New Email Alert: Hackers Target Microsoft Users With Fatigue Attack

20
Jan 25

Microsoft users are very much in the firing line right now, with new and sneaky 2FA bypass threats, critical Outlook vulnerabilities, high-speed password hacking attacks and warnings for Windows 10 users all making headlines. You could almost call this security warning fatigue, but now hackers are relying on another type of fatigue to steal Microsoft account credentials. Here’s what you need to know about Black Basta’s latest email overload campaign.


How an email flood creates hacking opportunities in the Black Basta attack

A new analysis by Stamatis Chatzimangou, a member of the Threat Detection Engineering team at NVISO’s Computer Security Incident Response Team and Security Operations Center, has revealed how threat actors from the Black Basta hacker group are using spam fatigue tactics to hack Microsoft users.

While it’s not uncommon to see attackers exploit user fatigue, most often in relation to two-factor authentication notifications as well as group communication tools, the Black Basta attack uses both at the same time, apparently to good effect.

The new threat campaign, Chatzimangou said, “involves email bombardment followed by a team chat with the victim, posing as Help Desk or IT support.” It is as ingenious as it is wicked and effective. The attack starts by bombarding the user’s email inbox with spam; in this campaign, newsletter subscription notices appear to have been used. The hackers then impersonate IT support and use Microsoft Teams to start a chat that claims to help with the problem at hand.


Black Basta’s email-flood attack chain

The NVISO analysis explored the attack chain used by the Black Basta hackers and a summary looks like this:

  • Black Basta hackers create a new Microsoft 365 tenant that poses as a legitimate-looking support organization.
  • Black Basta then floods the target’s inbox with spam, always of a benign nature, so as not to arouse too much suspicion. Newsletter subscriptions are said to have been used in this latest attack campaign.
  • A one-on-one chat session is started using Microsoft Teams from that newly created tenant, ostensibly to provide the recipient of the spam with troubleshooting assistance.
  • Here comes the hacking part: the victim is then convinced to provide access to their account using a legitimate remote management tool, which gives the attackers access to the device in question.
  • Black Basta attackers can finally use this remote access to disable security controls, deploy malware, and exploit sensitive information.
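The chain above lends itself to a simple correlation rule: an inbox flood against a user, followed soon after by a one-on-one Teams chat from an outside tenant. The sketch below is an added example, not code from NVISO or the article; the event fields, thresholds, tenant ids and sample events are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds and tenant id; tune to your environment.
FLOOD_COUNT = 20                       # inbound mails to one user ...
FLOOD_WINDOW = timedelta(minutes=10)   # ... within this sliding window
CHAT_WINDOW = timedelta(hours=2)       # external chat this soon after a flood
HOME_TENANT = "tenant-home"            # constructed placeholder

def detect(events):
    """Return (user, flood_time, sender) for every external one-on-one
    Teams chat that reaches a user shortly after an inbox flood."""
    recent_mail = defaultdict(deque)   # user -> timestamps inside the window
    flood_at = {}                      # user -> time the flood was last seen
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        if ev["type"] == "mail":
            win = recent_mail[user]
            win.append(ts)
            while ts - win[0] > FLOOD_WINDOW:   # expire old mails
                win.popleft()
            if len(win) >= FLOOD_COUNT:
                flood_at[user] = ts
        elif ev["type"] == "teams_chat":
            external = ev["sender_tenant"] != HOME_TENANT
            after_flood = user in flood_at and ts - flood_at[user] <= CHAT_WINDOW
            if external and ev["one_on_one"] and after_flood:
                alerts.append((user, flood_at[user], ev["sender"]))
    return alerts

def sample_events():
    """Constructed events: alice is flooded then contacted; bob is not flooded."""
    t0 = datetime(2025, 1, 20, 9, 0)
    chat = {"type": "teams_chat", "one_on_one": True,
            "sender": "helpdesk@support.example", "sender_tenant": "tenant-ext"}
    events = [{"ts": t0 + timedelta(seconds=15 * i), "type": "mail", "user": "alice"}
              for i in range(25)]
    events.append({**chat, "ts": t0 + timedelta(minutes=30), "user": "alice"})
    events.append({**chat, "ts": t0 + timedelta(minutes=31), "user": "bob"})
    events.append({**chat, "ts": t0 + timedelta(minutes=32), "user": "alice",
                   "sender": "colleague@corp.example", "sender_tenant": HOME_TENANT})
    return events

if __name__ == "__main__":
    for user, flood_time, sender in detect(sample_events()):
        print(f"ALERT {user}: flood at {flood_time}, external chat from {sender}")
```

Only the external chat to the flooded user fires; the same external sender contacting an unflooded user, and an internal colleague contacting the flooded user, do not.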


Mitigating email fatigue hacking

“To protect against this specific attack,” Chatzimangou said, “you can disable team communication from external users to prevent phishing chat messages.” Of course, this may not be possible, depending on your work environment. If it is not, Chatzimangou recommended allowing only specific domains to communicate with your organization. “In addition, setting up anti-spam policies will prevent the user’s mailbox from being flooded with spam,” Chatzimangou said.

I have reached out to Microsoft for a statement regarding email fatigue attacks.
