A phishing campaign is targeting senior executives with social engineering attacks conducted over Microsoft Teams, according to researchers at ReliaQuest. The researchers believe former associates of the Black Basta criminal gang are running this operation.
“Black Basta was a prolific Russia-linked ransomware-as-a-service (RaaS) group active from early 2022 until its internal chat logs were leaked in February 2025,” the researchers write. “This campaign, likely conducted by former affiliates, uses an automated, two-pronged social engineering attack: mass email bombing to overwhelm a target’s inbox followed by Microsoft Teams-based help desk impersonation to gain remote access. In some cases, attackers moved from initial chat engagement to executing malicious scripts in as little as 12 minutes.”
The attackers are targeting senior employees to obtain a high level of privilege within the organization as soon as they gain access.
“This campaign's most significant evolution is its focus on targeting senior leadership, a tactic designed to secure high-privilege access from the very start and eliminate the need for noisy, time-consuming post-compromise escalation,” Reliaquest says. “In March 2026, 77% of attacks targeted executives, managers, and directors, up from 59% during January and February 2026. That increase likely reflects a direct refinement to the attackers' automated targeting: During the earlier period, most of the non-senior users targeted held titles such as project manager, a role that superficially resembles management but carries far fewer privileges. The removal of such roles from targeting scripts appears to account for the jump, suggesting threat actors are likely actively iterating on their open-web reconnaissance automation to improve the quality of their target pool.”
Notably, the threat actors are automating their attacks, shrinking the window of opportunity for defenders to detect the breach.
“What distinguishes this campaign is the consistency with which these elements are combined and the speed with which the early engagement phase has been operationalized,” the researchers explain. “Historically, social engineering attacks of this complexity often involved meaningful delay between steps, giving defenders time to detect and intervene. But now, the time between the first sign of an email bomb and an active remote session may be measured in minutes, and this automated playbook is being aimed squarely at an organization’s most privileged users. For defenders, email bomb activity should trigger immediate user notification and heightened scrutiny of any IT support outreach that follows.”
KnowBe4 enables your workforce to make smarter security decisions every day. Over 65,000 organizations worldwide trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
