{
	"id": "3cbdcfd8-9b2d-433f-b3d8-8783ca6f9589",
	"created_at": "2026-04-06T00:21:46.434468Z",
	"updated_at": "2026-04-10T03:20:20.778337Z",
	"deleted_at": null,
	"sha1_hash": "dd86612e87e7413ae7e537afcf44d4c9283cc5d4",
	"title": "ReliaQuest Uncovers New Black Basta Social Engineering Technique",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 87781,
	"plain_text": "ReliaQuest Uncovers New Black Basta Social Engineering\r\nTechnique\r\nBy ReliaQuest Threat Research Team 25 October 2024\r\nPublished: 2024-10-25 · Archived: 2026-04-05 13:29:09 UTC\r\nUpdated December 12, 2024\r\nIn late November 2024, ReliaQuest responded to several incidents related to Black Basta activity that resulted in\r\nthe identification of new TTPs. Initially, users were targeted by a flood of emails—with one user receiving as\r\nmany as 326—in activity that was reminiscent of previous Black Basta activity. Following these emails, additional\r\nalerts were raised for the same user, regarding suspicious Microsoft Teams communications that were originating\r\nfrom Russia. The domain linked to the suspicious Microsoft Teams messages was unusual, as it belonged to a\r\nlegitimate organization. This deviation indicated that this organization had been compromised by the Black Basta\r\ngroup, which used its domain to target additional organizations.\r\nThe compromised tenant in this instance followed the same naming convention as previously identified malicious\r\ntenants used in Black Basta activity. Previously, tenants displayed “Help Desk” or “Support Team” as their\r\nusername. In the new incident, the UserId was “technicalsupport,” which also inherited the display name “Help\r\nDesk.”\r\nShortly after the user received the Microsoft Teams message, the threat actor initiated a call attempting to\r\nmanipulate the end user into downloading “filter_update.vbs”. The execution of this script resulted in commands\r\nattempting to enumerate the organization’s domain, create a network connection to IP address 179.60.149[.]194,\r\nand download 3 files: “file.zip”, “script.a3x”, and “Autoit3.exe”. These files resulted in ReliaQuest detections\r\nfiring for file downloads via PowerShell, PowerShell Obfuscated Script and Emergency IoCs. 
Execution of the\r\nadditional files failed, and as a result the threat was contained.\r\nDetection Opportunities\r\nRemain vigilant for the following Microsoft Teams activity, which is likely to be malicious.\r\nMicrosoft Teams communications originating from Russia, where the UserId or Display Name includes\r\nkeywords like “Help Desk” or “Support Team.”\r\nWhere the UserID’s domain is not included on allow lists.\r\nMicrosoft Teams communication where the event type is MessageSent, the UserId contains\r\n“onmicrosoft.com,” and where there are multiple recipients within a short time.\r\nMicrosoft Teams communication where the event type is MessageCreatedHasLink, UserId contains\r\n“onmicrosoft.com,” or sourcing from Russia in which the MessageURL contains “sharepoint.com.”\r\nhttps://www.reliaquest.com/blog/black-basta-social-engineering-technique-microsoft-teams/\r\nPage 1 of 7\n\nMicrosoft Teams messages where the MessageURL does not contain your organization’s Sharepoint\r\ndetails.\r\nIoCs\r\nEditor’s note: The following was first published on October 25, 2024.\r\nWhat Happened?\r\nIn October 2024, ReliaQuest responded to an alert for Impacket activity. During the investigation, we discovered a\r\nwider trend: a campaign of escalated social engineering tactics originally associated with the ransomware group\r\n“Black Basta.”\r\nTheir previous approach involved overwhelming users with email spam, prompting them to create a legitimate\r\nhelp-desk ticket to resolve the issue. 
The attacker would then contact the end user, posing as the help desk, to\r\nrespond to the ticket.\r\nIn more recent incidents, attackers have advanced their tactics by using Microsoft Teams chat messages to\r\ncommunicate with targeted users and incorporating malicious QR codes to facilitate initial access.\r\nThe underlying motivation is likely to lay the groundwork for follow-up social engineering techniques, convince\r\nusers to download remote monitoring and management (RMM) tools, and gain initial access to the targeted\r\nenvironment. Ultimately, the attackers’ end goal in these incidents is almost certainly the deployment of\r\nransomware.\r\nThis rapidly escalating campaign poses a significant threat to organizations. The threat group is targeting many of\r\nour customers across diverse sectors and geographies with alarming intensity. The sheer volume of activity is also\r\nunique; in one incident alone, we observed approximately 1,000 emails bombarding a single user within just 50\r\nminutes. Due to commonalities in domain creation and Cobalt Strike configurations, we attribute this activity to\r\nBlack Basta with high confidence.\r\nTactic Shift—Late October 2024\r\nIn incidents during late October 2024, we observed the following changes in Black Basta’s tactics, techniques, and\r\nprocedures (TTPs):\r\nUse of Microsoft Teams Chats\r\n1. After mass email spam events, the targeted users were added to Microsoft Teams chats with external users.\r\nThese external users operated from Entra ID tenants they created to pose as support, admin, or help-desk\r\nstaff.\r\n2. 
The following tenants were observed with the following naming convention “*.onmicrosoft.com”.\r\nExamples we have seen so far include:\r\nsecurityadminhelper.onmicrosoft[.]com\r\nsupportserviceadmin.onmicrosoft[.]com\r\nsupportadministrator.onmicrosoft[.]com\r\ncybersecurityadmin.onmicrosoft[.]com\r\n3. These external users set their profiles to a “DisplayName” designed to make the targeted user think they\r\nwere communicating with a help-desk account. In almost all instances we’ve observed, the display name\r\nincluded the string “Help Desk,” often surrounded by whitespace characters, which is likely to center the\r\nname within the chat. We also observed that, typically, targeted users were added to a “OneOnOne” chat.\r\nWhat you can do: When hunting within your own environment for similar activity, we recommend searching for\r\nTeams display names that feature strings of this nature, rather than just searching for direct matches.\r\n4. Upon investigation, we found that the actions of the external users generally originated from Russia, with\r\nthe time zone data logged by Teams regularly featuring Moscow.\r\nRMM Shift/QR Codes\r\nIn recent incidents, we have also observed the threat actors enticing targeted users to use QuickAssist for the\r\n“support” sessions, not just AnyDesk. Additionally, targeted users were sent QR codes within these chats,\r\nmasquerading as legitimately branded company QR code images.\r\n1. Threat actors are using domains like the following for this QR-code phishing activity:\r\nqr-s1[.]com\r\nqr-s2[.]com\r\nqr-s3[.]com\r\nqr-s4[.]com\r\n2. In each attack, the subdomains of these domains are tailored to match the targeted organization. For\r\nexample: companyname.qr-s1[.]com.\r\n3. We’ve also observed the creation of more generic subdomains, likely used to target non-specific\r\nindividuals, rather than specific organizations. 
An example of a less specific subdomain is: l1ve.qr-s1[.]com (note the use of “1” in place of “l”).\r\n4. This pattern follows our observations from previous Black Basta campaigns, where the group used domain\r\nnaming conventions such as upd7, upd7a, upd10, upd10a.\r\n5. The exact start date of the threat actor’s use of QR codes is unclear. However, we tracked the domain\r\ndetails to find older domains created in early October that follow the same naming convention. This\r\nsuggests they were almost certainly created by the same threat actor with the intention of using QR codes.\r\nThis indicates that the threat actor likely started using or was planning to use this approach from early\r\nOctober.\r\n6. It is still unclear what the QR codes are specifically being used for. It is realistically possible that the codes\r\ndirect users to further malicious infrastructure.\r\nBlack Basta Email Spam Campaign\r\nWe have observed several advertisements on the dark web offering email spam services, which are commonly sold\r\nfor approximately $10–500. Owing to the tactic’s simplicity and low cost, even the least technically sophisticated\r\nactors can easily utilize these services.\r\nAfter spamming end users with emails, attackers followed up with a voice-over-IP phishing (vishing) phone call.\r\nDuring this call, they would attempt to convince the user to download an RMM tool and allow the attacker access\r\nto the user’s host. Notably, two users were contacted via Teams chat messages by external emails from the domains\r\nsupportadminstrator.onmicrosoft[.]com and supportserviceadmin.onmicrosoft[.]com. The attacker posed as a\r\nhelp-desk member and convinced one of the users to download AnyDesk under the guise of stopping the email\r\nspam.\r\nUsing AnyDesk, the attacker then accessed the users’ computers and installed malicious files. 
These files were\r\nnamed to appear as anti-spam programs, such as “AntispamAccount.exe,” “AntispamUpdate.exe,” and\r\n“AntispamConnectUS.exe.” The attacker downloaded the files within five minutes of running AnyDesk. The file\r\n“AntispamAccount.exe” accessed the Local Security Authority Service (LSASS), indicating it was used to collect\r\nuser credentials on the compromised host. In addition, the file “AntispamConnectUS.exe” generated network traffic to\r\nhundreds of other internal hosts, likely to discover additional resources on the network.\r\nSuccessful execution of these files led to Cobalt Strike beaconing to domains such as companymartec[.]com and\r\nhessetechnology[.]com. The threat actor likely created these domains to masquerade as legitimate organizations\r\nwithin specific industries. Following this, the Impacket module “secretsdump.py” was run, likely to capture\r\nKerberos password hashes for lateral movement.\r\nThe activity was identified and quickly contained and remediated at this stage in the attack, preventing the attack\r\nfrom progressing further in the kill chain.\r\nEmail and Teams Spam: What They Have in Common\r\nObserving the indicators associated with the Teams and email spam, we can identify the following insights.\r\nCommonality in Spam Emails:\r\nThe domains used are primarily old and related to e-commerce, finance, or service offerings.\r\nThe email addresses are typically from automated systems or services that send confirmations or\r\nnotifications (e.g., noreply@domain[.]com, subscription@domain[.]com, support@domain[.]com,\r\nhelp@domain[.]com, marketing@domain[.]com).\r\nCommon Email Subjects:\r\nThe subject lines of these emails are often similar and include:\r\n“Your account has been created”\r\n“Welcome to XYZ”\r\n“Thank you for registering”\r\n“Please verify your email”\r\n“Special offer for you”\r\nHow ReliaQuest Is Countering This Threat\r\nWe’ve been actively monitoring the evolution of Black Basta’s TTPs. 
In particular, we are watching closely for\r\nexternal chat events from unusual locations, especially those with display names like “Help Desk” from\r\nsuspicious external tenants.\r\nWe are also continuously tracking the creation of Cobalt Strike domains and adding them to our threat feeds, and\r\nmonitoring the creation of subdomains associated with QR code phishing. As these subdomains are tailored to\r\nmatch targeted organizations, this gives us a near-real-time view of which organizations and sectors are being\r\ntargeted.\r\nRecommendations\r\nTo safeguard your networks from these threats, we recommend blocking identified malicious domains and\r\nsubdomains.\r\nTo mitigate against tactics involving Microsoft Teams and QR code phishing, organizations should disable\r\ncommunication from external users within Teams to prevent unwanted chat messages from reaching end\r\nusers.\r\nWhen communication with external users is necessary, specific trusted domains can be allowlisted.\r\nAdditionally, setting up aggressive anti-spam policies within email security tools can prevent spam from\r\ninundating end users’ inboxes.\r\nEnsuring that logging is enabled for Teams, particularly the ChatCreated event, will facilitate detecting and\r\ninvestigating such activities.\r\nMicrosoft Teams accounts impersonating IT help desks typically have their names set to “Help Desk.” This\r\nstring is often surrounded by whitespace characters, likely to center the name within chats. When searching\r\nfor these accounts, organizations should search for “contains,” rather than a direct match.\r\nThe post-exploitation activities linked to these tactics, such as Impacket abuse and the deployment of\r\nCobalt Strike beacons, are neither new nor unexpected. 
Existing detection rules and security tools are well-prepared to address these threats, enabling organizations to respond effectively to these tactics.\r\nConclusion\r\nThis campaign is still evolving, with Black Basta demonstrating their ability to rapidly adapt their TTPs, likely to\r\nthwart defenders and buy themselves more time in networks to further their attacks. While their initial access\r\nmethods have changed, their post-exploitation activities are likely to remain consistent with previously observed\r\npatterns, which are covered by existing security tools and detection rules.\r\nReliaQuest provides a comprehensive suite of detection rules designed to identify Black Basta activity, enhancing\r\ncustomer resilience against the threat group’s evolving TTPs.\r\nThere has been a significant rise in ransomware actors using social engineering techniques to gain unauthorized\r\naccess to sensitive systems and data. Many of these techniques likely leverage native-English speakers, allowing\r\nfor more convincing and sophisticated phishing messages, therefore significantly raising the likelihood of\r\nsuccessfully deceiving targets.\r\nTo defend against these threats, organizations should ensure employees remain vigilant against current social\r\nengineering tactics by providing ongoing training and awareness programs that highlight the latest attacker threats\r\nand techniques. This vigilance should be paired with a robust defense-in-depth strategy, incorporating multiple\r\nlayers of security measures such as firewalls, intrusion detection systems, and regular security audits. This\r\napproach will help identify and neutralize potential suspicious activity before it can cause any harm. 
By\r\ncombining informed and alert employees with comprehensive security protocols, organizations can significantly\r\nreduce the risk of successful social engineering attacks and safeguard their critical assets.\r\nSource: https://www.reliaquest.com/blog/black-basta-social-engineering-technique-microsoft-teams/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.reliaquest.com/blog/black-basta-social-engineering-technique-microsoft-teams/"
	],
	"report_names": [
		"black-basta-social-engineering-technique-microsoft-teams"
	],
	"threat_actors": [],
	"ts_created_at": 1775434906,
	"ts_updated_at": 1775791220,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/dd86612e87e7413ae7e537afcf44d4c9283cc5d4.pdf",
		"text": "https://archive.orkl.eu/dd86612e87e7413ae7e537afcf44d4c9283cc5d4.txt",
		"img": "https://archive.orkl.eu/dd86612e87e7413ae7e537afcf44d4c9283cc5d4.jpg"
	}
}