{
	"id": "93c5a284-c866-4f30-820e-bfcd1b46717e",
	"created_at": "2026-04-06T00:08:29.139518Z",
	"updated_at": "2026-04-10T13:12:15.515767Z",
	"deleted_at": null,
	"sha1_hash": "bd5bd74d8047b99a547699fa3fdfc49639d4c358",
	"title": "BazaCall: Phony call centers lead to exfiltration and ransomware | Microsoft Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 729049,
	"plain_text": "BazaCall: Phony call centers lead to exfiltration and ransomware |\r\nMicrosoft Security Blog\r\nBy Microsoft Threat Intelligence\r\nPublished: 2021-07-29 · Archived: 2026-04-02 11:43:07 UTC\r\nOur continued investigation into BazaCall campaigns, those that use fraudulent call centers that trick unsuspecting\r\nusers into downloading the BazaLoader malware, shows that this threat is more dangerous than what’s been\r\ndiscussed publicly in other security blogs and covered by the media. Apart from having backdoor capabilities, the\r\nBazaLoader payload from these campaigns also gives a remote attacker hands-on-keyboard control on an affected\r\nuser’s device, which allows for a fast network compromise. In our observation, attacks emanating from the\r\nBazaCall threat could move quickly within a network, conduct extensive data exfiltration and credential theft, and\r\ndistribute ransomware within 48 hours of the initial compromise.\r\nAdditional resources\r\nProtect your organization against ransomware: aka.ms/ransomware\r\nLearn how attackers operate: Human-operated ransomware attacks: A preventable disaster\r\nBazaCall campaigns forgo malicious links or attachments in email messages in favor of phone numbers that\r\nrecipients are misled into calling. It’s a technique reminiscent of vishing and tech support scams where potential\r\nvictims are being cold-called by the attacker, except in BazaCall’s case, targeted users must dial the number. And\r\nwhen they do, the users are connected with actual humans on the other end of the line, who then provide step-by-step instructions for installing malware into their devices. Thus, BazaCall campaigns require direct phone\r\ncommunication with a human and social engineering tactics to succeed. Moreover, the lack of obvious malicious\r\nelements in the delivery methods could render typical ways of detecting spam and phishing emails ineffective.\r\nFigure 1. 
The flow of a typical BazaCall attack, from the spam email to social engineering to the payload being\r\ndownloaded and hands-on-keyboard attacks\r\nhttps://www.microsoft.com/en-us/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/\r\nPage 1 of 10\n\nThe use of another human element in BazaCall’s attack chain through the abovementioned hands-on-keyboard\r\ncontrol further makes this threat more dangerous and more evasive than traditional, automated malware attacks.\r\nBazaCall campaigns highlight the importance of cross-domain optics and the ability to correlate events in building\r\na comprehensive defense against complex threats.\r\nMicrosoft 365 Defender orchestrates protection across domains to deliver coordinated defense. In the case of\r\nBazaCall, Microsoft Defender for Endpoint detects malware and attacker behavior resulting from the campaign,\r\nand these signals inform Microsoft Defender for Office 365 protections against related emails, even if these emails\r\ndon’t have the typical malicious artifacts. Microsoft threat analysts who constantly monitor BazaCall campaigns\r\nenrich the intelligence on this threat and enhance our ability to protect customers.\r\nIn this blog post, we discuss how a recent BazaCall campaign attempts to compromise systems and networks\r\nthrough the mentioned human elements and how Microsoft defends against it.\r\nOut with the links and attachments, in with the customer service phone numbers\r\nBazaCall campaigns begin with an email that uses various social engineering lures to trick target recipients into\r\ncalling a phone number. For example, the email informs users about a supposed expiring trial subscription and that\r\ntheir credit card will soon be automatically charged for the subscription’s premium version. 
Each wave of emails\r\nin the campaign uses a different “theme” of subscription that is supposed to be expiring, such as a photo editing\r\nservice or a cooking and recipes website membership. In a more recent campaign, the email does away with the\r\nsubscription trial angle and instead poses as a confirmation receipt for a purchased software license.\r\nUnlike typical spam and phishing emails, BazaCall’s do not have a link or attachment in its message body that\r\nusers must click or open. Instead, it instructs users to call a phone number in case they have questions or concerns.\r\nThis lack of typical malicious elements—links or attachments—adds a level of difficulty in detecting and hunting\r\nfor these emails. In addition, the messaging of the email’s content might also add an air of legitimacy if the user\r\nhas been narrowly trained to avoid typical phishing and malware emails but not taught to be wary of social\r\nengineering techniques.\r\nFigure 2. A typical BazaCall email, claiming that the user’s trial for a photo editing service will soon expire, and\r\nthat they will be automatically charged. A fake customer service number is provided to help cancel the\r\nsubscription.\r\nEach BazaCall email is sent from a different sender, typically using free email services and likely-compromised\r\nemail addresses. The lures within the email use fake business names that are similar to the names of real\r\nbusinesses. A recipient who then searches the business name online to check the email’s legitimacy may be led to\r\nbelieve that such a company exists and that the message they received has merit.\r\nSome sample subject lines are listed below. They each have a unique “account number” created by the attackers to\r\nidentify the recipients:\r\nSoon you’ll be moved to the Premium membership, as the demo period is ending. 
Personal ID: KT[unique\r\nID number]\r\nAutomated premium membership renewal notice GW[unique ID number] ?\r\nYour demo stage is nearly ended. Your user account number VC[unique ID number]. All set to continue?\r\nNotification of an abandoned road accident site! Must to get hold of a manager! [body of email contains\r\nunique ID number]\r\nThanks for deciding to become a member of BooyaFitness. Fitness program was never simpler before\r\n[body of email contains unique ID number]\r\nYour subscription will be changed to the gold membership, as the trial is ending. Order: KT[unique ID\r\nnumber]\r\nYour free period is almost ended. Your member’s account number VC[unique ID number]. Ready to move\r\nforward?\r\nThank you for getting WinRAR pro plan. Your order # is WR[unique ID number].\r\nMany thanks for choosing WinRAR. You need to check out the information about your licenses [body of\r\nemail contains unique ID number]\r\nWhile the subject lines in most of the observed campaigns contain similar keywords and occasional emojis, each\r\none is unique because it includes an alphanumeric sequence specific to the recipient. This sequence is always\r\npresented as a user ID or transaction code, but it actually serves as a way for the attacker to identify the recipient\r\nand track the latter’s responses to the campaign. The unique ID numbers largely follow the same pattern, which\r\nthe regular expression [A-Z]{1,3}(?:\\d{9,15}) can surface, for example, L0123456789 and KT01234567891.\r\nIn one recent BazaCall campaign, the unique ID was present in the body of the email, but not in the subject line:\r\nFigure 3. 
A recent BazaCall email with the unique ID present only in the message body.\r\nIf a target recipient does decide to call the phone number indicated in the email, they will speak with a real person\r\nfrom a fraudulent call center set up by BazaCall’s operators. The call center agent serves as a conduit to the next\r\nphase of the attack: during their conversation, an agent tells the caller they can help cancel the supposed\r\nsubscription or transaction. To do so, the agent asks the caller to visit a website.\r\nThese websites are designed to look like legitimate businesses, some of which even impersonate actual\r\ncompanies. However, we have noted that some domain names do not always match the name of the fictitious\r\nbusiness included in the email. For example, an email claiming that a user’s free trial for “Pre Pear Cooking” was\r\nset to expire was paired with the domain, “topcooks[.]us”.\r\nFigure 4. A sample website used in the BazaCall campaign. It mimics a real recipe website but is attacker-controlled.\r\nThe call center agent then instructs the user to navigate to the account page and download a file to cancel their\r\nsubscription. The file is a macro-enabled Excel document, with names such as “cancel_sub_[unique ID\r\nnumber].xlsb.” Note that in some instances, we observed that even if security filters such as Microsoft Defender\r\nSmartScreen are enabled, users intentionally bypass it to download the file, which indicates that the call center\r\nagent is likely instructing the user to circumvent security protocols, with the threat that their credit cards will be\r\ncharged if they don’t. Again, this demonstrates the effectiveness of social engineering tactics used in BazaCall\r\nattacks.\r\nThe downloaded Excel file displays a fake notification that it is protected by Microsoft Office. 
The call center\r\nagent then instructs the user to click on the button that enables editing and content (macros) to view the\r\nspreadsheet’s contents. If the user enables the macro, BazaLoader malware is delivered to the device.\r\nFigure 5. An Excel document used by the attackers, prompting the user to enable malicious code.\r\nHands-on-keyboard control for selective data exfiltration\r\nThe enabled macro on the Excel document creates a new folder named with a random string of characters in the\r\n%programdata% folder. It then copies certutil.exe, a known living-off-the-land binary (LOLBin), from the System\r\nfolder and places the copy of certutil.exe into the newly created folder as a means of defense evasion. Finally, the\r\ncopy of certutil.exe is renamed to match the random string of characters in the folder name.\r\nThe macro then uses the newly renamed copy of certutil.exe to connect to the attacker infrastructure and download\r\nBazaLoader. This downloaded payload is a malicious dynamic link library (.dll) and is loaded by rundll32.exe.\r\nRundll32 then injects a legitimate MsEdge.exe process to connect to a BazaLoader command-and-control (C2) and\r\nestablish persistence by using Edge to create a .lnk (shortcut) file to the payload in the Startup folder. The injected\r\nMsEdge.exe is also used for reconnaissance, collecting system and user information, domains on the networks,\r\nand domain trusts.\r\nThe rundll32.exe process retrieves a Cobalt Strike beacon that enables the attacker to have hands-on-keyboard\r\ncontrol of the device. 
Now with direct access, the attacker performs reconnaissance on the network and searches\r\nfor local administrators and high-privilege domain administrator account information.\r\nThe attacker also conducts further extensive reconnaissance using ADFind, a free command-line tool designed for\r\nActive Directory discovery. Often, information gathered from this reconnaissance is saved to a text file and\r\nviewed by the attacker using the “Type” command in the command prompt.\r\nOnce the attacker has established a list of target devices on the network, they use Cobalt Strike’s custom, built-in\r\nPsExec functionality to move laterally to the targets. Each device the attacker lands on establishes a connection to\r\nthe Cobalt Strike C2 server. Additionally, certain devices are used for additional reconnaissance by downloading\r\nopen-source tools designed to steal browser passwords. In some instances, the attackers also used WMIC to move\r\nlaterally to high-value targets, such as Domain Controllers.\r\nWhen the attacker lands on a selected high-value target, they use 7-Zip to archive intellectual property for\r\nexfiltration. The archived files are named after the type of data they contain, such as IT information, or\r\ninformation about security operations, finance and budgeting, and details specific to each target’s industry. 
The\r\nattacker then uses a renamed version of the open-source tool, RClone, to exfiltrate these archives to an attacker-controlled domain.\r\nFigure 6. Post-compromise activity on the target, including exfiltration and ransomware.\r\nFinally, on domain controller devices, the attacker uses NTDSUtil.exe—a legitimate tool typically used to create\r\nand maintain the Active Directory database—to create a copy of the NTDS.dit Active Directory database, in either\r\nthe %programdata% or %temp% folders, for subsequent exfiltration. NTDS.dit contains user information and\r\npassword hashes for all users in the domain.\r\nIn some instances, data exfiltration appeared to be the primary objective of the attack, which would typically be in\r\npreparation for future activity. However, in other instances, the attacker deploys ransomware after conducting the\r\npreviously described activity. In those cases where ransomware was dropped, the attacker used high-privilege\r\ncompromised accounts in conjunction with Cobalt Strike’s PsExec functionality to drop a Ryuk or Conti\r\nransomware payload onto network devices.\r\nDetecting BazaCall through cross-domain visibility and threat intelligence\r\nWhile many cybersecurity threats rely on automated, drive-by tactics (for example, exploiting system\r\nvulnerabilities to drop malware or compromising legitimate websites for a watering hole attack) or develop\r\nadvanced detection evasion methods, attackers continue to find success in social engineering and human\r\ninteraction in attacks. 
The BazaCall campaign replaces links and attachments with phone numbers in the emails it\r\nsends out, posing challenges in detection, especially by traditional antispam and anti-phishing solutions that check\r\nfor those malicious indicators.\r\nThe lack of typical malicious elements in BazaCall’s emails and the speed with which their operators can conduct\r\nan attack exemplify the increasingly complex and evasive threats that organizations face today. Microsoft 365\r\nDefender provides the cross-domain visibility and coordinated defense to protect customers against such threats.\r\nThe ability to correlate events across endpoints and emails is crucial in the case of BazaCall, given its distinct\r\ncharacteristics. Microsoft Defender for Endpoint detects implants such as BazaLoader and Cobalt Strike, payloads\r\nsuch as Conti and Ryuk, and subsequent attacker behavior. These endpoint signals are correlated with email threat\r\ndata, informing Microsoft Defender for Office 365 to block the BazaCall emails, even if these emails don’t have\r\nthe typical malicious artifacts.\r\nMicrosoft 365 Defender further enables organizations to defend against this threat through rich investigations\r\ntools like advanced hunting, allowing security teams to locate related or similar activities and seamlessly resolve\r\nthem.\r\nJustin Carroll and Emily Hacker\r\nMicrosoft 365 Defender Threat Intelligence Team\r\nAdvanced hunting queries\r\nThe following Advanced Hunting Queries are accurate as of the time of publish of this blog. 
For the most up-to-date queries, please visit aka.ms/BazaCall.\r\nTo locate possible exploitation activity, run the following queries in the Microsoft 365 Defender portal.\r\nBazaCall emails\r\nTo look for malicious emails matching the patterns of the BazaCall campaign, run this query.\r\nEmailEvents\r\n| where Subject matches regex @\"[A-Z]{1,3}\\d{9,15}\"\r\nand Subject has_any('trial', 'free', 'demo', 'membership', 'premium', 'gold',\r\n'notification', 'notice', 'claim', 'order', 'license', 'licenses')\r\nBazaCall Excel file delivery\r\nTo look for signs of web file delivery behavior matching the patterns of the BazaCall campaign, run this query.\r\nDeviceFileEvents\r\n| where FileOriginUrl has \"/cancel.php\" and FileOriginReferrerUrl has \"/account\"\r\nor FileOriginUrl has \"/download.php\" and FileOriginReferrerUrl has \"/case\"\r\nBazaCall Excel file execution\r\nTo surface the execution of malicious Excel files associated with BazaCall, run this query.\r\nDeviceProcessEvents\r\n| where InitiatingProcessFileName =~ \"excel.exe\"\r\nand ProcessCommandLine has_all('mkdir', '\u0026\u0026 copy', 'certutil.exe')\r\nBazaCall Excel file download domain pattern\r\nTo look for malicious Excel files downloaded from .XYZ domains, run this query.\r\nDeviceNetworkEvents\r\n| where RemoteUrl matches regex @\".{14}\\.xyz/config\\.php\"\r\nBazaCall dropping payload via certutil\r\nTo look for the copy of certutil.exe that was used to download the BazaLoader payload, run this query.\r\nDeviceFileEvents\r\n| where InitiatingProcessFileName !~ \"certutil.exe\"\r\n| where InitiatingProcessFileName !~ \"cmd.exe\"\r\n| where InitiatingProcessCommandLine has_all(\"-urlcache\", \"split\", \"http\")\r\nNTDS theft\r\nTo look for theft of Active Directory in paths used by this threat, run this query.\r\nDeviceProcessEvents\r\n| where FileName =~ 
\"ntdsutil.exe\"\r\n| where ProcessCommandLine has_any(\"full\", \"fu\")\r\n| where ProcessCommandLine has_any (\"temp\", \"perflogs\", \"programdata\")\r\n// Exclusion\r\n| where ProcessCommandLine !contains @\"Backup\"\r\nRenamed Rclone data exfiltration\r\nTo look for data exfiltration using renamed Rclone, run this query.\r\nDeviceProcessEvents\r\n| where ProcessVersionInfoProductName has \"rclone\" and not(FileName has \"rclone\")\r\nRunDLL Suspicious Network Connections\r\nTo look for RunDLL making suspicious network connections, run this query.\r\nDeviceNetworkEvents\r\n| where InitiatingProcessFileName =~ 'rundll32.exe' and InitiatingProcessCommandLine has\r\n\",GlobalOut\"\r\nLearn how your organization can stop attacks through automated, cross-domain security and built-in AI with\r\nMicrosoft Defender 365.\r\nSource: https://www.microsoft.com/en-us/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.microsoft.com/en-us/security/blog/2021/07/29/bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware/"
	],
	"report_names": [
		"bazacall-phony-call-centers-lead-to-exfiltration-and-ransomware"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d1f8bd4e-bcd4-4101-9158-6158f1806b38",
			"created_at": "2023-01-06T13:46:39.487358Z",
			"updated_at": "2026-04-10T02:00:03.344509Z",
			"deleted_at": null,
			"main_name": "BazarCall",
			"aliases": [
				"BazzarCall",
				"BazaCall"
			],
			"source_name": "MISPGALAXY:BazarCall",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434109,
	"ts_updated_at": 1775826735,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bd5bd74d8047b99a547699fa3fdfc49639d4c358.pdf",
		"text": "https://archive.orkl.eu/bd5bd74d8047b99a547699fa3fdfc49639d4c358.txt",
		"img": "https://archive.orkl.eu/bd5bd74d8047b99a547699fa3fdfc49639d4c358.jpg"
	}
}