Daniel Eberhorn

🕵️‍♀️💻 When attackers pose as IT support: next-generation social engineering 🕵️‍♀️💻

A digital illustration depicting a shadowed figure in a hoodie with a headset, appearing to smile or engage persuasively, suggesting an IT support role. Around the figure are subtle icons like question marks and warning signs, hinting at the deceptive tactics of social engineering. The background is a soft blue gradient, evoking a tech environment with red accents to convey caution and hidden danger.

Image generated by OpenAI's DALL·E

 

Microsoft Teams as a gateway – who would have thought? The ransomware group Black Basta is currently showing how targeted modern attacks are against the everyday tools used by companies. Instead of classic phishing emails, Black Basta uses Microsoft Teams chats to infiltrate internal systems posing as IT support. With the help of fake accounts and deceptively real QR codes, they bypass security mechanisms such as multi-factor authentication and gain direct access to sensitive data. This attack underscores that IT security is more than just technical hurdles – it requires vigilance and protection right down to the usual communication channels.



Black Basta and social engineering tactics

The hacker group Black Basta is no longer an unknown name in the cybersecurity world. It has made a name for itself with targeted ransomware attacks on companies, data leaks and threats to publish confidential information. But instead of continuing to rely on tried and tested methods, Black Basta has partially adapted its tactics and now intervenes directly in companies' work processes - using Microsoft Teams as an attack tool.

The approach is as simple as it is effective. Black Basta uses external user accounts in Entra ID tenants (Microsoft's identity and access management solution) and poses as IT support. Names such as "Help Desk" or "Support Service Admin" suggest a credible connection, especially when employees experience massive email spam attacks and then receive supposed support in the Teams chat. The attackers use fake accounts such as supportadministrator.onmicrosoft[.]com or cybersecurityadmin.onmicrosoft[.]com, creating an authentic but dangerous environment for their victims.



Bypassing Multi-Factor Authentication

One notable detail: the method even bypasses security measures such as multi-factor authentication (MFA). By getting employees to install remote access tools such as AnyDesk or Quick Assist themselves, attackers can bypass MFA - after all, the employees initiated the access and thus bypassed the upstream security layers. This type of social engineering exploits the credulity and trust of employees and turns them into involuntary accomplices of the attackers.



Mail bombing and VoIP calls as deception

Another well-known tactic used by attackers is email bombing: victims are flooded with countless spam messages that arrive every second, causing confusion and overwhelm. As a result of this digital attack, those affected often seek help from their company's internal help desk - an opportunity that the criminals deliberately exploit. To further reinforce the deception, attackers also use VoIP calls in which they pretend to be trustworthy IT support employees. These calls give the attack additional credibility and often convince victims to follow instructions and, for example, install remote maintenance software, which ultimately gives the perpetrators direct access to the company systems.



QR codes as a tool for targeted attacks

However, Black Basta does not stop at simple Teams messages. The attackers also send QR codes that link to deceptively real phishing pages. These domains often mimic the name of the company being attacked - for example, the QR code could link to company.qr-s1[.]com. The employee is tricked into scanning the code and is then unknowingly directed to a page that is used to steal further access information or to grant direct remote access to the device.


Indicators of Compromise (IoCs)

To identify potentially vulnerable systems, organizations should monitor the following Indicators of Compromise (IoCs):


  • Fake Entra ID Accounts: Examples of dangerous domains used by Black Basta include:

    • securityadminhelper.onmicrosoft[.]com

    • supportserviceadmin.onmicrosoft[.]com

    • supportadministrator.onmicrosoft[.]com

    • cybersecurityadmin.onmicrosoft[.]com


  • Malware-related QR code domains:

    • qr-s1[.]com

    • qr-s2[.]com

    • qr-s3[.]com

    • qr-s4[.]com


These indicators can serve as a starting point to identify suspicious activity and intercept potential attacks early. It is important to note that these IoCs can and will change - this list should not be used as the only identifying feature. The known IoCs have been published by ReliaQuest and MyCERT.
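As an added example (not part of the original post and not code from Black Basta research or any vendor), the following Python script matches the defanged indicators above against constructed Teams and web-proxy log lines. It refangs the indicators, treats any subdomain of a QR domain as a match (the page's company.qr-s1[.]com pattern), and, because the list above will change, adds our own heuristic that flags any unknown onmicrosoft.com tenant whose name is built from two or more IT-support words. The log format, hostnames and tenant helpdeskadmin.onmicrosoft.com are constructed for the example.

```python
import re

# Defanged indicators as listed on the page ("[.]" instead of "."); refanged before matching.
FAKE_SUPPORT_TENANTS = [
    "securityadminhelper.onmicrosoft[.]com",
    "supportserviceadmin.onmicrosoft[.]com",
    "supportadministrator.onmicrosoft[.]com",
    "cybersecurityadmin.onmicrosoft[.]com",
]
QR_PHISHING_DOMAINS = ["qr-s1[.]com", "qr-s2[.]com", "qr-s3[.]com", "qr-s4[.]com"]

# Vocabulary the known fake tenants are built from (our own heuristic, not from the page).
SUPPORT_WORDS = ("admin", "support", "help", "security", "cyber")

# Constructed sample log lines in an assumed key=value format; not real telemetry.
SAMPLE_LOG = [
    "2024-11-04T09:12:31Z teams_external_chat sender=helpdesk@supportadministrator.onmicrosoft.com recipient=alice@example-corp.com",
    "2024-11-04T09:13:02Z teams_external_chat sender=projects@partner-vendor.com recipient=alice@example-corp.com",
    "2024-11-04T09:14:20Z teams_external_chat sender=it@helpdeskadmin.onmicrosoft.com recipient=bob@example-corp.com",
    "2024-11-04T09:15:47Z url_click user=alice@example-corp.com url=https://example-corp.qr-s1.com/verify",
    "2024-11-04T09:20:10Z url_click user=bob@example-corp.com url=https://learn.microsoft.com/en-us/",
]

UPN_RE = re.compile(r"[\w.+-]+@([\w.-]+)")   # domain part of user@domain
URL_RE = re.compile(r"https?://([\w.-]+)")    # host part of a URL


def refang(indicator):
    """Turn a defanged indicator such as 'qr-s1[.]com' back into a matchable hostname."""
    return indicator.replace("[.]", ".").lower()


def hostnames_in(line):
    """Collect every hostname that appears as a UPN domain or URL host in one log line."""
    hosts = set(UPN_RE.findall(line)) | set(URL_RE.findall(line))
    return {h.lower().rstrip(".") for h in hosts}


def matches_indicator(host, ioc):
    # The indicator itself or any subdomain of it, e.g. example-corp.qr-s1.com under qr-s1.com.
    return host == ioc or host.endswith("." + ioc)


def looks_like_support_tenant(host):
    """Heuristic: an onmicrosoft.com tenant whose name combines two or more support words."""
    suffix = ".onmicrosoft.com"
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return sum(1 for w in SUPPORT_WORDS if w in label) >= 2


def scan(lines):
    """Return one hit per log line whose hostnames match a known IoC or the tenant heuristic."""
    indicators = [(refang(i), "fake_support_tenant") for i in FAKE_SUPPORT_TENANTS]
    indicators += [(refang(i), "qr_phishing_domain") for i in QR_PHISHING_DOMAINS]
    hits = []
    for number, line in enumerate(lines, 1):
        for host in sorted(hostnames_in(line)):
            kind = next((k for ioc, k in indicators if matches_indicator(host, ioc)), None)
            if kind is None and looks_like_support_tenant(host):
                kind = "support_tenant_heuristic"
            if kind is not None:
                hits.append({"line": number, "host": host, "kind": kind})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['kind']} -> {hit['host']}")
```

Run against the constructed sample, the script reports line 1 (a listed fake tenant), line 3 (an unlisted tenant caught only by the heuristic) and line 4 (a QR phishing subdomain); the partner domain and the Microsoft documentation URL are left alone. The heuristic exists precisely because the published tenant names are disposable; treat its hits as leads for the help desk to verify, not as confirmed compromise.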



Real-World Attacks

The Black Basta ransomware group has already successfully attacked several prominent companies using this method, according to the portal UCTODAY. Victims include the British water utility Southern Water, the insurance provider Corvus and the outsourcing company Capita. The attack on Capita was particularly serious, costing the company an estimated $15-20 million.



Security Strategy: How Companies Should Respond to the Threat

The Black Basta attack on Microsoft Teams shows how important a flexible and comprehensive security strategy is. A key measure is controlling and restricting external access in Microsoft Teams. Through targeted configurations, companies can restrict access for external contacts and ensure that employees are automatically warned of messages from external users. This transparency helps to identify potentially dangerous contacts at an early stage and at the same time provides a first line of defense.


Another important approach is to control remote access tools such as AnyDesk or Quick Assist, which Black Basta uses for its attacks. Companies should set clear rules about which remote tools can be used for IT support and limit use to these programs by "whitelisting". Regular monitoring ensures that unauthorized access is detected before the attackers can cause damage.


In addition, advanced authentication methods should be used to reduce the risk of social engineering attacks. Multi-factor authentication (MFA) remains a key protection, but social engineering techniques can bypass MFA if employees are persuaded to install tools that give attackers access. One approach to additional security is behavioral analysis: such systems detect unusual activities - such as the sudden installation of new remote tools - and raise an alarm when user behavior deviates from the usual patterns.
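The two preceding paragraphs (a whitelist of sanctioned remote tools, and behavioral detection of a remote tool appearing where it has not been seen before) can be expressed as one small detection rule. The following is an added example in Python, not code from the post or from any product: it takes constructed process-creation events, learns per host and user which remote tools ran during a baseline window, and then alerts on any remote tool that is not on the whitelist or that is sanctioned but has never run for that host/user pair. The executable names, hosts, users and cutoff date are assumptions for the example.

```python
from collections import defaultdict

# Remote access tools named on the page; only Quick Assist is sanctioned in this example (assumption).
REMOTE_TOOLS = {"anydesk.exe", "quickassist.exe"}
ALLOWED_REMOTE_TOOLS = {"quickassist.exe"}

# Constructed process-creation events: (ISO timestamp, host, user, process name).
EVENTS = [
    ("2024-10-01T08:00:00", "WS-011", "alice", "outlook.exe"),
    ("2024-10-03T14:22:00", "WS-042", "itsupport", "QuickAssist.exe"),
    ("2024-10-03T14:25:00", "WS-042", "itsupport", "QuickAssist.exe"),
    ("2024-11-04T09:18:00", "WS-011", "alice", "AnyDesk.exe"),
    ("2024-11-04T09:19:00", "WS-011", "alice", "QuickAssist.exe"),
    ("2024-11-04T10:02:00", "WS-042", "itsupport", "QuickAssist.exe"),
]

# Everything before this point is treated as known-good history (assumption).
BASELINE_END = "2024-11-01T00:00:00"


def build_baseline(events, cutoff):
    """Map (host, user) to the set of remote tools they ran before the cutoff."""
    seen = defaultdict(set)
    for ts, host, user, proc in events:
        name = proc.lower()
        if ts < cutoff and name in REMOTE_TOOLS:  # ISO-8601 strings compare chronologically
            seen[(host, user)].add(name)
    return seen


def detect(events, cutoff):
    """Return alerts for remote tools that are unsanctioned or new for this host/user."""
    baseline = build_baseline(events, cutoff)
    alerts = []
    for ts, host, user, proc in events:
        name = proc.lower()
        if ts < cutoff or name not in REMOTE_TOOLS:
            continue
        if name not in ALLOWED_REMOTE_TOOLS:
            alerts.append((ts, host, user, name, "unsanctioned_remote_tool"))
        elif name not in baseline[(host, user)]:
            alerts.append((ts, host, user, name, "first_seen_remote_tool"))
    return alerts


if __name__ == "__main__":
    for ts, host, user, name, reason in detect(EVENTS, BASELINE_END):
        print(f"{ts} {host} {user} {name}: {reason}")
```

On the sample data the rule fires twice for alice's workstation (AnyDesk is not sanctioned at all; Quick Assist is sanctioned but has never run there) and stays silent for the help-desk account that uses Quick Assist routinely. The baseline is the part that makes this behavioral rather than a plain blocklist: the same sanctioned tool is normal on one machine and an anomaly on another.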


As attacks using fake domains and QR codes are increasingly used, early detection of such threats is crucial. Security solutions should automatically identify new and suspicious domains that are similar to the company name and block them if necessary. At the same time, it is important to train employees to recognize suspicious QR codes and exercise caution when in doubt.
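The page's example of company.qr-s1[.]com is one of several ways a phishing domain can reuse a company name. As an added example (not part of the original post), the Python below triages candidate hostnames, for instance from a newly-registered-domain feed or proxy logs, into the cases a defender would want to see separately: the brand used as a subdomain of someone else's domain, the brand registered under another TLD, the brand embedded in a longer name, and a typosquat within a small edit distance. The brand "example-corp", the trusted domains, the candidate list and the edit-distance threshold are all assumptions; the two-label rule for the registrable domain is a simplification (a real deployment would consult the public suffix list).

```python
# Lookalike-domain triage. Brand, trusted domains and candidates are constructed for this example.
BRAND = "example-corp"
TRUSTED_DOMAINS = {"example-corp.com", "example-corp.onmicrosoft.com"}
MAX_EDIT_DISTANCE = 2  # assumption; lower it for short brand names to limit false positives


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute) between two strings."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        current = [i]
        for j, cb in enumerate(b, 1):
            current.append(min(previous[j] + 1,            # delete ca
                               current[j - 1] + 1,         # insert cb
                               previous[j - 1] + (ca != cb)))  # substitute
        previous = current
    return previous[-1]


def split_host(hostname):
    """Normalise and split into (host, subdomain labels, registrable domain)."""
    host = hostname.lower().rstrip(".")
    labels = host.split(".")
    # Assumption: the registrable domain is the last two labels (no public-suffix handling).
    return host, labels[:-2], ".".join(labels[-2:])


def classify(hostname):
    host, subdomains, registrable = split_host(hostname)
    if host in TRUSTED_DOMAINS or registrable in TRUSTED_DOMAINS:
        return "trusted"
    base = registrable.split(".")[0]       # label left of the TLD
    if BRAND in subdomains:
        return "brand_as_subdomain"        # example-corp.qr-s1.com
    if base == BRAND:
        return "brand_on_other_tld"        # example-corp.net
    if BRAND in base:
        return "brand_embedded"            # example-corp-support.com
    if levenshtein(base, BRAND) <= MAX_EDIT_DISTANCE:
        return "brand_typosquat"           # examp1e-corp.com
    return "unrelated"


# Constructed candidates as they might arrive from a domain feed or proxy log.
CANDIDATES = [
    "login.example-corp.com",
    "example-corp.qr-s1.com",
    "examp1e-corp.com",
    "example-corp-support.com",
    "example-corp.net",
    "partner-vendor.com",
]


def triage(hosts):
    """Classify every candidate; anything other than 'trusted' or 'unrelated' needs review."""
    return {h: classify(h) for h in hosts}


if __name__ == "__main__":
    for host, verdict in triage(CANDIDATES).items():
        print(f"{verdict:20} {host}")
```

Note what this catches that the IoC list alone does not: the QR domain is flagged because the company name sits in front of it, so the rule keeps working when qr-s1 is swapped for a fresh domain. The reverse limitation is that a phishing domain carrying no trace of the brand stays "unrelated", which is why the domain list and the brand rule belong together rather than replacing each other.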


Regular, hands-on training is one of the best defense strategies against social engineering. Employee knowledge and awareness are key protective factors that can be strengthened through realistic training programs and targeted simulations. Phishing simulations and exercises that train employees to recognize fake Teams messages turn employees into active defenders of company security while strengthening their confidence in their own abilities.


This combined strategy of technical measures and continuous awareness creates a resilient security culture that helps companies effectively counter attacks like those from Black Basta and protect themselves as best as possible.



Conclusion

In the world of cyber security, nothing stays constant for long. The attacks by groups like Black Basta show how flexible and creative threat actors are today and that new attack vectors - like Microsoft Teams - can quickly become popular gateways.

Even if a well-thought-out combination of technical measures and regular awareness-raising protects employees and systems well, development in this area is never complete. Companies must be prepared to continuously adapt their strategies and identify new threats at an early stage. Cyber security is not a one-off project but an ongoing process in which companies and their protective measures keep evolving.

In this case too - the attack path and methods will change and adapt slightly over time.
