
Detecting Teams Chat Phishing Attacks (Black Basta)

ID: 1c3b5855-b172-5a86-aa3d-766b5a030edd

STIX ID: report--1c3b5855-b172-5a86-aa3d-766b5a030edd

Feed Name: NVISO Labs

Threat Score: 75/100

Date Published: 2025-01-16

Date Updated: 2026-04-28

Author: Stamatis Chatzimangou


This report documents an ongoing Black Basta campaign where attackers first 'email-bomb' targets with benign spam and then impersonate Help Desk/IT via Microsoft Teams OneOnOne chats to persuade victims to grant remote access (native Quick Assist or third-party RMM), enabling lateral movement and ransomware deployment. It includes an illustrative attack flow, a KQL detection query to link email-bombing events to subsequent Teams ChatCreated events within a 3-hour window, detection opportunities, prevention recommendations (restrict external Teams chats, allow-list trusted domains, anti-spam policies), and references.
