Hackers are increasingly targeting Microsoft Teams users with phishing-style social engineering, using fake calls and screen-sharing requests to try to breach corporate networks. A federal advisory from the Cybersecurity and Infrastructure Security Agency (CISA), issued with U.S. government partners, describes this approach in connection with Black Basta ransomware affiliate tradecraft and broader initial-access patterns. The tactic highlights how threat actors can abuse trusted collaboration platforms as an entry point for extortion campaigns.
How Black Basta Affiliates Weaponize Teams
The attack chain begins with deception, not code. Black Basta affiliates impersonate IT support staff or colleagues, then initiate what appears to be a routine Microsoft Teams call. The goal is to build enough trust that the target agrees to share their screen or grant remote access. Once that door opens, the attacker can deploy malware, harvest credentials, and move laterally through the network toward high-value systems and data.
What makes this approach effective is its simplicity. Employees are conditioned to respond to internal communications on Teams without the same suspicion they might apply to an unexpected email from an unknown sender. A call that looks like it originates from a company IT department triggers cooperation, not caution. Attackers exploit that reflex to bypass technical defenses entirely, relying on human behavior rather than software vulnerabilities.
The federal ransomware advisory on Black Basta specifically identifies remote-access tools such as Quick Assist and AnyDesk as key components of this attack sequence. After convincing a victim to join a call or share their screen, the attacker directs them to install or activate one of these tools. Quick Assist, which ships natively with Windows, is especially dangerous in this context because it does not require any additional download, and employees may already associate it with legitimate IT support sessions.
AnyDesk serves a similar function. If a victim grants access, these tools can give an attacker significant control of the machine, effectively handing over the keys to the network. From there, the affiliate can attempt to escalate privileges, disable security software, and stage ransomware payloads for deployment across connected systems. In some cases, the attacker may also use these sessions to exfiltrate sensitive files before encryption, increasing leverage during ransom negotiations.
Why Collaboration Platforms Are Prime Targets
The shift toward targeting Teams and similar platforms reflects a broader change in how ransomware operators think about initial access. Traditional phishing emails remain common, but security teams have spent years training employees to spot suspicious links and attachments. Collaboration tools like Teams sit in a different mental category for most workers. They feel internal, safe, and verified by default.
That assumption is wrong, and attackers know it. Teams allows external users to initiate contact with employees at other organizations under certain configurations. Even when external access is restricted, compromising a single account within a company gives an attacker the ability to message and call anyone on the internal directory. The platform’s design, built around speed and frictionless communication, works against security when an adversary is behind the keyboard.
The broader concern is that this tactic scales easily. A single compromised account can be used to target dozens of employees across departments, each call appearing to come from a trusted colleague. Unlike email phishing, which often requires customized lures for each target, a Teams-based approach lets attackers reuse the same playbook with minimal adaptation. The social proof of a live voice call adds a layer of urgency and authenticity that static phishing messages cannot match.
For attackers, the economics are favorable. Once they script a convincing IT support scenario and establish a workflow for guiding victims through enabling remote access, they can repeat it rapidly. For defenders, each of those calls represents a separate human decision point where a single mistake can compromise the environment.
The Federal Response and Its Limits
CISA’s advisory, titled “#StopRansomware: Black Basta,” represents the federal government’s most direct public acknowledgment that collaboration-platform abuse has become a standard part of ransomware affiliate playbooks. The advisory was issued with U.S. government partners and maps Black Basta tradecraft to the MITRE ATT&CK framework, giving security teams a structured way to identify and respond to these techniques.
Yet the advisory also highlights a gap. While it describes the tactics, techniques, and procedures affiliates use, it stops short of providing specific incident data, victim counts, or ransom payment figures tied to Teams-based attacks. That absence makes it difficult for organizations to quantify their own risk exposure. A company deciding whether to invest in additional employee training or restrict remote-access tool usage has limited hard data to justify the expenditure.
Federal advisories, no matter how detailed, function as warnings rather than shields. They inform defenders about what to look for without directly preventing the next attack. The gap between awareness and action remains the central challenge for most organizations.
Moreover, the guidance largely assumes that organizations have the resources and staffing to translate high-level threat descriptions into concrete controls. Smaller enterprises, local governments, and healthcare providers often lack dedicated security teams. For them, the practical question is not whether Black Basta is using Teams, but how to change day-to-day workflows so that a single convincing call does not lead to a crisis.
What Most Coverage Gets Wrong
Much of the reporting around Teams phishing treats it as a new variant of an old problem, essentially email phishing with a different delivery mechanism. That framing misses the more significant shift. Voice-based social engineering through collaboration platforms introduces a real-time, interactive element that static phishing lacks. An attacker on a live call can adapt their story, respond to skepticism, and apply pressure in ways that a pre-written email never could.
This distinction matters because it changes the defensive calculus. Email security tools can scan attachments, flag suspicious links, and quarantine messages before they reach a user. Teams calls offer no equivalent automated checkpoint. Tools that analyze live voice conversations for social engineering indicators in real time are rarely deployed in workplaces. The defense therefore falls heavily on the individual employee’s ability to recognize the attack while it is happening.
The emerging risk of AI-driven voice synthesis compounds this problem. If an attacker can clone the voice of a known IT administrator or manager, the social engineering becomes far more convincing. Current detection tools are not built to handle that scenario, and most organizations have no protocol for verifying the identity of a caller on an internal platform. The assumption that an internal Teams call is inherently trustworthy is the exact vulnerability these campaigns exploit.
Coverage that focuses solely on the malware or encryption routines used by Black Basta misses this human dimension. The most sophisticated ransomware payload is irrelevant if the initial intrusion never succeeds. In these campaigns, the payload is almost an afterthought; the real innovation lies in how attackers manipulate trust on platforms designed to streamline communication.
Practical Steps That Actually Reduce Risk
Organizations that want to defend against this specific attack vector need to focus on three areas. First, restrict or disable remote-access tools like Quick Assist and AnyDesk on endpoints where they are not operationally necessary. If IT support staff need these tools, limit their availability to designated machines and require secondary approval before any remote session begins. Application allowlisting and endpoint management policies can enforce these restrictions.
Second, enforce multi-channel verification for any unsolicited support request. Employees should be trained that if someone calls on Teams claiming to be from IT and asks for screen sharing or remote access, the correct response is to hang up and contact IT through a known channel, such as a ticketing system or published help desk number. This simple habit converts a high-risk, real-time interaction into a controlled, verifiable process.
Third, update security awareness training to account for live collaboration attacks, not just email phishing. Role-play scenarios in which staff practice declining unexpected screen-share requests, questioning the caller’s identity, and escalating suspicious contacts can build muscle memory. Training should emphasize that politeness is not a security requirement; it is acceptable to say no, disconnect, and verify.
Technical teams should also review Teams configuration options. Where possible, restrict external tenants that can initiate chats and calls, and monitor for anomalous usage patterns, such as a single account suddenly placing numerous voice calls outside normal hours. While these measures will not stop every attack, they raise the bar and reduce the pool of easy targets.
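As an added illustration, not code from the advisory or from this article, the following Python script correlates constructed Teams call records with constructed endpoint process-start events to surface the two signals described above: a Quick Assist or AnyDesk launch shortly after a call to that user (the remote-access concern from the first step), and a single account placing several calls outside business hours (the monitoring guidance here). The log layout, thresholds, account names and every log line are assumptions built for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

REMOTE_TOOLS = {"quickassist.exe", "anydesk.exe"}
BUSINESS_HOURS = range(8, 18)      # 08:00-17:59 local time is treated as normal
BURST_THRESHOLD = 3                # off-hours outbound calls before an account is flagged
WINDOW = timedelta(minutes=15)     # tool start this soon after a call is suspicious

# Constructed sample telemetry (not real logs): "timestamp,caller,callee,kind"
# for Teams calls and "timestamp,host,user,process" for endpoint process starts.
CALLS = """\
2024-05-01T09:05:00,helpdesk@corp.example,alice@corp.example,internal
2024-05-01T21:10:00,support@outside.example,bob@corp.example,external
2024-05-01T22:00:00,carol@corp.example,dave@corp.example,internal
2024-05-01T22:04:00,carol@corp.example,erin@corp.example,internal
2024-05-01T22:09:00,carol@corp.example,frank@corp.example,internal
"""
PROCESSES = """\
2024-05-01T09:20:00,WS-ALICE,alice@corp.example,outlook.exe
2024-05-01T09:30:00,WS-HELP,helpdesk@corp.example,AnyDesk.exe
2024-05-01T21:18:00,WS-BOB,bob@corp.example,QuickAssist.exe
2024-05-01T22:20:00,WS-FRANK,frank@corp.example,AnyDesk.exe
"""

def parse(text):
    """Split comma-separated lines into (datetime, *fields) tuples."""
    rows = []
    for line in text.strip().splitlines():
        ts, *fields = line.split(",")
        rows.append((datetime.fromisoformat(ts), *fields))
    return rows

def tool_after_call(calls, procs, window=WINDOW):
    """(user, tool, minutes_after_call, call_kind) for each remote-access tool
    that started under a user's account within `window` of that user being called."""
    hits = []
    for p_ts, _host, user, proc in procs:
        if proc.lower() not in REMOTE_TOOLS:
            continue
        for c_ts, _caller, callee, kind in calls:
            if callee == user and timedelta(0) <= p_ts - c_ts <= window:
                hits.append((user, proc, int((p_ts - c_ts).total_seconds() // 60), kind))
    return hits

def offhours_bursts(calls, threshold=BURST_THRESHOLD):
    """{caller: count} for accounts placing >= threshold calls outside business hours."""
    counts = Counter(caller for ts, caller, _callee, _kind in calls
                     if ts.hour not in BUSINESS_HOURS)
    return {c: n for c, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    print(tool_after_call(parse(CALLS), parse(PROCESSES)))
    print(offhours_bursts(parse(CALLS)))
```

The AnyDesk start on the help desk machine is deliberately not flagged, since that account was never a callee; in practice the call records would come from the Teams call-quality or audit exports and the process events from the EDR, with the same join logic.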
Ultimately, defending against Black Basta’s use of Teams requires reframing how organizations think about trusted platforms. Collaboration tools are not secure just because they are internal. They are another perimeter, and like any perimeter, they can be probed, impersonated, and breached. The organizations that fare best will be those that treat every unexpected call as a potential intrusion point and build culture, controls, and training around that reality.
This article was researched with the help of AI, with human editors creating the final content.