Skip to content

Beware of IT Support Chat Requests in Microsoft Teams

One of our responsibilities as an IT Service Provider is to keep our clients informed about the latest attacks. New threats emerge every day bypassing traditional email-based security defenses and we are constantly working to evolve our security practices and alert clients of new threats as they emerge. One tricky social engineering tactic re-surfacing uses Microsoft Teams to impersonate corporate IT support to assist employees with email spam issues. In this blog post, we will outline what it is and how you can prevent your employees from falling for it.  

How it Works 

The attack typically begins with Black Basta, a group known for its adaptive social engineering tactics using external Teams accounts configured under names resembling legitimate help desks, such as “SupportServiceAdmin” or “CybersecurityAdmin” to initiate chat messages impersonating IT support. They often flood inboxes with junk mail to create a sense of urgency. Their objective is to establish rapport and persuade targets to install remote access tools like AnyDesk or enable screen sharing via Windows Quick Assist.  

Once connected their ultimate goal is to deploy ransomware, lock down files and demand ransom payments. The group has also reportedly used QR codes in some Teams chats. 

Prevention 

This transition to Microsoft Teams highlights Black Basta’s ability to quickly adapt to security measures. Given the widespread use of Microsoft Teams in corporate environments, it makes for a lucrative tool to exploit employee’s trust, sidestepping external security protocols.  

In response to this threat, Microsoft stated in May 2024: 

“Microsoft is investigating the use of Quick Assist in these attacks and is working on improving the transparency and trust between helpers and sharers, and incorporating warning messages in Quick Assist to alert users about possible tech support scams... Microsoft has taken action to mitigate this by suspending identified accounts and tenants associated with inauthentic behavior.” 

Current recommendations are as follows: 

  • Security Awareness Training: Exercise vigilance when responding to any unusual requests. Remember to only use established communication channels when in need of IT support 
  • External communication on Teams should be limited to known domains
  • Proactive monitoring of unusual chat events 
  • Deployment of advanced threat-hunting strategies
  • Managed Detection & Response for Microsoft 365

This threat reinforces the ever-evolving landscape of cyber attacks and the ongoing need for continuous security hardening. Not sure if your business is prepared to prevent attacks like these? Reach out to us to learn about our Managed Security Services. 

 

We are local!

WE HAVE PRESENCE IN VICTORIA, VANCOUVER, PRINCE GEORGE, CALGARY, AND TORONTO.