Watch out Microsoft Teams users - hackers are spreading a dangerous new phishing scam, here's what we know


  • Attackers combine spam floods with fake IT support
  • Victims tricked into Quick Assist sessions deploying A0Backdoor
  • Malware enables full account takeover and remote code execution

Cybercriminals are using a new combination of spam and IT support impersonation to deploy malware and take over corporate devices, experts have warned.

Security researchers at BlueVoyant found cybercriminals would start their attack by flooding their victim’s email inbox with spam. Not long after, they would reach out to that victim, claiming to be an IT support technician tasked with solving the spam problem.

Then, they would ask the victim to start a Quick Assist remote session, through which they temporarily gain access to the target computer. There, under the pretense of “solving the spam problem”, they would deploy a piece of malware called A0Backdoor.
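For defenders, the sequence described above (an inbox flood followed shortly by a Quick Assist session for the same user) can be correlated across mail-gateway and endpoint telemetry. The sketch below is an added example, not code from BlueVoyant or the article; the event tuples, user names, thresholds and time windows are assumptions, and the sample data is constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

def mail_bursts(mail_events, size, window):
    """Map each user to the time they reached `size` messages inside `window`."""
    per_user = defaultdict(list)
    for user, ts in mail_events:
        per_user[user].append(ts)
    bursts = {}
    for user, stamps in per_user.items():
        stamps.sort()
        lo = 0
        for hi, ts in enumerate(stamps):
            while ts - stamps[lo] > window:   # slide the window start forward
                lo += 1
            if hi - lo + 1 >= size:
                bursts[user] = ts
                break
    return bursts

def suspect_sessions(mail_events, proc_events, size=50,
                     window=timedelta(minutes=30), followup=timedelta(hours=4)):
    """Flag Quick Assist launches that follow a mail burst for the same user.
    Default thresholds are assumed starting values, to be tuned per tenant."""
    bursts = mail_bursts(mail_events, size, window)
    hits = []
    for user, ts, image in proc_events:
        burst = bursts.get(user)
        if burst is None or not image.lower().endswith("quickassist.exe"):
            continue
        if timedelta(0) <= ts - burst <= followup:
            hits.append((user, burst, ts))
    return hits

# Constructed sample data, not taken from the article or any real incident.
T0 = datetime(2025, 1, 1, 9, 0)
MAIL = [("alice", T0 + timedelta(seconds=20 * i)) for i in range(60)]   # flood
MAIL += [("carol", T0 + timedelta(seconds=10 * i)) for i in range(80)]  # flood
MAIL += [("bob", T0 + timedelta(hours=i)) for i in range(5)]            # normal
PROCS = [
    ("alice", T0 + timedelta(minutes=75), "QuickAssist.exe"),  # after flood
    ("bob", T0 + timedelta(hours=2), "QuickAssist.exe"),       # no flood
    ("carol", T0 + timedelta(minutes=40), "notepad.exe"),      # no session
]

if __name__ == "__main__":
    for user, burst, launch in suspect_sessions(MAIL, PROCS):
        print(f"{user}: mail burst at {burst}, Quick Assist started {launch}")
```

Only the first user is flagged: the second launches Quick Assist without a preceding flood, and the third is flooded but never starts a session.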

Black Basta is back?

Masquerading as Microsoft Teams components and the CrossDeviceService, the malware is deployed and activated using DLL sideloading.

The result is full account takeover, giving attackers remote code execution (RCE) capabilities. That means they can run arbitrary commands or scripts, download and execute additional malware unabated, steal data freely, and move laterally, or deeper, through the network. Finally, they can maintain persistence and long-term access, or turn the device into a relay for further attacks.

Attribution is relatively difficult, so we can’t know for certain who is behind the attacks, but according to Cybersecurity News, the activity “overlaps with tactics previously tied to Blitz Brigantine”, a group also known as Storm-1811. This is a financially motivated threat actor that Microsoft previously linked to Black Basta.

For those with shorter memory spans, Black Basta used to be one of the most notorious ransomware gangs, but the group effectively ceased operations and went silent in early 2025.

So far, the group hit two victims - a financial institution in Canada and a global healthcare organization. The names have not yet been shared, and the group has not publicly claimed responsibility for the attacks.

Via BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.