Detect Black Basta Ransomware Campaign RMM Tools Deployment
Query
// Detect Black Basta Ransomware Campaign
// Social Engineering Attack via Teams
// https://www.rapid7.com/blog/post/2024/12/04/black-basta-ransomware-campaign-drops-zbot-darkgate-and-custom-malware/
// Exclude Corporate Sharepoint
let CorporateSharepoint = "xxx.sharepoint.com";
CloudAppEvents
| where Application == @"Microsoft Teams"
| where ActionType == @"MessageSent"
| where AccountId contains "@"
| where parse_json(RawEventData)["CommunicationType"] == 'OneOnOne'
| where isnotempty(parse_json(RawEventData)["MessageURLs"])
| where (parse_json(RawEventData)["MessageURLs"]) contains ".sharepoint.com"
// External Teams Tenant sending a sharepoint link to download RMM tools to evade detections
| where (parse_json(RawEventData)["MessageURLs"]) !contains CorporateSharepointExplanation
This query is designed to detect potential social engineering attacks related to the Black Basta ransomware campaign, specifically targeting Microsoft Teams communications. Here's a simplified breakdown of what the query does:
-
Data Source: It analyzes events from Microsoft Teams, focusing on messages sent within the platform.
-
Filter Criteria:
- It looks for messages sent by users with an email address (indicated by the presence of "@" in the AccountId).
- It specifically targets one-on-one communications.
- It checks if the message contains URLs.
-
Suspicious Activity Detection:
- The query identifies messages that include URLs pointing to SharePoint sites.
- It excludes URLs that belong to the corporate SharePoint domain (e.g., "xxx.sharepoint.com") to avoid false positives from legitimate internal communications.
-
Purpose:
- The goal is to detect external Teams tenants sending SharePoint links that might be used to distribute remote monitoring and management (RMM) tools, which could be part of an attempt to evade security detections and facilitate a ransomware attack.
Overall, the query is designed to flag potentially malicious messages in Teams that could be part of a broader ransomware campaign, while excluding legitimate corporate communications.
Details

Steven Lim
Released: December 9, 2024
Tables
CloudAppEvents
Keywords
CloudAppEventsMicrosoftTeamsAccountIdRawEventDataCommunicationTypeMessageURLsSharepoint
Operators
let|where==containsparse_jsonisnotempty!contains