Microsoft Support Scam Uses Proven Social Engineering Technique Against Organizations

The Black Basta ransomware group is targeting businesses by impersonating Microsoft support.

Black Basta uses social engineering tactics, starting with a flood of spam emails. They then send malicious messages via Microsoft Teams, posing as IT support staff using the .onmicrosoft.com domain.

The attackers send legitimate-looking but harmful links or QR codes in Teams chats. These links can trick victims into installing remote-access software such as AnyDesk or Quick Assist, allowing the attackers to gain control of their computers.

The ultimate goal is to breach company systems and lock up internal data for a ransom. This method has been a common strategy for cybercriminals for years.

The article advises changing Microsoft Teams security settings to disable messages or calls from unknown users, ensuring email spam filters are properly set up, and being cautious of unsolicited support contacts.

https://www.pcmag.com/news/ransomware-group-impersonates-microsoft-support-to-breach-businesses and https://www.uctoday.com/unified-communications/black-basta-ransomware-impersonates-teams-it-support-attacks-100s-of-businesses/

Commentary

According to the source, Black Basta has been active since at least 2022, attacking more than 329 organizations globally and earning an estimated $107 million through ransomware attacks.

At the heart of many social engineering campaigns is the goal of creating panic and then swooping in to help you solve the problem the criminals themselves created. In this case, Black Basta floods inboxes with spam and then reaches out impersonating Microsoft support, claiming to be able to solve the problem while placing ransomware on your system.

First, never panic.

Second, always question unexpected messages (even those claiming to help).

Third, investigate the problem online. It is likely you are not the first target, and you will find a thread describing the scam.

Fourth, always reach out independently to a software provider. Never use the contact information from spam.

The real Microsoft domain for official communications is typically microsoft.com. For example, email addresses and links from Microsoft would look like support@microsoft.com or https://www.microsoft.com.

In contrast, the Black Basta ransomware group has been using fake domains that mimic Microsoft's format but are not legitimate. These fake domains often include .onmicrosoft.com but with misleading prefixes. Some examples of these fake domains are:

  • 1helpyou.onmicrosoft.com
  • Assistingyou.onmicrosoft.com
  • Spamshieldmanager.onmicrosoft.com
  • Supporthelper.onmicrosoft.com

The final takeaway is to stay vigilant and verify the authenticity of any communication that claims to be from Microsoft, especially if it includes unusual requests or links.
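The domain advice above can be turned into a mechanical check. The example below is added here and is not code from the article or from any of its sources. It assumes the rule the commentary gives: official Microsoft communication comes from microsoft.com, while *.onmicrosoft.com is the default tenant domain any Microsoft 365 customer (including an attacker) can register, so a support-themed name under that suffix deserves scrutiny rather than trust. The sample senders are constructed from the four tenant names listed above plus the two legitimate examples; the `evil.example` URL is a constructed illustration of a link whose visible text mentions microsoft.com but whose real host does not.

```python
"""Classify a Teams/email sender or link by the domain that actually controls it.

Added example (not from the original article). Verdicts:
  "microsoft"          host is microsoft.com or a subdomain of it
  "onmicrosoft-tenant" host is <tenant>.onmicrosoft.com: tenant-chosen, not Microsoft support
  "other"              anything else
  "unparseable"        no host could be recovered
"""
from email.utils import parseaddr
from urllib.parse import urlsplit

OFFICIAL_SUFFIX = "microsoft.com"     # stated in the commentary as the official domain
TENANT_SUFFIX = "onmicrosoft.com"     # default tenant domain; the prefix is chosen by the tenant owner
# Words seen in the tenant names quoted in the article; used only to explain a verdict.
SUPPORT_THEMED_WORDS = ("help", "support", "assist", "spam", "shield")


def sender_host(sender: str) -> str:
    """Extract the real host from an email address, a 'Name <addr>' string, a URL or a bare domain."""
    text = sender.strip()
    if "://" in text:
        # urlsplit().hostname discards any 'user@' portion, so a URL such as
        # https://www.microsoft.com@evil.example/ resolves to evil.example, not microsoft.com.
        host = urlsplit(text).hostname or ""
    elif "@" in text:
        _, addr = parseaddr(text)
        host = addr.rpartition("@")[2]
    else:
        host = text  # bare domain name, as quoted in the article's list
    return host.lower().rstrip(".")


def _under(host: str, suffix: str) -> bool:
    """True if host equals suffix or is a subdomain of it (label-aware, so x.onmicrosoft.com is not under microsoft.com)."""
    return host == suffix or host.endswith("." + suffix)


def classify_sender(sender: str) -> str:
    host = sender_host(sender)
    if not host:
        return "unparseable"
    if _under(host, TENANT_SUFFIX):
        return "onmicrosoft-tenant"
    if _under(host, OFFICIAL_SUFFIX):
        return "microsoft"
    return "other"


def triage(senders):
    """Return (sender, verdict, reason) for every sender that should not be trusted as Microsoft support."""
    findings = []
    for sender in senders:
        verdict = classify_sender(sender)
        if verdict == "microsoft":
            continue
        host = sender_host(sender)
        reason = "host is not under microsoft.com"
        if verdict == "onmicrosoft-tenant":
            tenant = host[: -len("." + TENANT_SUFFIX)]
            themed = [w for w in SUPPORT_THEMED_WORDS if w in tenant]
            reason = f"tenant '{tenant}' is customer-registered, not Microsoft support"
            if themed:
                reason += f"; support-themed words: {', '.join(themed)}"
        findings.append((sender, verdict, reason))
    return findings


# Constructed sample input: the legitimate examples and tenant names quoted in the commentary,
# plus one constructed URL whose visible prefix mentions microsoft.com but whose host does not.
SAMPLE_SENDERS = [
    "support@microsoft.com",
    "https://www.microsoft.com",
    "IT Support <helpdesk@1helpyou.onmicrosoft.com>",
    "Assistingyou.onmicrosoft.com",
    "Spamshieldmanager.onmicrosoft.com",
    "Supporthelper.onmicrosoft.com",
    "https://www.microsoft.com@evil.example/",
]

if __name__ == "__main__":
    for sender, verdict, reason in triage(SAMPLE_SENDERS):
        print(f"{verdict:18} {sender!r}: {reason}")
```

The check is deliberately about the host that controls the message or link, not about the words in the name: a support-themed tenant name is explained in the reason string but never upgrades the verdict. A real microsoft.com sender is still only "probably legitimate"; the fourth rule above (contact the vendor independently) applies regardless of what this classifier says.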

Additional sources: https://www.reliaquest.com/blog/black-basta-social-engineering-technique-microsoft-teams/
