Microsoft Teams Phishing Attack: What Your Business Needs to Know Right Now

Reza

A new cyberattack is making headlines this week - and if your team uses Microsoft Teams, you need to know about it immediately.

Hackers linked to the notorious Black Basta ransomware group have been impersonating IT support staff through Microsoft Teams, tricking employees into granting remote access through Windows Quick Assist. Once inside, they install a stealthy backdoor called A0Backdoor that gives them long-term access to your systems.

According to cybersecurity researchers, this campaign has been active since August 2025 and is still ongoing as of March 2026. The threat group - tracked as Storm-1811, Blitz Brigantine, and STAC5777 - has primarily targeted finance and healthcare organizations, but any business using Microsoft Teams is potentially at risk.

Here's what you need to know, and more importantly, what you need to do about it.

How the Attack Works

This isn't your typical phishing email. The attackers have refined their approach to exploit trust in ways that feel disturbingly legitimate.

Step 1: Email Flooding

It starts with your employee's inbox getting slammed with thousands of spam emails. This creates confusion and panic - exactly what the attackers want.

Step 2: The "Helpful" IT Person

Within minutes of the email flood, someone reaches out via Microsoft Teams claiming to be from IT support. They offer to help fix the "email issue." The message looks professional. The person seems knowledgeable. Your employee, overwhelmed and wanting to get back to work, believes they're talking to a legitimate support technician.

Step 3: Remote Access Request

The fake IT person asks the employee to launch Quick Assist - a built-in Windows tool designed for legitimate remote support. When the employee grants access, the attacker now has full control of their computer.

Step 4: Backdoor Installation

Once inside, the attackers work fast. They install malicious software disguised as legitimate Microsoft applications, including fake versions of Microsoft Teams and a utility called CrossDeviceService. These installers are digitally signed with stolen code-signing certificates, making them look completely authentic to both users and security software.

The payload they drop - A0Backdoor - is designed to stay hidden. It communicates with attackers using DNS tunneling over public resolvers like Cloudflare's 1.1.1.1, avoiding direct connections to attacker-controlled servers that security tools might flag.

Step 5: Long-Term Access

The backdoor collects system details like usernames and computer names, then establishes persistent communication with the attackers. From this point forward, they have a foothold in your network - and they can return anytime.

Who's Behind This?

The campaign is attributed to a threat group with multiple aliases: Storm-1811, Blitz Brigantine, and STAC5777. Security researchers have linked this group to the Black Basta ransomware operation - a financially motivated cybercrime network known for devastating attacks on businesses.

Black Basta typically operates by stealing data, encrypting systems, and demanding ransom payments. Recent data shows that ransomware attacks continue to surge in 2026, with total cybercrime costs expected to surpass $10.5 trillion this year.

What makes this attack particularly concerning is the sophistication. The attackers are using:

  • Stolen code-signing certificates (at least three different certificates dating back to July 2025)
  • DLL sideloading techniques that let malware run under the cover of legitimate Microsoft processes
  • Time-based encryption keys that change every 55 hours, making analysis extremely difficult
  • DNS tunneling to hide malicious traffic in normal-looking network activity
  • Re-registered expired domains instead of fresh ones, bypassing detection tools that flag newly registered domains

This isn't amateur hour. This is organized, well-funded cybercrime.

Real-World Impact

Security researchers have identified multiple victims, including:

  • A Canada-based financial institution
  • A global health organization
  • Multiple other organizations in finance and healthcare sectors

For healthcare organizations, the stakes are especially high. Between 2022 and 2024, the average cost of a data breach in healthcare reached $9.77 million, making the sector a prime target for ransomware groups.

But here's what matters: you don't have to be a Fortune 500 company to be targeted. Small and medium businesses are often easier targets because they typically have fewer security resources and less employee training.

Why This Attack Works

Social engineering attacks like this succeed because they exploit human psychology, not just technical vulnerabilities.

Consider what's happening in the employee's mind:

  1. Their inbox is flooded with thousands of emails - they're frustrated and stressed
  2. Someone reaches out immediately offering to help - they're relieved
  3. The person uses the right terminology and seems knowledgeable - they trust them
  4. Quick Assist is a legitimate Windows tool they may have used before - it seems safe
  5. They want to get back to work - they make a quick decision

Add in the fact that many employees work remotely and rarely see IT staff in person, and it becomes even harder to verify who's legitimate.

The attackers also understand organizational behavior. They know that in most companies, employees aren't trained to verify IT support contacts through alternative channels. They know Quick Assist sessions are often requested legitimately. They know people want to be helpful and cooperative.

What Your Business Should Do Right Now

This isn't a threat you can address next month. Here are the steps you should take immediately:

1. Restrict Quick Assist Usage

Quick Assist should not be freely available to all employees. You have several options:

  • Uninstall it completely if you don't use it for legitimate support
  • Block it via Group Policy or Intune so employees can't launch it without approval
  • Use AppLocker to restrict Quick Assist to specific user groups
  • Configure Windows Firewall to block the Quick Assist executable from accessing the internet

Microsoft documentation provides detailed steps for blocking Quick Assist through various methods. If you're not sure how to implement these controls, your managed IT provider (that's us, if you need a hand) can do it for you.
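The first option above, removing Quick Assist, as an added example that is not from the original post: it uninstalls the Store version of Quick Assist for every profile, stops it being re-provisioned for new users, and reports whether it is still present. It assumes an elevated PowerShell session and uses the package identity Microsoft publishes for the Store app.

```powershell
# Added example (not from the original post). Run as administrator.
# Package identity of the Store version of Quick Assist.
$QuickAssistPackage = 'MicrosoftCorporationII.QuickAssist'

function Test-QuickAssistPresent {
    # Installed in any existing user profile?
    $installed = Get-AppxPackage -Name $QuickAssistPackage -AllUsers -ErrorAction SilentlyContinue
    # Staged so that new user profiles receive it automatically?
    $provisioned = Get-AppxProvisionedPackage -Online |
        Where-Object DisplayName -eq $QuickAssistPackage
    [pscustomobject]@{
        Installed   = [bool]$installed
        Provisioned = [bool]$provisioned
    }
}

function Remove-QuickAssist {
    # Remove the app from every profile on the machine...
    Get-AppxPackage -Name $QuickAssistPackage -AllUsers -ErrorAction SilentlyContinue |
        Remove-AppxPackage -AllUsers
    # ...and remove the provisioned copy so new accounts do not get it back.
    Get-AppxProvisionedPackage -Online |
        Where-Object DisplayName -eq $QuickAssistPackage |
        Remove-AppxProvisionedPackage -Online | Out-Null
}

$before = Test-QuickAssistPresent
if ($before.Installed -or $before.Provisioned) {
    Remove-QuickAssist
}
$after = Test-QuickAssistPresent
"Quick Assist installed: $($after.Installed), provisioned: $($after.Provisioned)"
```

Run Test-QuickAssistPresent on its own from your RMM tool to audit a fleet before deciding whether to remove or merely restrict the app.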

2. Lock Down Microsoft Teams External Access

By default, Microsoft Teams allows communication with users from external organizations. This is the attack vector.

Go to the Teams Admin Center and review your external access settings:

  • Navigate to Users > External access
  • Consider changing from "Allow all external domains" to "Allow only specific external domains"
  • Turn on "Allow my security team to manage blocked domains"
  • Enable domain blocking through the Microsoft Defender Tenant Allow/Block List

You can also use PowerShell to block Teams trial tenants (often abused in attacks):

Set-CsTenantFederationConfiguration -ExternalAccessWithTrialTenants Disabled

The key is to move from an open-by-default posture to a verified-contacts-only approach.
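The "allow only specific external domains" change from the Admin Center steps above, done in PowerShell, as an added example that is not from the original post. It assumes the MicrosoftTeams module and a Teams administrator sign-in; the partner domains are constructed placeholders.

```powershell
# Added example (not from the original post): replace "allow all external
# domains" with an explicit allow list and block chat from personal Teams
# accounts, printing the posture before and after.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Constructed placeholders: replace with the organizations you actually work with.
$ApprovedPartnerDomains = @('partner-example.com', 'vendor-example.net')

function Get-ExternalAccessPosture {
    $cfg = Get-CsTenantFederationConfiguration
    [pscustomobject]@{
        FederationEnabled = $cfg.AllowFederatedUsers
        AllowedDomains    = if ($cfg.AllowedDomains.AllowedDomain) {
                                $cfg.AllowedDomains.AllowedDomain.Domain -join ', '
                            } else { 'all external domains' }
        TrialTenantAccess = $cfg.ExternalAccessWithTrialTenants
        ConsumerTeamsChat = $cfg.AllowTeamsConsumer
    }
}

function Set-ExternalAccessAllowList {
    param([string[]]$Domains)
    # Build the allow list; once applied, every tenant not on it is blocked.
    $patterns  = $Domains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
    $allowList = New-CsEdgeAllowList -AllowedDomain $patterns
    Set-CsTenantFederationConfiguration -AllowedDomains $allowList
    # Personal (consumer) Teams accounts are another unverified channel; block them too.
    Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false
}

Write-Output 'Before:'
Get-ExternalAccessPosture
Set-ExternalAccessAllowList -Domains $ApprovedPartnerDomains
Write-Output 'After:'
Get-ExternalAccessPosture
```

Changes to tenant federation settings can take a while to propagate, so re-run Get-ExternalAccessPosture later rather than trusting the immediate read-back alone.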

3. Train Your Team on This Specific Attack

Generic cybersecurity training isn't enough. Your employees need to know about this attack specifically because it's happening right now.

Hold a quick team meeting or send a company-wide message explaining:

  • IT will never reach out via Teams without prior contact through official channels
  • No legitimate IT person will ask for remote access after an unsolicited message
  • If you get an unexpected Teams message claiming to be from IT, close it and call your actual IT department
  • If your inbox floods with spam, report it to IT immediately but don't accept help from unexpected Teams contacts

Make it clear that questioning a support request isn't rude or uncooperative - it's expected and necessary.

4. Establish Clear IT Support Verification Procedures

Create a simple verification process that employees can follow:

  1. If someone claims to be from IT via Teams, ask for their employee ID or extension
  2. Close the Teams conversation
  3. Call your IT department directly using the number you have on file (not a number provided in the Teams message)
  4. Verify that the request was legitimate before proceeding

Document this procedure and make it easily accessible - pin it in your company chat, add it to your employee handbook, post it on your intranet.

5. Monitor for Suspicious Activity

Your IT team (or MSP) should be watching for:

  • Unexpected MSI installer files in user AppData directories
  • DNS MX queries to public resolvers (especially high-volume queries to 1.1.1.1, 8.8.8.8)
  • Signs of DNS tunneling in network traffic
  • Quick Assist sessions that weren't logged through your official support channels
  • New code-signing certificates appearing on employee workstations

If you're using managed SOC services, your security team should already be monitoring for these indicators. If not, this might be the wake-up call to implement proper security monitoring.
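A triage script for the two DNS indicators in the list above, as an added example that is not from the original post: it flags a workstation sending many MX lookups straight to a public resolver, and query names carrying long, encoded-looking labels, which is how tunnelled data is usually packed into DNS. The log lines are constructed for the example, and the field layout (time,client,resolver,qtype,qname) is an assumption; adapt it to your DNS log source.

```powershell
# Added example (not from the original post). Constructed sample records:
# time,client,resolver,qtype,qname
$SampleDnsLog = @'
2026-03-02T09:14:01,WS-ACCT-07,10.0.0.53,A,login.microsoftonline.com
2026-03-02T09:14:05,WS-ACCT-07,1.1.1.1,MX,a3f9c1e2d4b5a6f7c8d9e0a1b2c3d4e5f6a7b8c9.example-cdn.net
2026-03-02T09:14:06,WS-ACCT-07,1.1.1.1,MX,b7e1d0c9a8f7e6d5c4b3a2f1e0d9c8b7a6f5e4d3.example-cdn.net
2026-03-02T09:14:07,WS-ACCT-07,1.1.1.1,MX,c2d4e6f8a0b2c4d6e8f0a2b4c6d8e0f2a4b6c8d0.example-cdn.net
2026-03-02T09:14:08,WS-ACCT-07,1.1.1.1,MX,d9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0.example-cdn.net
2026-03-02T09:14:09,WS-ACCT-07,1.1.1.1,MX,e1f2a3b4c5d6e7f8a9b0c1d2e3f4a5b6c7d8e9f0.example-cdn.net
2026-03-02T09:15:10,WS-HR-02,10.0.0.53,MX,mail.partner-example.com
2026-03-02T09:15:12,WS-HR-02,10.0.0.53,A,teams.microsoft.com
'@

$PublicResolvers = @('1.1.1.1', '1.0.0.1', '8.8.8.8', '8.8.4.4')
$MxThreshold     = 5    # MX lookups from one client to one public resolver before alerting
$MaxLabelLength  = 30   # hostname labels longer than this are rare in normal traffic

function Get-DnsTunnelingAlerts {
    param([string[]]$Lines)
    $records = foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line.Trim().Split(',')
        [pscustomobject]@{ Client = $f[1]; Resolver = $f[2]; QType = $f[3]; QName = $f[4] }
    }
    $alerts = New-Object System.Collections.Generic.List[object]

    # Indicator 1: MX queries bypassing the internal resolver, in volume
    $mxToPublic = $records | Where-Object { $_.QType -eq 'MX' -and $PublicResolvers -contains $_.Resolver }
    foreach ($g in ($mxToPublic | Group-Object Client, Resolver)) {
        if ($g.Count -ge $MxThreshold) {
            $alerts.Add([pscustomobject]@{ Indicator = 'MX to public resolver'; Source = $g.Name; Count = $g.Count })
        }
    }

    # Indicator 2: a single label long enough to be carrying encoded data
    $longLabel = $records | Where-Object {
        ($_.QName.Split('.') | Measure-Object -Property Length -Maximum).Maximum -gt $MaxLabelLength
    }
    foreach ($g in ($longLabel | Group-Object Client)) {
        $alerts.Add([pscustomobject]@{ Indicator = 'Long query label'; Source = $g.Name; Count = $g.Count })
    }
    return $alerts
}

# On the sample data only WS-ACCT-07 trips both indicators; WS-HR-02's single MX lookup is normal mail traffic.
Get-DnsTunnelingAlerts -Lines ($SampleDnsLog -split '\r?\n') | Format-Table -AutoSize
```

Tune the thresholds against a week of your own baseline before alerting on them; mail servers legitimately issue MX queries, which is why the script keys on the resolver and the volume rather than on the record type alone.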

6. Implement Multi-Factor Authentication Everywhere

If an attacker does get access to a user's workstation, MFA adds another layer of defense. They won't be able to access cloud applications, email, or other systems without that second factor.

This should be mandatory for:

  • Microsoft 365 accounts
  • Email access
  • VPN connections
  • Any line-of-business applications
  • Administrative accounts (especially these)

We've written extensively about security awareness training and why it matters - but MFA is the technical control that backs up human judgment.

7. Review Your Backup and Disaster Recovery Plan

Here's the uncomfortable truth: even with perfect security, determined attackers sometimes succeed. That's why the Black Basta ransomware group is so successful - they're good at what they do.

Your last line of defense is the ability to recover without paying ransom:

  • Do you have offline backups that attackers can't encrypt?
  • Are your backups tested regularly to confirm they actually work?
  • Can you restore operations within hours, not days?
  • Do you have an incident response plan that everyone knows how to execute?

If the answer to any of these is "no" or "I'm not sure," that needs to be fixed before an attack happens, not after.

What If You Think You've Been Compromised?

If an employee already granted Quick Assist access to someone they can't verify:

  1. Disconnect that computer from the network immediately (physically unplug the ethernet cable or disable WiFi)
  2. Change all passwords for that user from a different, known-clean device
  3. Run a full malware scan using your endpoint detection and response solution
  4. Check for persistence mechanisms - the backdoor may have installed itself to start on boot
  5. Review recent file modifications and installations on the compromised machine
  6. Monitor for lateral movement - did the attacker access other systems from that workstation?
  7. Consider bringing in incident response specialists if you find evidence of compromise

Don't try to hide a breach from your IT team or management. Quick response is what limits damage. We've seen businesses lose weeks of data because someone was embarrassed to report that they fell for a scam.

The Bigger Picture: Why These Attacks Keep Working

It's tempting to think "my employees wouldn't fall for that." But that's exactly what every victim organization thought before they were compromised.

These attacks succeed because:

  • Social engineering exploits natural human behavior - the desire to be helpful, the tendency to trust authority figures, the pressure to solve problems quickly
  • Attackers iterate and improve - they test their approaches, refine their messages, and adapt when defenses change
  • Security is inconvenient - verification procedures add friction, and people naturally look for shortcuts
  • Trust is essential for business operations - we can't verify every interaction or we'd never get anything done

The solution isn't to eliminate trust or create an atmosphere of paranoia. It's to build smart, layered defenses that protect people even when they make understandable mistakes.

That's what managed IT services and managed cybersecurity are designed to do. Not to replace human judgment, but to support it with technical controls, monitoring, and rapid response when something goes wrong.

This Won't Be the Last Attack Like This

The Microsoft Teams phishing campaign is making headlines today, but there will be a new attack vector tomorrow. That's the nature of cybersecurity in 2026.

What matters is building an organization that can adapt:

  • Security awareness training that's ongoing, not a once-a-year checkbox exercise
  • Technical controls built on the assumption that attacks will happen, not that they might
  • Incident response capabilities that can contain damage quickly
  • A culture where reporting suspicious activity is encouraged and rewarded, not punished

We work with businesses across Orange County - from car dealerships to medical practices to law firms - and we see the same pattern: organizations that invest in security before an incident fare dramatically better than those who scramble to respond after they're compromised.

Frequently Asked Questions

How can I tell if a Microsoft Teams message is really from my IT department?

Close the Teams conversation and call your IT department directly using a phone number or contact method you already have on file (not one provided in the Teams message). Verify the request was legitimate before granting any remote access or following instructions.

Should we completely disable Microsoft Teams external access?

It depends on your business needs. If you regularly communicate with clients, partners, or vendors via Teams, completely disabling external access may not be practical. Instead, consider moving from "allow all external domains" to "allow only specific external domains" and maintaining an approved list of organizations you work with.

Is Quick Assist the only remote access tool being exploited?

No. Attackers have previously abused legitimate tools like TeamViewer, AnyDesk, and LogMeIn in similar campaigns. The best practice is to restrict all remote access tools to approved use cases and require verification before any remote session is established.

What should employees do if their inbox gets flooded with spam?

Report it to IT immediately, but do not accept help from anyone who reaches out via Teams, email, or phone without first verifying their identity through official channels. Don't click any links or download any attachments from the spam messages.

How do I know if A0Backdoor is already on my network?

Professional security monitoring - either through your in-house IT team or a managed SOC - can detect indicators like unexpected MSI installations, DNS tunneling activity, and suspicious DNS queries to public resolvers. If you don't currently have this level of monitoring, consider implementing it as part of your security strategy.

Need Help Securing Your Business?

If you're concerned about your current security posture or want to make sure your team is protected against attacks like this, we're happy to help.

Burgi Technologies provides comprehensive managed cybersecurity services for businesses throughout Orange County. We can review your Microsoft Teams configuration, implement technical controls, train your team on security awareness, and provide 24/7 monitoring to detect threats before they become breaches.

We're not here to scare you - we're here to help you build a business that can operate safely in 2026's threat landscape. Give us a call at (949) 381-1010 or contact us online to schedule a security assessment.

No high-pressure sales pitch. No long-term contracts you can't get out of. Just straight talk about what your business needs and how to get there.

About Burgi Technologies

Burgi Technologies is an Orange County-based managed service provider specializing in IT security, compliance, and support for small and medium businesses. We maintain 100% client retention because we focus on building long-term partnerships, not churning through customers. Whether you need FTC compliance for car dealerships, HIPAA compliance for medical practices, or just rock-solid IT support, we're here to help.
