Recognize and prevent social engineering attacks on Microsoft Teams
Tshedimoso Makhene November 30, 2024
In October 2024, cybersecurity experts uncovered a troubling shift in the tactics of the notorious Black Basta ransomware group, known for its aggressive cyberattacks. This time, instead of relying solely on traditional methods like phishing emails, Black Basta has turned to Microsoft Teams as a potent weapon for social engineering. Read on to learn about the evolving cyberattack strategy, how to recognize it, and practical prevention recommendations to protect your organization.
The new cyberattack tactic
For years, email-based social engineering attacks have been the primary method used by cybercriminals to gain access to sensitive information or infiltrate networks. However, Black Basta has recently upped the ante by exploiting Microsoft Teams, a trusted communication tool used by millions of businesses globally. This shift allows attackers to bypass traditional email security tools and prey on employees who are familiar and comfortable with the platform.
Black Basta’s tactic begins with a flood of non-malicious spam emails. These emails often appear harmless at first, but their purpose is to overwhelm users' inboxes and trick them into interacting with malicious content. Once the attackers have garnered the victim's attention, they shift to Teams, where they impersonate IT help desk personnel or colleagues. By posing as trusted figures within the organization, attackers convince users to install remote access tools, such as Quick Assist or AnyDesk, which allow them to infiltrate the network.
Once the attackers gain remote access, they deploy malware for persistent control, enabling them to move laterally within the network, steal sensitive data, and potentially execute a full ransomware attack. With this method, Black Basta has successfully compromised organizations across finance, technology, and government contracting sectors, resulting in financial losses exceeding $15 million, according to ReliaQuest, a leading threat research firm.
Using Paubox
Using HIPAA compliant email solutions like Paubox Email Suite can significantly bolster cybersecurity in the case of social engineering attacks, such as those carried out by Black Basta. Paubox Email Suite ensures that all emails are encrypted, making it far more difficult for attackers to intercept or manipulate email communications. By securing email content, Paubox eliminates one common entry point for cybercriminals using phishing or impersonation tactics to steal sensitive information. Additionally, Paubox integrates seamlessly with existing email platforms, offering a user-friendly solution without the need for complex encryption procedures. This added layer of protection helps prevent attackers from exploiting email as a vector to trick employees into clicking malicious links or disclosing confidential data, thus reducing the risk of a successful attack and safeguarding sensitive information from unauthorized access.
How to recognize this attack
Given the reliance on Microsoft Teams, recognizing this type of social engineering attack can be tricky. However, there are key signs to look out for:
- Unexpected Teams messages: Be wary of unsolicited messages, especially from unfamiliar accounts or contacts, even if they seem to come from internal sources. Attackers often spoof legitimate IT or management accounts to gain trust.
- Requests for remote assistance: If you receive a sudden request to install remote access software like Quick Assist or AnyDesk, verify the request through official channels before taking any action. IT departments will usually provide clear instructions and never pressure you for immediate action.
- Urgent requests or threats: Cybercriminals often create a sense of urgency to pressure victims into acting quickly. If the message sounds too urgent, offers a reward, or threatens negative consequences, take a step back and verify the request through alternative means.
- Unusual behavior: If the message or communication feels off, whether it’s in tone, urgency, or how the request is made, don’t hesitate to question its authenticity.
Prevention recommendations
Organizations must stay one step ahead of cybercriminals by implementing proactive strategies to defend against social engineering attacks via Microsoft Teams. Here are key prevention measures:
Disable external communications in Teams
One of the most effective ways to mitigate the risk of social engineering attacks is to limit external communications within Teams. Allow messages only from trusted domains and block external accounts from sending messages to internal users.
Enable logging and alerts for suspicious activity
Set up alerts for unusual activities within Teams, such as unfamiliar accounts sending messages or unexpected Teams ChatCreated events. Monitoring these activities will allow security teams to act quickly before any damage is done.
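The trusted-domain rule and the ChatCreated alert described above can be combined into one triage check. The following is an added example, not code from Paubox or Microsoft; the record layout, domain names and lure terms are constructed assumptions for illustration.

```python
import json

# Assumption: domains the organization trusts for Teams chat (constructed values).
TRUSTED_DOMAINS = {"example.com", "partner.example"}
# Assumption: display-name terms typical of a help desk impersonation lure.
LURE_TERMS = ("help desk", "helpdesk", "it support", "service desk")

# Constructed audit records, one JSON object per line, in an assumed simplified layout.
SAMPLE_LOG = """
{"CreationTime": "2024-10-21T14:02:11", "Operation": "ChatCreated", "UserId": "alice@example.com", "Members": [{"UPN": "alice@example.com", "DisplayName": "Alice A"}, {"UPN": "bob@example.com", "DisplayName": "Bob B"}]}
{"CreationTime": "2024-10-21T14:05:40", "Operation": "ChatCreated", "UserId": "helpdesk@it-support.example.net", "Members": [{"UPN": "helpdesk@it-support.example.net", "DisplayName": "Help Desk Manager"}, {"UPN": "carol@example.com", "DisplayName": "Carol C"}]}
{"CreationTime": "2024-10-21T15:30:02", "Operation": "ChatCreated", "UserId": "dana@vendor.example.org", "Members": [{"UPN": "dana@vendor.example.org", "DisplayName": "Dana D"}, {"UPN": "bob@example.com", "DisplayName": "Bob B"}]}
{"CreationTime": "2024-10-21T15:31:00", "Operation": "MessageSent", "UserId": "dana@vendor.example.org", "Members": []}
{"CreationTime": "2024-10-21T15:32:00", "Operation": "ChatCre
"""

def domain_of(upn):
    return upn.rsplit("@", 1)[-1].lower() if "@" in upn else ""

def triage(record):
    """Return an alert dict for a chat created by an untrusted domain, else None."""
    if not isinstance(record, dict) or record.get("Operation") != "ChatCreated":
        return None
    initiator = record.get("UserId", "")
    if domain_of(initiator) in TRUSTED_DOMAINS:
        return None
    members = record.get("Members", [])
    name = next((m.get("DisplayName", "") for m in members
                 if m.get("UPN", "").lower() == initiator.lower()), "")
    lure = any(term in name.lower() for term in LURE_TERMS)
    return {
        "time": record.get("CreationTime"), "initiator": initiator, "display_name": name,
        "targets": [m["UPN"] for m in members if domain_of(m.get("UPN", "")) in TRUSTED_DOMAINS],
        "severity": "high" if lure else "medium",  # help desk branding raises priority
    }

def scan(log_text):
    """Triage every parseable line; malformed or truncated lines are skipped."""
    alerts = []
    for line in log_text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = triage(record)
        if alert:
            alerts.append(alert)
    return alerts
```

Map the field names to whatever your audit log export actually emits before using the check against real data.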
Strengthen anti-spam policies
While email security tools are crucial, employees must also be educated about identifying spam and phishing attempts. Strengthen anti-spam filters, and implement measures to flag suspicious emails or messages. It’s also important to regularly review and update these policies to adapt to new threats.
Implement multi-factor authentication (MFA)
Ensure that all employees use MFA for their accounts. MFA adds an extra layer of security, making it harder for attackers to gain access even if they have compromised login credentials.
Conduct regular phishing simulations
Testing your staff with simulated phishing and social engineering attacks is an excellent way to identify vulnerabilities and ensure that employees are prepared for the real thing. Regular testing helps reinforce training and assess the effectiveness of your defense measures.
FAQs
What is social engineering?
Social engineering is a manipulation technique used by cybercriminals to deceive individuals into revealing confidential information, performing actions, or granting unauthorized access to systems by exploiting human psychology and trust.
How do social engineering attacks work?
Social engineering attacks exploit human behavior and emotions to gain access to sensitive information or systems. Attackers typically impersonate trusted figures or create fabricated scenarios to trick victims into divulging personal information, clicking on malicious links, or installing harmful software.
Why is social engineering so effective?
Social engineering is effective because it exploits natural human instincts, such as trust, fear, or curiosity, making it easier for attackers to bypass security protocols. People often let their guard down when they receive requests from familiar sources or when they’re under pressure to act quickly.