HIGHRansomware
Verified
Global

Black Basta Ransomware Pivots to Microsoft Teams Social Engineering

Wednesday, March 18, 2026 at 11:00 AM UTC·Source: Microsoft Threat Intelligence

Updated: Thursday, March 19, 2026 at 08:00 AM UTC

Executive Summary

Black Basta affiliates using Microsoft Teams messages and Quick Assist for initial access, bypassing email security controls entirely.

Analysis

Black Basta affiliates are impersonating IT help desk staff via Microsoft Teams, contacting employees about fake security issues and requesting Quick Assist remote sessions. Once connected, they deploy Cobalt Strike and ransomware payloads. Technique bypasses email-based security controls completely. Over 50 organizations targeted in March.

Timeline

Discovered
Mar 10, 2026
Exploitation Detected
Mar 10, 2026
Published
Mar 18, 2026
Source Attribution

Originally published by Microsoft Threat Intelligence on Mar 18, 2026. Verified by: Microsoft, CISA.

Related Threats

CRITICALRansomware

Cisco fixes critical IMC auth bypass present in many products

Cisco has released patches for a critical vulnerability in its out-of-band management solution, present in many of its servers and appliances. The flaw allows unauthenticated remote attackers to gain admin access to the Cisco Integrated Management Controller (IMC), which gives administrators remote control over servers even when the main OS is shut down. The vulnerability, tracked as CVE-2026-2009

CVE-2026-20093
CSO Online
HIGHRansomware

Akira ransomware group can achieve initial access to data encryption in less than an hour

A new report from Halcyon finds that the group also puts more effort than usual into developing working decryptors, likely to incentivize businesses to pay up. The post Akira ransomware group can achieve initial access to data encryption in less than an hour appeared first on CyberScoop .

CyberScoop
CRITICALRansomware

vSphere and BRICKSTORM Malware: A Defender's Guide

<div class="block-paragraph_advanced"><p>Written by: Stuart Carrera</p> <hr/></div> <div class="block-paragraph_advanced"><h3><span style="vertical-align: baseline;">Introduction</span><strong style="vertical-align: baseline;"> </strong></h3> <p><span style="vertical-align: baseline;">Building on </span><a href="https://cloud.google.com/blog/topics/threat-intelligence/brickstorm-espionage-campaign

CVE-2026-22769
Mandiant