Skip to main content
Reading Time: 3 minutes

Microsoft cybersecurity researchers are now on the hunt for a cybercriminal group using call centers to infect PCs. The group is called BazarCall, and it is using malware called Bazar Loader to deploy ransomware, targeting Microsoft 365 users.

Last month, Palo Alto’s Brad Duncan detailed the chain of events for cyberattacks using the BazarCall Method: “After a client is infected, criminals use this backdoor access to send follow-up malware, scan the environment and exploit other vulnerable hosts on the network.”

The malicious spreadsheet download infects vulnerable Windows machines with BazarLoader malware.

This blog covers what you need to know to identify these phishing attacks before they can wreak havoc, and how to educate your workforce.

Here’s What the BazarCall Method Looks Like

Bazarcall Campaign

The phishing target receives a trial-subscription-themed email, letting them know that their trial ends in 24 hours and the target will be charged with the payment info the user previously provided. If and when the victim calls the number, they are directed to download an Excel file containing a malicious macro.
Alarmingly, the Microsoft Security team also reported that BazarCall is using the Cobalt Strike penetration testing kit to steal credentials, including the Active Directory (AD) database. Cobalt Strike is used for lateral movement on a network after the initial hacking.
AD theft is a huge business liability since the active directory contains an organization’s identity and credentials.

BazarCall is Targeting M365 users.

Microsoft Security has made researching these attacks a priority in large part because BazarCall is targeting M365 users, making it a substantial threat to the business enterprise.

Microsoft published a GitHub page sharing details about the the BazarCall campaign as it’s tracked. The page is frequently updated with details on phishing emails, use of Cobalt Strike for lateral movement, malicious Excel macros, Excel delivery techniques, and use of Windows NT Directory Services, or NTDS, to compromise AD files.

This video shares how this process sounds.

How to Protect Your Workforce

Millions of phishing attacks are underway every week with 40% of company data lost through employees who are unaware or less cautious on certain devices. Educating your workforce can make it more challenging for bad actors to find an entry point.

Here are the basics:

  1. Run an effective company-wide security and compliance training, here’s how.
  2.  Run a simulated phishing campaign to test your workforce.
  3. Keep the dialogue going, sharing active updates on threats like this one.

Some other helpful hints?

While many users are ditching Active Directory (this infographic shows you how) and filling the gaps with more intelligent Microsoft-driven alternatives, assessing your security assessment upfront is mission-critical to every organization. A security assessment helps your organization quickly pinpoint risk factors and act to prevent them from ever becoming issues.

The NIST Cybersecurity Framework has become the industry standard for gauging how integrated cybersecurity risk decisions are factored into big-picture business operations, using four tiers to measure cybersecurity risk: partial, risk-informed, repeatable, and adaptable.

Act now

Let’s talk

MicroAge security experts help you assess your security positioning in under an hour. Read the brochure or connect with our team to learn more.

Run your business smarter with end-to-end expert IT services

©2024 MicroAge. All Rights Reserved. Privacy Policy | Terms and Conditions | Submit Services Request