Stratos Ally

Cybercriminals Exploit Microsoft Teams to Phish Users  


StratosAlly


It starts with a simple message: “Hi, this is IT support; please install this software to fix an issue.” That innocent-looking chat can be a trap. Attackers have begun using Microsoft Teams, posing as help desk agents, to talk employees into installing remote access software on their own machines. It is a crafty and surprisingly effective scheme that exploits the everyday reliance on IT assistance to walk ransomware in through the virtual front door.

Security researchers at ReliaQuest have attributed this technique to Black Basta, a well-known ransomware group known for changing its methods. This time, instead of relying on spam email alone, the attackers use Teams chats to build trust with their targets. Once that trust is established, they ask users to install remote access tools such as AnyDesk or Microsoft Quick Assist, with the goal of taking control of the endpoint and ultimately deploying ransomware.

The attack begins with an email flood: inboxes are hit with a barrage of fake “IT support” emails, sometimes hundreds within minutes, to overwhelm and unsettle the user. With the stage set, the attackers switch to a more personal channel, opening Microsoft Teams chats while posing as help desk staff, often from external Entra ID tenants whose names and display names are crafted to look like official support profiles. The goal is to persuade the user to install a remote access tool such as AnyDesk or, more recently, Microsoft Quick Assist. Once the user installs the tool and accepts the remote session, the attackers have hands-on access to the device, a foothold that opens the door to further intrusion and, ultimately, ransomware deployment.

Imagine receiving a message from an “IT Support” user on Teams asking you to install Quick Assist to fix a supposed issue on your device. It looks like a real support agent, but it is an attacker trying to get onto your system. To make the request more convincing, attackers may also use custom URLs that embed the target company’s name, such as “companyname.qr-s1[.]com” (shown defanged), so the link appears to belong to the organization.

ReliaQuest has found that these attackers often originate from Russia, with activity aligned to the Moscow time zone, and that the spam services used in the email-flooding stage have been advertised on dark web forums at prices ranging from $10 to $500.

To protect against these tactics, experts advise disabling external user communication (federation) in Teams unless it is absolutely necessary. Companies that require external access can instead allowlist only trusted partner domains, so that employees can only be contacted by verified organizations and chat requests from unknown or look-alike tenants are rejected before they reach a user.
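The following is an added example, not code from the Stratos Ally article or from ReliaQuest’s report, showing how both recommendations above are applied with the MicrosoftTeams PowerShell module. It assumes the module is installed, the signed-in account holds a Teams administrator role, and “contoso.com” and “fabrikam.com” are placeholder partner domains. Option A and Option B are alternatives; run whichever matches your policy.

```powershell
# Added example (not from the article or ReliaQuest): lock down Teams external
# access with the MicrosoftTeams PowerShell module. Assumes the module is
# installed and the account has a Teams admin role. contoso.com and
# fabrikam.com are placeholder partner domains, not real recommendations.

Import-Module MicrosoftTeams
Connect-MicrosoftTeams   # interactive sign-in

# 1. Record the current tenant-wide federation settings before changing them.
$before = Get-CsTenantFederationConfiguration
$before | Format-List AllowFederatedUsers, AllowTeamsConsumer,
                      AllowTeamsConsumerInbound, AllowedDomains, BlockedDomains

# The weak (default) state looks like this and is what lets a "Help Desk"
# account in an attacker-controlled Entra ID tenant chat your users directly:
#   AllowFederatedUsers : True
#   AllowedDomains      : AllowAllKnownDomains

# Option A (strictest, the article's first recommendation): turn off external
# chat from other Microsoft 365 tenants entirely, and also block chats from
# personal (consumer) Teams accounts, which are another external entry point.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false `
    -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# Option B (for companies that need external access): keep federation on but
# replace the open allow-all with an explicit allow list. Anything not listed,
# including freshly created look-alike tenants, is rejected before a chat
# request reaches an employee.
$trusted = New-Object System.Collections.Generic.List[string]
$trusted.Add("contoso.com")   # placeholder partner domain
$trusted.Add("fabrikam.com")  # placeholder partner domain
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $trusted `
    -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# 2. Read the configuration back rather than trusting the cmdlet's silent
# return. After Option A, AllowFederatedUsers must be False; after Option B,
# AllowedDomains must list only the vetted domains, not AllowAllKnownDomains.
# Client-side enforcement can take a while to propagate across the tenant.
Get-CsTenantFederationConfiguration |
    Format-List AllowFederatedUsers, AllowTeamsConsumer,
                AllowTeamsConsumerInbound, AllowedDomains, BlockedDomains
```

These settings are tenant-wide. If a subset of users genuinely needs broader external access, keep the tenant default restrictive and grant exceptions with a separate external access policy (`Set-CsExternalAccessPolicy` assigned to those users) rather than reopening federation for everyone.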

This attack is a reminder that staying alert and well-informed is key to staying safe online. When organizations take time to educate employees on new threats, like these fake IT messages, they give them the tools to recognize and avoid scams before it is too late. Awareness training helps employees spot suspicious requests, question unexpected downloads, and ultimately stay a step ahead of hackers. 
