The group is commonly known to use emails posing as IT help desk staff to offer assistance and then trick employees into giving access by providing credentials or installing remote access tools. Now, they are posing as IT help desk personnel in Microsoft Teams using external user accounts with deceptive names such as “Help Desk”. By adding users to chats with external accounts from fraudulent Entra ID tenants, attackers have posed as support, admin, or help-desk staff, using misleading display names to trick users into believing they are interacting with legitimate help-desk representatives.
This event is a stark reminder of how collaboration tools, while essential to modern workflows, can also expose sensitive data to cyber threats, especially when guest or external users are involved. Leveraging a Cloud Access Security Broker (CASB) solution with advanced Data Loss Prevention (DLP) capabilities can help mitigate these risks by identifying and removing sensitive content in unauthorized interactions, ultimately strengthening enterprise data security against targeted ransomware attacks. Here’s how CASB-driven DLP policies can help identify and remove sensitive content across Microsoft Teams, SharePoint, and OneDrive, creating a safer environment for enterprise collaboration.
Key Skyhigh CASB Capabilities for Microsoft Teams Data Security
With Skyhigh CASB, organizations gain granular control over the sensitive content shared in their Microsoft Teams environment as well as over how it is shared. Security administrators can define Data Loss Prevention (DLP) policies to identify and remove sensitive data shared with unauthorized users. They can also enforce policies around sharing with external users and revoke access for external users as required, so they can mitigate risks associated with malicious actors or inadvertent data sharing.
Skyhigh CASB integrates seamlessly with Microsoft Teams, SharePoint, and OneDrive to monitor and enforce DLP and collaboration controls across all relevant channels including Teams Channels, OneDrive files, and SharePoint sites. Security admins can use Skyhigh to enforce collaboration controls at multiple levels:
Domain-based sharing control
External collaboration, while it poses its risks, can be a valuable productivity tool for working with contractors and partners. Skyhigh customers use domain-based sharing controls to restrict sharing to specific domains that the security team has approved as authorized partners, vendors, or contractors. So, if an employee attempts to invite an external user who is not part of this pre-approved list to a Teams conversation, Skyhigh will revoke this sharing request.
Block sensitive data sharing with an external user in a Teams Channel
Security admins can use Skyhigh’s controls to block sharing of sensitive data with external users. When a user shares sensitive data in a Teams channel that has an external user, Skyhigh detects the presence of sensitive data and also flags that the channel has users from outside the company, and it revokes sharing of this data. The same control can be applied at a user level as well. When an external user is added to a Teams channel that contains sensitive data, then Skyhigh can revoke access for the external user. By allowing security admins to merge collaboration-based and content-based controls in a single policy, Skyhigh gives security teams granular control over collaboration and content sharing on Teams and other Office apps.
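The following sketch shows how a domain allowlist and a content check can be evaluated together in one policy, as the two controls above describe. It is an added example, not Skyhigh's code or API: the event shape, the domain names, and the action strings are all assumptions made for illustration.

```python
import re

# Assumptions: the tenant's own domain and the partner domains approved
# by the security team. All names and sample events here are constructed.
INTERNAL_DOMAIN = "corp.example"
APPROVED_PARTNER_DOMAINS = {"partner.example"}

# Candidate card numbers: 13-19 digits, optionally split by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to cut false positives on arbitrary digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def contains_card_number(text: str) -> bool:
    for match in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", match.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            return True
    return False

def domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()

def evaluate(event: dict) -> list[str]:
    """Return remediation actions for one channel event.

    Collaboration rule: members from domains that are neither internal nor
    approved are revoked. Content rule: a message carrying a card number is
    revoked only when the channel has any external member at all.
    """
    actions = []
    external = [m for m in event["members"] if domain_of(m) != INTERNAL_DOMAIN]
    for member in external:
        if domain_of(member) not in APPROVED_PARTNER_DOMAINS:
            actions.append(f"revoke_member:{member}")
    if external and contains_card_number(event.get("message", "")):
        actions.append("revoke_message")
    return actions
```

Note that an approved partner still triggers the content rule: approval governs who may join a channel, not what data may be shared with them.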
Revoke unauthorized collaboration retroactively
Skyhigh’s controls over content and collaboration are enforced in near-real time, ensuring high levels of data protection for customers. However, Skyhigh also provides customers the option of enforcing these controls retroactively using on-demand scans. This is useful when a new Skyhigh customer wants to ensure their Teams deployment aligns with the company’s security policies. They can execute their content and collaboration policies en masse over all the Teams channels and chats and apply the necessary remediations where policies have been violated. This helps customers ensure complete protection of sensitive data within Teams and other Office apps.
Advanced data protection policies on Teams
When applying content-based controls on data shared via Teams, Skyhigh provides customers with the most comprehensive and granular controls in the industry. Besides the standard out-of-the-box classifications for common data types, Skyhigh gives customers access to advanced data protection controls, including structured and unstructured fingerprinting and OCR capabilities. So, if a customer attempts to exfiltrate customer data in the form of a screenshot, Skyhigh can detect the presence of customer data from an existing structured data fingerprint within an image and block the sharing of this file.
Collaboration Controls across Office applications
The content and collaboration controls have been discussed largely in the context of Microsoft Teams as it was the exfiltration method used by the Black Basta group. But Skyhigh’s collaboration and content controls can be applied across all Office apps, including Microsoft SharePoint, OneDrive, and Exchange. Security teams rarely look to apply controls on only one application. They usually define the controls and extend these across all apps which contain sensitive corporate data. So, Skyhigh has designed the same collaboration controls to apply to unauthorized sharing of data whether it is in a Teams channel, a SharePoint site, a OneDrive file, or an email sent via Microsoft Exchange.
Setting Up DLP Policies for Effective Microsoft Teams Protection
To configure the DLP policies that protect Microsoft Teams environments, administrators can follow these steps:
Define the specific types of sensitive data (e.g., credit card numbers, social security numbers) that require monitoring.
Define rules around collaboration and define authorized external collaborators.
Apply content and collaboration policies across Teams, SharePoint, and OneDrive instances for comprehensive data coverage.
Regularly review and update policies to align with evolving security requirements, new data types, and collaborators.
Strengthen Your Security Posture Against Ransomware Threats
The Black Basta ransomware attack on Microsoft Teams underlines the need for robust data governance and protection in enterprise collaboration tools. With Skyhigh CASB, organizations can confidently manage sensitive information, minimize the risk of exposure to unauthorized users, and stay ahead of evolving cyber threats.
Skyhigh CASB is your trusted partner in protecting data across your Microsoft Teams environment, helping you secure sensitive information from ransomware groups and other malicious actors.