Fake IT Support Calls Trick Microsoft Teams Users into Installing Ransomware

Ever had a "tech support" call from someone who somehow knows exactly what’s wrong with your computer before you even tell them? Yeah, that’s a red flag. Scammers are getting smarter, and now, they’re using Microsoft Teams to trick employees into giving them remote access to their computers—and it’s leading straight to ransomware attacks.

A new warning from cybersecurity researchers at Trend Micro reveals that cybercriminals are now pretending to be IT support staff, flooding inboxes with emails before contacting victims via Microsoft Teams or phone calls. Their goal? To convince users to grant remote access, ultimately deploying ransomware from notorious groups like Black Basta and Cactus.


How It Works

  1. Email Flooding: Victims first receive an overwhelming number of emails, creating confusion and making them more likely to accept help.
  2. Fake IT Support Contact: Shortly after, a scammer reaches out via Microsoft Teams or a phone call, pretending to be from the IT department.
  3. Remote Access Scam: The scammer convinces the target to use a legitimate Windows feature called Quick Assist, which allows remote access for troubleshooting.
  4. Hidden Malware Installation: Once inside the system, attackers drop seemingly harmless files that eventually unpack into a backdoor malware called BackConnect.
  5. Ransomware Deployment: With full control of the victim’s computer, the scammers encrypt files and demand a ransom to unlock them.
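For a security team, the steps above leave a trail that can be correlated: a mail flood, an external Teams contact, then a Quick Assist launch for the same user. The following is an added detection sketch, not code from the original article or from Trend Micro; the event-type names, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(hhmm, user, kind):
    return (datetime.fromisoformat(f"2025-03-03T{hhmm}:00"), user, kind)

# Constructed sample events, not real telemetry. The event-type names are
# assumptions: map them to your mail gateway, Teams audit and EDR process logs.
EVENTS = (
    # alice: 30 inbound mails in 30 minutes, external Teams chat, Quick Assist
    [_ev(f"09:{m:02d}", "alice", "email_in") for m in range(30)]
    + [_ev("09:35", "alice", "teams_external_chat"),
       _ev("09:41", "alice", "quickassist_start")]
    # bob: Quick Assist with no flood beforehand (ordinary helpdesk session)
    + [_ev("10:00", "bob", "email_in"), _ev("10:05", "bob", "quickassist_start")]
    # carol: mail burst only, no remote session
    + [_ev(f"11:{m:02d}", "carol", "email_in") for m in range(30)]
)

def detect_chain(events, flood_threshold=20, flood_window=timedelta(minutes=30),
                 follow_window=timedelta(minutes=60)):
    """Alert when a Quick Assist launch follows a mail flood for the same user.

    Severity is "high" if an external Teams chat falls between the start of
    the flood and the launch, otherwise "medium".
    """
    by_user = defaultdict(list)
    for ts, user, kind in sorted(events):
        by_user[user].append((ts, kind))
    alerts = []
    for user, evs in by_user.items():
        mails = [ts for ts, kind in evs if kind == "email_in"]
        chats = [ts for ts, kind in evs if kind == "teams_external_chat"]
        for qa in (ts for ts, kind in evs if kind == "quickassist_start"):
            # Only mail received in the look-back period before the launch counts.
            recent = [m for m in mails if qa - follow_window <= m <= qa]
            # Sliding window: first run of flood_threshold mails inside flood_window.
            flood_start = next(
                (recent[i] for i in range(len(recent) - flood_threshold + 1)
                 if recent[i + flood_threshold - 1] - recent[i] <= flood_window),
                None)
            if flood_start is None:
                continue  # no flood: treat as a normal support session
            contacted = any(flood_start <= c <= qa for c in chats)
            alerts.append({"user": user, "quickassist_at": qa.isoformat(),
                           "severity": "high" if contacted else "medium"})
    return alerts
```

Thresholds need tuning against each organization's normal mail volume and legitimate helpdesk use of Quick Assist.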


Who’s Targeted?

This scam is primarily hitting organizations in North America, with the United States being the most affected. Industries at high risk include:

  • Manufacturing
  • Finance
  • Investment Consulting
  • Real Estate

Employees who frequently use Microsoft Teams and other collaboration tools are particularly vulnerable.


Real-Life Example

A recent Trend Micro report uncovered that the Black Basta gang, which made over $100 million from victims in 2023, has been using this technique since at least October 2024. Some of their members are believed to have migrated to another ransomware group, Cactus, as similar tactics were observed in recent attacks. One of the main clues? Leaked internal chats from Black Basta showing they actively try to bypass security tools like Trend Micro’s defenses.


Why You Should Care

This isn’t just a phishing scam—it’s a direct attack on businesses and individuals that could result in severe financial and data losses. With ransomware groups constantly evolving their tactics, unsuspecting employees are at risk of losing sensitive data, suffering financial damages, and even facing business disruptions due to locked systems.


How to Protect Yourself

  • Verify IT Requests: If someone contacts you claiming to be from IT support, confirm their identity through official channels before granting access.
  • Avoid Clicking on Suspicious Links: Do not interact with unexpected emails, especially if they are part of a sudden email flood.
  • Use Multi-Factor Authentication (MFA): This adds an extra layer of security to prevent unauthorized access.
  • Keep Your Software Updated: Regular updates help protect against vulnerabilities exploited by attackers.
  • Report Suspicious Activity: Notify your cybersecurity team immediately if you receive unexpected IT support requests.


Quick Tips & Updates

  • Quick Tip #1: "Did you know? Attackers often use real IT tools like Quick Assist to trick you into thinking their access is legitimate. Always double-check!"
  • Quick Tip #2: "Pro Tip: If an IT support call comes out of nowhere and asks for remote access, stop and verify through your official IT helpdesk."


Stay safe, stay informed.


Keyword Definitions:

  • Ransomware – A type of malware that encrypts files and demands payment to unlock them.
  • Backdoor – A hidden way for attackers to gain access to a system without the user’s knowledge.
  • Social Engineering – Manipulating people into revealing confidential information or performing actions.
  • Quick Assist – A legitimate Windows tool that allows remote access for IT support.
  • Microsoft Teams – A communication platform used by businesses for messaging, calls, and meetings.
  • Multi-Factor Authentication (MFA) – An extra security step requiring more than just a password to log in.
