ReliaQuest Uncovers New Black Basta Social Engineering Technique
Summary:
Researchers at ReliaQuest have uncovered a new social engineering technique that Black Basta ransomware actors use to gain an initial foothold in victim environments. Previously, these actors would overwhelm users with email spam, prompting recipients to create a legitimate help-desk ticket to resolve the issue. Black Basta operators would then contact the end user, posing as the help desk responding to the ticket. In the latest intrusions observed by ReliaQuest, Black Basta actors have started to use Microsoft Teams chat messages to communicate with targeted users. Targeted users are added to a Microsoft Teams chat with external users, which are operated from Microsoft Entra ID tenants created to pose as support, admin, or help-desk staff. These tenants further have their profiles set to a display name designed to trick the targeted user into thinking they are communicating with a help-desk account. According to researchers, targeted users are sent QR codes within these chats, masquerading as legitimately branded company QR code images. While it's unclear what the QR codes are specifically used for, researchers suspect that the end goal is to lead the end user to download remote monitoring and management tools like AnyDesk and, ultimately, ransomware.
Security Officer Comments:
The use of Microsoft Teams and QR codes represents a strategic approach employed by Black Basta actors to circumvent traditional email security measures. By exploiting Microsoft Teams, an application widely used for organizational communication, these actors aim to blend seamlessly with legitimate network traffic. Additionally, QR codes have emerged as a favored method for distributing malicious payloads. Most security tools that scan for text or hyperlinks are not capable of analyzing the embedded data within QR codes, incentivizing these actors to disseminate them via email and platforms like Microsoft Teams as a means to evade detection.
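The chat pattern described in the summary (an external sender, a display name posing as support, admin, or help-desk staff, and an image in the chat) can be expressed as a triage check over chat events. This is an added example, not code from ReliaQuest or from the original page; the event field names, tenant IDs, and sample records are hypothetical and constructed for illustration.

```python
import re
import unicodedata

# Hypothetical event schema and constructed sample data; not Microsoft's audit log format.
HOME_TENANT = "00000000-0000-0000-0000-00000000aaaa"
FOREIGN_TENANT = "00000000-0000-0000-0000-00000000bbbb"
# Roles the summary says the external accounts pose as: support, admin, help desk.
STAFF_NAME = re.compile(r"\b(help[\s-]?desk|support|admin(istrator)?)\b")
IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif"}

def normalize(name):
    """Fold compatibility forms, letter case, and padding whitespace before matching."""
    return " ".join(unicodedata.normalize("NFKC", name).casefold().split())

def score_event(event, home_tenant=HOME_TENANT):
    """Return the signals from the described pattern that this chat event shows."""
    if event["sender_tenant_id"] == home_tenant:
        return []  # internal sender, out of scope for this check
    signals = ["external-sender"]
    if STAFF_NAME.search(normalize(event["sender_display_name"])):
        signals.append("staff-style-display-name")
    # Images are flagged for analyst review only; this check does not decode QR content.
    if any(a["content_type"] in IMAGE_TYPES for a in event.get("attachments", [])):
        signals.append("image-attachment")
    return signals

def triage(events, home_tenant=HOME_TENANT):
    """Return (event id, signals) for external senders whose name poses as support staff."""
    hits = []
    for event in events:
        signals = score_event(event, home_tenant)
        if "staff-style-display-name" in signals:
            hits.append((event["id"], signals))
    return hits

SAMPLE_EVENTS = [  # constructed
    {"id": "e1", "sender_tenant_id": HOME_TENANT, "sender_display_name": "IT Help Desk",
     "attachments": []},
    {"id": "e2", "sender_tenant_id": FOREIGN_TENANT, "sender_display_name": "   Help   Desk  ",
     "attachments": [{"content_type": "image/png"}]},
    {"id": "e3", "sender_tenant_id": FOREIGN_TENANT, "sender_display_name": "Dana Rivera",
     "attachments": [{"content_type": "image/jpeg"}]},
    {"id": "e4", "sender_tenant_id": FOREIGN_TENANT, "sender_display_name": "SUPPORT-Admin",
     "attachments": []},
]

if __name__ == "__main__":
    for event_id, signals in triage(SAMPLE_EVENTS):
        print(event_id, ", ".join(signals))
```

The internal help-desk account (e1) and the external sender with an ordinary name (e3) are not raised; only external senders whose display name matches a staff role are returned for review.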
Suggested Corrections:
Recommendations from ReliaQuest:
https://www.reliaquest.com/blog/black-basta-social-engineering-technique-microsoft-teams/