Attack Description
For some time now there has been an ongoing threat campaign in which the adversaries first bomb a user’s mailbox with spam emails and then pose as Help Desk or IT Support on Microsoft Teams to trick their potential victims into providing access. This social engineering tactic is being attributed to the ransomware group “Black Basta”. [1] [2]

The attack flow is as follows:
- The adversary sets up a new M365 tenant to appear as a legitimate organization.
- The adversary floods the user’s inbox with spam emails benign in nature like newsletter subscriptions.
- The adversary initiates a chat with the user via Teams (typically OneOnOne) posing as Help Desk or IT support personnel and offering assistance regarding the spam email problem.
- The adversary convinces the victim to provide access via RMM tools, either native (Quick Assist) or third party like AnyConnect.
- The adversary uses the remote access to further expand their foothold, disable security controls, gather sensitive files or deploy malware.
Detection Opportunities
The attack chain above offers many hunting and detection opportunities. To name a few:
- Detecting spikes of incoming emails per user, whether classified as spam, phishing or malware.
- Looking for suspicious keywords like “Help Desk” or “Support” in the member’s Display Name.
- Hunting for RMM tools usage in your environment (refer to [3] by Stef Collart).
- Specific IOCs (emails, dropped file names and hashes, domains or IPs contacted, etc.) from previously identified campaigns, although that search is never ending.
For our hunt we are going to focus on the first half of the attack chain and create a query that detects email bombing of a user’s mailbox followed by the creation of a Teams chat with that same user as a participant, within a 3 hour window from the beginning or end of the email bombing attack.
KQL Query
// Set the threshold for identifying a high number of bad emails and the time window for chat creation
let bad_email_threshold = 100;
let chat_creation_time_diff_minutes = 180;
// Filter inbound emails that have threat types or specific email actions applied
EmailEvents
| where EmailDirection == "Inbound"
| where ThreatTypes != "" or EmailActionPolicy != ""
// Summarize the count of bad emails and the time range they were received, grouped by hour and recipient email address
| summarize
    BadEmailCount = count(),
    minTimeGenerated = min(TimeGenerated),
    maxTimeGenerated = max(TimeGenerated),
    Subjects = make_set(Subject, 100),
    SenderFromAddresses = make_set(SenderFromAddress, 100)
    by bin(TimeGenerated, 1h), RecipientEmailAddress
// Filter for recipients with a count of bad emails exceeding the threshold
| where BadEmailCount > bad_email_threshold
// Normalize the recipient email address to lowercase for consistent matching
| extend RecipientEmailAddress = tolower(RecipientEmailAddress)
// Further summarize the data by 3-hour bins to identify potential email bombing incidents
| summarize
    BadEmailCount = sum(BadEmailCount),
    EmailBombingTimeGeneratedStart = min(minTimeGenerated),
    EmailBombingTimeGeneratedEnd = max(maxTimeGenerated),
    Subjects = make_set(Subjects, 100),
    SenderFromAddresses = make_set(SenderFromAddresses, 100)
    by bin(TimeGenerated, 3h), RecipientEmailAddress
// Join with OfficeActivity data to find chat creation events related to the potentially bombed email addresses
| join kind=inner (
    OfficeActivity
    | where RecordType == "MicrosoftTeams"
    | where Operation == "ChatCreated"
    | where CommunicationType == "OneOnOne"
    // Normalize the user ID to lowercase for consistent matching
    | extend UserId = tolower(UserId)
    )
    on $left.RecipientEmailAddress == $right.UserId
// Extract details about the chat participants and the time the chat was created
| extend Member0DisplayName = Members[0].DisplayName
| extend Member0UPN = Members[0].UPN
| extend Member1DisplayName = Members[1].DisplayName
| extend Member1UPN = Members[1].UPN
| extend ChatCreationTimeGenerated = TimeGenerated1
// Calculate the time difference between the chat creation and the start/end of the email bombing period
| extend ChatCreationTimeDifferenceStart = datetime_diff('minute', ChatCreationTimeGenerated, EmailBombingTimeGeneratedStart)
| extend ChatCreationTimeDifferenceEnd = datetime_diff('minute', ChatCreationTimeGenerated, EmailBombingTimeGeneratedEnd)
// Filter chats that were created within the specified time window of the email bombing period
| where (ChatCreationTimeDifferenceStart >= 0 and ChatCreationTimeDifferenceStart <= chat_creation_time_diff_minutes) or (ChatCreationTimeDifferenceEnd >= 0 and ChatCreationTimeDifferenceEnd <= chat_creation_time_diff_minutes)
// Select the relevant fields to display in the final result
| project
    Operation,
    CommunicationType,
    ChatCreationTimeGenerated,
    EmailBombingTimeGeneratedStart,
    EmailBombingTimeGeneratedEnd,
    ChatCreationTimeDifferenceStart,
    ChatCreationTimeDifferenceEnd,
    Member0DisplayName,
    Member0UPN,
    Member1DisplayName,
    Member1UPN,
    RecipientEmailAddress,
    BadEmailCount,
    Subjects,
    SenderFromAddresses,
    UserId,
    ClientIP,
    Members,
    ExtraProperties
The query will return any chat creations that occurred within a 3 hour window of an email bombing attack. In the results you will also be able to see the time difference between the chat creation and the start/end of the attack (ChatCreationTimeDifference<Start|End>), the members of the chat (Member<0|1>DisplayName), how many emails were sent to the user (BadEmailCount), as well as a sample of the Subjects and Senders of the emails classified as bad.
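The second detection opportunity listed above, hunting for Help Desk or Support keywords in chat member display names, can be covered with a companion query over the same OfficeActivity events. The following KQL is an added example and not part of the original post; the keyword list and the contoso.com / contoso.onmicrosoft.com tenant domains are placeholders to replace with your own.

```kql
// Added example: flag newly created one-on-one Teams chats where a participant's
// display name impersonates IT support. Keyword list and tenant domains are placeholders.
let suspicious_keywords = dynamic(["help desk", "helpdesk", "it support", "service desk", "support"]);
let internal_domains = dynamic(["contoso.com", "contoso.onmicrosoft.com"]); // placeholder: your own domains
OfficeActivity
| where RecordType == "MicrosoftTeams"
| where Operation == "ChatCreated"
| where CommunicationType == "OneOnOne"
// One row per chat participant so each display name can be inspected on its own
| mv-expand Member = Members
| extend MemberDisplayName = tostring(Member.DisplayName),
         MemberUPN = tolower(tostring(Member.UPN))
// Keep participants whose display name contains a support-themed term (case-insensitive term match)
| where MemberDisplayName has_any (suspicious_keywords)
// Drop participants from your own tenant; the impersonating persona sits in the adversary's tenant
| extend MemberDomain = tostring(split(MemberUPN, "@")[1])
| where MemberDomain !in (internal_domains)
| project ChatCreationTimeGenerated = TimeGenerated,
          TargetUser = tolower(UserId),
          MemberDisplayName, MemberUPN, MemberDomain, ClientIP, Members
| order by ChatCreationTimeGenerated desc
```

Running this alongside the correlation query above raises confidence: a bombed mailbox followed by a chat from an external “Help Desk” persona is the complete pre-access stage of the attack flow described earlier.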

Prevention
To protect against this specific attack you can disable Teams communication from external users to prevent phishing chat messages [4]. If that is not possible in your environment, you can allowlist specific domains that are permitted to communicate with your organization [5]. Additionally, setting up anti-spam policies will prevent the user’s mailbox from being flooded with spam emails. Finally, ensure that Teams logging is enabled, specifically the “ChatCreated” event, as it is used for detection and investigation purposes [6] [7].
References
[2] https://www.itpro.com/security/cyber-crime/hackers-have-been-posing-as-it-support-on-microsoft-teams
[3] https://blog.nviso.eu/2024/10/21/hunting-for-remote-management-tools-detecting-rmms/
[6] https://learn.microsoft.com/en-us/purview/audit-log-enable-disable?tabs=microsoft-purview-portal
[7] https://learn.microsoft.com/en-us/purview/audit-teams-audit-log-events#turn-on-auditing-in-teams
About the Author

Stamatis Chatzimangou
Stamatis is a member of the Threat Detection Engineering team at NVISO’s CSIRT & SOC and is mainly involved in Use Case research and development.