The Black Basta ransomware group is targeting businesses by impersonating Microsoft support.
Black Basta's campaign is pure social engineering. It starts by flooding a target's inbox with spam, then contacts the victim through Microsoft Teams from an attacker-controlled Microsoft 365 tenant on a .onmicrosoft.com domain, posing as IT or help-desk staff who can fix the spam problem.
In the Teams chat the attackers send legitimate-looking links or QR codes that lead the victim to install or launch remote-access tools such as AnyDesk or Microsoft's built-in Quick Assist, which hands the attacker control of the machine.
From that foothold the goal is the usual one: move into company systems and encrypt internal data for ransom. Help-desk impersonation itself is a tactic cybercriminals have used for years.
The article's advice: change the Teams external-access settings so users in other tenants cannot message or call your staff (or allow only named partner domains), make sure email spam filtering is properly configured, and treat any unsolicited support contact with suspicion.
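The Teams change the article recommends is made in the tenant's federation configuration. The script below is an added example, not code from the article or from any of the vendors it cites; it assumes the MicrosoftTeams PowerShell module is installed and that you hold a Teams administrator role, and the partner domain names are placeholders.

```powershell
# Added example, not from the article: harden Microsoft Teams external access
# with the MicrosoftTeams PowerShell module. Assumes the module is installed and
# you hold a Teams administrator role. Partner domains below are placeholders.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

function Show-ExternalAccess {
    # Print the settings that decide who outside the tenant can reach your users.
    Get-CsTenantFederationConfiguration |
        Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                      AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowPublicUsers
}

function Set-NoExternalChat {
    # Strictest option: no chats or calls from users in other Microsoft 365
    # tenants (which is where the *.onmicrosoft.com impersonators live) and
    # none from personal Teams or Skype accounts.
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
                                        -AllowTeamsConsumer $false `
                                        -AllowTeamsConsumerInbound $false `
                                        -AllowPublicUsers $false
}

function Set-PartnerOnlyChat {
    param([string[]]$PartnerDomains)
    # Middle ground: keep federation, but only with named partner domains.
    # Once the allow list is non-empty every other domain is refused, so a
    # freshly created helpdesk-something.onmicrosoft.com tenant cannot get through.
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                        -AllowTeamsConsumer $false `
                                        -AllowTeamsConsumerInbound $false `
                                        -AllowPublicUsers $false `
                                        -AllowedDomainsAsAList @{Add = $PartnerDomains}
}

Show-ExternalAccess          # record the state before you change it
Set-NoExternalChat
# Or, if the business depends on cross-tenant chat with a few partners:
# Set-PartnerOnlyChat -PartnerDomains @('partner-a.example', 'partner-b.example')
Show-ExternalAccess          # confirm the new state
```

Two caveats. Federation settings can take a while to propagate, so re-run the check later rather than trusting the first read-back. And this controls external access (users chatting from their own tenant), not guest access; B2B guests you have invited into teams are governed separately by `Set-CsTeamsClientConfiguration -AllowGuestUser`, so review that too if guests are not part of your workflow.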
https://www.pcmag.com/news/ransomware-group-impersonates-microsoft-support-to-breach-businesses and https://www.uctoday.com/unified-communications/black-basta-ransomware-impersonates-teams-it-support-attacks-100s-of-businesses/
Commentary
According to the source, Black Basta has been active since at least 2022, has hit at least 329 organizations worldwide and has collected an estimated $107 million in ransom payments.
At the heart of many social engineering campaigns is a simple pattern: manufacture a problem, create panic, then swoop in as the helper who can solve the problem the criminals created. Here Black Basta floods inboxes with spam, then reaches out impersonating Microsoft support and offers to fix it; the "fix" is a remote-access session that ends with ransomware on your systems.
First, never panic.
Second, always question unexpected messages (even those claiming to help).
Third, investigate the problem online. You are probably not the first target, and you will likely find a thread describing the scam.
Fourth, always reach out to a software provider independently, using contact details you already have or look up yourself. Never use the contact information in the spam or in the chat message.
Official Microsoft communications typically come from microsoft.com or a subdomain of it, so a legitimate address or link looks like support@microsoft.com or https://www.microsoft.com.
The Black Basta operators instead message from tenants on .onmicrosoft.com. That suffix is real and Microsoft-operated, which is what makes it convincing: every Microsoft 365 tenant automatically receives a <tenantname>.onmicrosoft.com domain, so anyone who signs up for a tenant gets one, and the address proves only that someone created a tenant with that name, not that Microsoft is on the other end. Teams marks chats from other tenants as external and shows the sender's address, which is where the tenant name appears. The attackers chose support-sounding tenant names such as:
- 1helpyou.onmicrosoft.com
- assistingyou.onmicrosoft.com
- spamshieldmanager.onmicrosoft.com
- supporthelper.onmicrosoft.com
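Checking a sender's domain sounds trivial but has a trap worth showing: a naive suffix test for "microsoft.com" accepts every *.onmicrosoft.com tenant, because that string also ends in "microsoft.com". The script below is an added example, not from the article or any of its sources; it classifies a sender address by what its domain actually proves. The sample addresses are constructed for the demo, apart from the four tenant names listed above, which come from the article.

```powershell
# Added example, not from the article: decide what a sender's domain actually
# proves. Sample addresses are constructed for the demo, except the four
# *.onmicrosoft.com tenant names, which come from the article.

function Get-SenderDomain {
    param([Parameter(Mandatory)][string]$Address)
    # The domain is whatever follows the last '@'; DNS names are case-insensitive.
    return ($Address -split '@')[-1].Trim().TrimEnd('.').ToLowerInvariant()
}

function Test-UnderDomain {
    param([string]$Domain, [string]$Parent)
    # Label-aware check. A plain suffix test such as $Domain.EndsWith('microsoft.com')
    # would accept 'fakemicrosoft.com' and every '*.onmicrosoft.com' tenant.
    return ($Domain -eq $Parent) -or $Domain.EndsWith('.' + $Parent)
}

function Get-SenderVerdict {
    param([Parameter(Mandatory)][string]$Address)
    $domain = Get-SenderDomain -Address $Address
    $supportWords = @('help', 'support', 'assist', 'admin', 'security', 'spam', 'desk')

    if (Test-UnderDomain -Domain $domain -Parent 'microsoft.com') {
        $verdict = 'Microsoft-owned domain'
    }
    elseif (Test-UnderDomain -Domain $domain -Parent 'onmicrosoft.com') {
        # Every Microsoft 365 tenant gets <tenant>.onmicrosoft.com automatically,
        # so this proves only that someone created a tenant with that name.
        $tenant = $domain -replace '\.onmicrosoft\.com$', ''
        $themed = $supportWords | Where-Object { $tenant -like "*$_*" }
        $verdict = if ($themed) {
            "Unknown M365 tenant '$tenant' with support-themed name: likely impersonation"
        } else {
            "Unknown M365 tenant '$tenant': verify out of band before acting"
        }
    }
    else {
        $verdict = 'Not a Microsoft domain'
    }
    [pscustomobject]@{ Address = $Address; Domain = $domain; Verdict = $verdict }
}

$samples = @(
    'support@microsoft.com',
    'helpdesk@1helpyou.onmicrosoft.com',
    'it@assistingyou.onmicrosoft.com',
    'admin@spamshieldmanager.onmicrosoft.com',
    'it@supporthelper.onmicrosoft.com',
    'alerts@contoso.onmicrosoft.com',     # constructed, non-themed tenant name
    'it-support@fakemicrosoft.com'        # constructed; passes a naive suffix test
)
$samples | ForEach-Object { Get-SenderVerdict -Address $_ } | Format-Table -AutoSize
```

The keyword list is an assumption for the demo, not a published indicator set; its job is to surface the pattern the article describes (support-sounding tenant names), not to be an allow list. Note also that Teams shows the sender's display name far more prominently than the address, so a user who sees "Help Desk" or "IT Support" still needs to open the chat details to find the domain this script inspects.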
The final takeaway is to stay vigilant and verify the authenticity of any communication that claims to be from Microsoft, especially if it contains unusual requests or links.
Additional sources: https://www.reliaquest.com/blog/black-basta-social-engineering-technique-microsoft-teams/