Cybersecurity experts at Microsoft are warning Office users of an elaborate new malware campaign that involves fake subscriptions and fraudulent call centers.
Researchers at Microsoft Security Intelligence (MSI), who are actively tracking the campaign dubbed BazaCall, warn that the eventual goal of the threat actors is to deploy ransomware.
“We're tracking an active BazaCall malware campaign leading to human-operated attacks and ransomware deployment,” MSI shared via its official Twitter account.
The team added that the campaign gets its name from the BazaLoader malware that it seeks to deploy.
Describing the modus operandi of the attack, MSI notes that the campaign, inspired by a traditional tech-support scam, first uses emails to lure recipients into ringing up a number to cancel their supposed subscription to a particular service.
Once the unsuspecting user is speaking to the threat actors at the fraudulent call center, they are instructed to download an Excel file in order to cancel the service. MSI says that this Excel file contains a malicious macro that downloads the BazaLoader malware.
MSI says that while Microsoft 365 Defender is equipped to identify and defend against such spurious emails, it is the lack of any tell-tale malicious elements in the emails that is currently proving to be a challenge.
Even as they continue to study and understand the ongoing campaign in detail, the MSI team has shared advanced hunting queries to help IT and cybersecurity staff identify signs of the campaign, including the fraudulent emails, in order to nip the attack in the bud.
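A triage heuristic for the lure described above, as an added example (it is not one of Microsoft's hunting queries and not code from this article): it flags mail that pairs a subscription-cancellation pretext and a phone number with the absence of any link or attachment. The keyword lists, phone pattern and sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string

# Assumed lure vocabulary and phone format; tune to your own mail flow.
LURE = re.compile(r"\b(subscription|free trial|renew\w*|charged|cancel\w*)\b", re.I)
CALL = re.compile(r"\b(call|dial|phone|ring)\b", re.I)
PHONE = re.compile(r"(?<!\d)(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}(?!\d)")
URL = re.compile(r"https?://|\bwww\.", re.I)

def _parts(msg):
    """Return (plain-text body, has_attachment) for a parsed message."""
    text, attached = [], False
    for part in msg.walk():
        if part.is_multipart():
            continue
        if part.get_content_disposition() == "attachment" or part.get_filename():
            attached = True
        elif part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            text.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(text), attached

def triage(raw):
    """Score one RFC 5322 message; 'review' is set only when every signal agrees."""
    msg = message_from_string(raw)
    body, attached = _parts(msg)
    haystack = f"{msg.get('Subject', '')}\n{body}"
    signals = {
        "subscription_lure": bool(LURE.search(haystack)),
        "asks_to_call": bool(CALL.search(haystack)),
        "phone_number": bool(PHONE.search(haystack)),
        # The absence of links and files is itself the signal for this lure.
        "no_url": not URL.search(haystack),
        "no_attachment": not attached,
    }
    signals["review"] = all(signals.values())
    return signals

# Constructed sample messages (not taken from the campaign).
LURE_MAIL = ("From: billing@example.test\nSubject: Your trial ends today\n\n"
             "Your subscription will be renewed and your card charged.\n"
             "To cancel, call 1-555-010-0199.\n")
NEWSLETTER = ("From: news@example.test\nSubject: Manage your subscription\n\n"
              "To cancel, visit https://example.test/account or call 555-010-0100.\n")
CHAT = "From: a@example.test\nSubject: Lunch\n\nCall me on 555-010-0142 about lunch.\n"

if __name__ == "__main__":
    for name, raw in [("lure", LURE_MAIL), ("newsletter", NEWSLETTER), ("chat", CHAT)]:
        print(name, triage(raw))
```

A hit is a prompt for analyst review, not a verdict: legitimate billing notices can match the same pattern.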