Monday, January 20, 2025

 

DIGITAL LIFE


Microsoft logo seen under magnifying glass on a smartphone sitting on top of a keyboard.

New Email Warning—Hackers Target Microsoft Users With Fatigue Attack

Microsoft users are certainly under the security cosh right now, what with new and sneaky 2FA bypass threats, critical Outlook vulnerabilities, high-speed password hacking attacks and warnings for users of Windows 10 all hitting the headlines. You could almost call this security warning fatigue, but now hackers are relying upon another kind of Microsoft fatigue to ensure they can steal your account credentials. Here’s what you need to know about the latest Black Basta email-overload campaign.

How An Email Flood Creates Hacking Opportunity In Black Basta Attack

A new analysis (https://blog.nviso.eu/2025/01/16/detecting-teams-chat-phishing-attacks-black-basta/) from Stamatis Chatzimangou, a member of the Threat Detection Engineering team at NVISO’s Computer Security Incident Response Team and Security Operations Center, has revealed how threat actors from the Black Basta hacking group are employing spam fatigue tactics to hack Microsoft users.

Although it’s not unusual to see attackers exploit user fatigue, most often in connection with two-factor authentication notifications, as well as group communication tools, the Black Basta attack is employing both at the same time to seemingly good effect.

The new threat campaign, Chatzimangou said, “involves email bombing followed by a Teams chat with the victim, posing as Help Desk or IT support.” It’s as ingenious as it is nasty and effective. The attack cleverly employs the tactic of bombing the user’s email inbox with spam emails; in this campaign, it would appear that newsletter subscription notifications are being employed. This is followed by the hackers impersonating IT support and using Microsoft Teams to initiate a chat that claims it will help with the problem at hand.

The Black Basta Email-Flood Attack Chain

The NVISO analysis explored the attack chain used by the Black Basta hackers, and an overview looks as follows:

The Black Basta hackers create a new Microsoft 365 tenant which poses as a legitimate-looking support organization.

Black Basta then floods the target’s inbox with spam, always benign in nature so as not to garner too much suspicion. Newsletter subscriptions are quoted as being used in this latest attack campaign.

A one-on-one chat session, using Microsoft Teams from that newly established tenant, is initiated in order to offer the recipient of this spam assistance in resolving the issue.

Here comes the hacking bit: the victim is then persuaded to provide access to their account using a legitimate remote management tool, which gives the attackers access to the device in question.

The Black Basta attackers can finally use this remote access to disable security controls, deploy malware and exfiltrate sensitive information.
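The chain above can be expressed as a correlation rule: an inbox flood followed shortly by a one-on-one Teams chat from an external tenant that is not on an allow list. The Python below is an added example, not code from NVISO or the original article; the event tuples, thresholds and `.example` domains are constructed assumptions and do not reflect a real Microsoft 365 log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds and names (not from the article); tune to the environment.
FLOOD_COUNT = 30                         # mails that count as a flood...
FLOOD_WINDOW = timedelta(minutes=10)     # ...when received within this window
FOLLOWUP = timedelta(hours=2)            # chat must follow the flood this closely
HOME_DOMAIN = "corp.example"
ALLOWED_EXTERNAL = {"partner.example"}   # external domains allowed to chat
LURES = ("help desk", "helpdesk", "it support")

def flood_times(mails):
    """Map recipient -> times at which FLOOD_COUNT mails fell inside FLOOD_WINDOW."""
    per_user = defaultdict(list)
    for rcpt, ts in sorted(mails, key=lambda m: m[1]):
        per_user[rcpt].append(ts)
    return {rcpt: [s[i] for i in range(FLOOD_COUNT - 1, len(s))
                   if s[i] - s[i - FLOOD_COUNT + 1] <= FLOOD_WINDOW]
            for rcpt, s in per_user.items()}

def detect(mails, chats):
    """Return alerts for one-on-one chats from unapproved tenants after a flood."""
    floods = flood_times(mails)
    alerts = []
    for to, sender, name, one_on_one, when in chats:
        domain = sender.rsplit("@", 1)[-1].lower()
        if not one_on_one or domain == HOME_DOMAIN or domain in ALLOWED_EXTERNAL:
            continue
        if any(timedelta(0) <= when - f <= FOLLOWUP for f in floods.get(to, [])):
            lure = any(w in name.lower() for w in LURES)  # support-themed display name
            alerts.append((to, domain, "high" if lure else "medium"))
    return alerts

# Constructed sample events (not real telemetry).
T0 = datetime(2025, 1, 16, 9, 0)
MAILS = [("alice@corp.example", T0 + timedelta(seconds=12 * i)) for i in range(40)]
MAILS += [("bob@corp.example", T0 + timedelta(minutes=20 * i)) for i in range(5)]
CHATS = [  # (recipient, sender, display name, one-on-one?, time)
    ("alice@corp.example", "admin@support-desk.example", "Help Desk", True, T0 + timedelta(minutes=25)),
    ("alice@corp.example", "pm@partner.example", "Pat", True, T0 + timedelta(minutes=30)),
    ("bob@corp.example", "x@unknown.example", "IT Support", True, T0 + timedelta(minutes=30)),
]

if __name__ == "__main__":
    print(detect(MAILS, CHATS))
```

Only the first chat is flagged: the second comes from an allow-listed domain, and the third reaches a user whose inbox was never flooded.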

Mitigating The Email Fatigue Hack

“To protect against this specific attack,” Chatzimangou said, “you can disable Teams communication from external users to prevent phishing chat messages.” Of course, that might not be possible, depending on your working environment. If this is the case, Chatzimangou recommended only allowing specific domains to communicate with your organization. “Additionally, setting up anti-spam policies will prevent the user’s mailbox from being flooded with spam emails,” Chatzimangou said.

I have approached Microsoft for a statement regarding the email fatigue attacks.

Davey Winder
