BazaCall Poses New Threat to Microsoft/Office 365 Users

Another security issue affecting users of the popular Microsoft 365 and Office 365 platforms has appeared in the form of an evolved phishing attack that is proving both effective and efficient at installing malware on user networks and personal computers. It is called BazaCall. This criminal operation first appears as an unsolicited email, and it is often successful because the threat actors direct victims to an actual call center run by the criminals themselves.

Microsoft released a warning about the issue at the end of July, notifying users of investigations the company has been pursuing into BazaCall campaigns, also known as BazarCall in the cybercrime/cybersecurity world. The warning highlighted the severity of BazaLoader malware that can afflict the networks and computers of individuals and organizations alike.

According to Microsoft, “this threat is more dangerous than what’s been discussed publicly in other security blogs and covered by the media,” and the “attacks emanating from the BazaCall threat could move quickly within a network, conduct extensive data exfiltration and credential theft, and distribute ransomware within 48 hours of initial compromise.”

How it Works

This scam is effective because it uses common phishing tactics with a twist: it lures victims into installing malware directly on their systems or devices rather than sneaking malicious code in through some back door technique. The threat actors combine old-school scam techniques with modern social engineering elements for a relatively devastating effect.

The attack begins with an email falsely informing a victim of a looming charge to their credit card or account. These messages appear to come from legitimate businesses stating that a free trial period is about to conclude, and a charge will be made unless further action is taken. The email directs the individual to call a provided telephone number to get things cleared up.

This is the first twist in the phishing line as compared to standard techniques, as there are no links to click or attachments to download in this initial email. Upon calling the phone number, the victim is connected with an actual human handling the incoming calls to a bogus call center. The operator then instructs the caller to download an Excel file that will supposedly allow them to cancel this phony service. Callers are further instructed to bypass security filters within Microsoft 365 to allow the download to take place. The downloaded file contains the BazaLoader malware, and just like that, the malicious program is installed onto an unsuspecting victim’s device.
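The defining trait of the lure described above is that the email offers no link and no attachment; the only action path is a phone number attached to billing or trial-expiry wording. The following added example (not part of the original article and not Microsoft's detection logic) shows how a mail-triage script can score messages on exactly that combination. All three sample messages, their sender names, product names and phone numbers are constructed for the illustration; the weights and the threshold of 5 are assumptions to be tuned against real mail flow.

```python
"""Heuristic triage for 'call this number to cancel a charge' lures.

Added illustration of the BazaCall email pattern; scoring weights, the
threshold and every sample message below are constructed, not real data.
"""
import re
from dataclasses import dataclass, field
from typing import List, Sequence

# Signals. A phone number as the only action path (no link, no attachment)
# is the BazaCall signature; trial/billing and urgency wording add weight.
PHONE_RE = re.compile(r"\(?\b\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}\b")
URL_RE = re.compile(r"https?://\S+|\bwww\.\S+", re.IGNORECASE)
LURE_TERMS = ("free trial", "trial period", "subscription", "charged",
              "billing", "renew", "cancel", "expir")
URGENCY_TERMS = ("today", "within 24 hours", "immediately", "final notice")
PHONE_WEIGHT = 2          # a phone number is offered as the contact path
NO_ACTION_LINK_WEIGHT = 1 # message carries no link and no attachment
PHONE_ONLY_BONUS = 2      # both at once: the call is the only way forward
LURE_CAP = 3              # at most 3 points for billing/trial wording
URGENCY_WEIGHT = 1        # deadline pressure


@dataclass
class Verdict:
    score: int
    reasons: List[str] = field(default_factory=list)


def assess_message(subject: str, body: str, attachments: Sequence[str] = ()) -> Verdict:
    """Return a score and the human-readable reasons behind it."""
    text = f"{subject}\n{body}".lower()
    v = Verdict(0)
    phones = PHONE_RE.findall(body)
    has_link = URL_RE.search(body) is not None
    has_attachment = len(attachments) > 0
    if phones:
        v.score += PHONE_WEIGHT
        v.reasons.append(f"phone number offered as contact path: {phones[0]}")
    if not has_link and not has_attachment:
        v.score += NO_ACTION_LINK_WEIGHT
        v.reasons.append("no link or attachment in message")
        if phones:
            v.score += PHONE_ONLY_BONUS
            v.reasons.append("only action offered is a phone call (BazaCall signature)")
    lure_hits = [t for t in LURE_TERMS if t in text]
    if lure_hits:
        v.score += min(len(lure_hits), LURE_CAP)
        v.reasons.append("billing/trial lure wording: " + ", ".join(lure_hits))
    urgency_hits = [t for t in URGENCY_TERMS if t in text]
    if urgency_hits:
        v.score += URGENCY_WEIGHT
        v.reasons.append("urgency wording: " + ", ".join(urgency_hits))
    return v


def is_bazacall_like(subject: str, body: str, attachments: Sequence[str] = (),
                     threshold: int = 5) -> bool:
    """Flag a message for human review when its score reaches the threshold."""
    return assess_message(subject, body, attachments).score >= threshold


# Constructed sample messages (names, product and numbers are made up).
SAMPLES = {
    "lure": dict(
        subject="Your free trial is ending",
        body=("Dear customer, your free trial of ExampleCo Premium expires today. "
              "Your card will be charged $89.99 unless you cancel. To cancel, "
              "call our billing department at (555) 010-2233."),
        attachments=[],
    ),
    "newsletter": dict(
        subject="October newsletter",
        body=("Read our latest posts at https://example.com/blog. "
              "Call us at (555) 010-9999 for support."),
        attachments=[],
    ),
    "invoice": dict(
        subject="Invoice #4421",
        body="Please find your invoice attached. Payment is due in 30 days.",
        attachments=["invoice.pdf"],
    ),
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        verdict = assess_message(**msg)
        flag = "FLAG" if is_bazacall_like(**msg) else "ok  "
        print(f"{flag} {name:<10} score={verdict.score} reasons={verdict.reasons}")
```

The point of the reasons list is that a reviewer in the mail queue sees why the message was flagged (phone number as the only action path, trial-expiry wording) rather than a bare number, which matches the "know the blueprint" advice later in the article. A plain phone number alone scores 2 here, so a legitimate newsletter with a support line and a link is not flagged.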

Why it Works

This incident offers a useful look at the evolving tactics of cybercriminals as well as the ease with which an average individual can be misled. There are two primary components of this scam that display a creative attempt to establish trust with the intent to deceive. First, a slight twist on common phishing techniques opens the door to deception. The initial email has scam-like qualities that should raise alarm in an informed individual. Most people have seen a similar message appear in their inbox with a bogus link or attachment. Avoiding these links and attachments is often touted as Cybersecurity 101. However, because these BazaCall emails lack a suspect link or attachment and instead direct the recipient towards a phone number, a seed of authenticity is planted.

The next critical element is the human connection when the victim calls the phone number and speaks with a phony representative at a malicious call center. By using actual humans rather than bots, another element of trust is established. In addition, as the victim made the call and did not receive it, they are less likely to find it suspicious and are more susceptible to the threat in question. The social engineering component is critical here because if the victim makes the phone call, they can subconsciously let their guard down even further as they talk to a ‘representative’ who is helping to solve a problem.

Effects of BazaLoader Malware

While the tactics involved in this scam are unscrupulous, they are proving to be effective at their intended goal of installing the BazaLoader malware onto a system or network. Once a system is infected with this malware, a threat actor has multiple means of data theft or ransomware activation. A particularly troubling aspect of the code found in BazaLoader is that it allows the attacker to gain hands-on keyboard control of an infected computer. This manual style of intrusion can be more extensive and difficult to contain than automated attacks.

With hands-on control of a device, a cybercriminal has direct access to the infected system and can cause harm to the entire network that the device may be connected to. This means family members, coworkers, or an employer’s computers can all become compromised. Passwords, personal information, and other important data are easily stolen. Ransomware is another common issue resulting from BazaLoader malware infection, with threat actors typically dropping Ryuk or Conti versions of malicious code to shut down systems and attempt to force a payment.

How to Limit Risk of Infection

Knowledge of the BazaCall scam is a critical step in reducing the risks it poses. If you are an Office 365 user, be aware of emails that fit the blueprint described above. Share this alert with others you know who use the software and may not yet know about the issue. Utilizing data and identity theft restoration services is always recommended as a risk mitigation tactic as well.

Staying informed of the many evolving risks is necessary for effective cybersecurity, and an abundance of caution is paramount. If you have even the slightest suspicion that an email, phone call, or other means of contact is a scam, it very well could be. With threat actors always developing new tactics to prey on victims, it pays to be overly careful rather than eagerly trusting.

LibertyID provides expert, full-service, fully managed identity theft restoration to individuals, couples, extended families* and businesses. LibertyID has a 100% success rate in resolving all forms of identity fraud on behalf of our subscribers.

*LibertyID defines an extended family as: you, your spouse/partner, your parents and parents-in-law, and your children under the age of 25.