Picture this: an executive opens their inbox to a thousand spam emails. Two minutes later, a message lands in Microsoft Teams from someone claiming to be IT and offering to fix it. And 12 minutes after that, a malicious script is executed on their machine. Well, today we're breaking down this attack chain and how organizations can defend against it. Welcome to Shadow Talk, a cybersecurity podcast powered by ReliaQuest, the leader in agentic AI security operations. I'm Alexandra Moore, Threat Intelligence Manager.

And I'm John Dilgent, Threat Intelligence Analyst.

And today we're talking about a playbook that outlived the group that built it and is now running faster than most SOCs can respond. Hi, John. How are you doing today?

I'm doing very good. How about yourself?

Yes, good, good. And I'm excited to talk to you today because you actually co-authored the report that sparked this whole episode. So I'm really interested to hear what pulled you back to this story. You know, Black Basta has been gone for over a year, and I would assume that the conversation around their tactics would have also moved on by now.

Yeah, and really that's what made it worth writing. You know, the group disbanded back in February of 2025, and most people would have expected that playbook to fade with it. Well, instead, the opposite has happened: the volume has spiked again, the targeting has gotten sharper, and the speed of the attack chain has gotten faster.

Yeah, talking about the targeting, that was what really got me when I looked at the report, was this targeting data. And I know that we will discuss it later in the episode, but it's really not spray and pray anymore.

No, it's not. And in fact, in March, 77% of the incidents that we observed at ReliaQuest targeted senior level employees specifically. You know, these weren't random users getting caught in a wide net. The threat actors were deliberately going after the highest privilege identities in the organization.
And I think it's that level of precision at scale which is what's really raising the bigger question for me, right? We've got the threat actors picking off the highest privilege identities across that many organizations, you know, all the different ones that we looked at. And that's not really something that you can do manually or by hand. So it makes me think, what's actually powering this volume?

It's a good question. And, you know, the activity that we've been tracking this year shows clear signs of automation. You know, it has the kind of pacing and consistency that you cannot sustain through manual operator effort. So really, organizations are not just up against a phishing email here, but rather against a process that's been engineered to outrun your defenses.

Yeah, it's fascinating. And I'm really looking forward to digging into all of this in more detail with you throughout the episode. But first, I think we should set the stage for listeners who haven't been following this from the very beginning. You know, walk us through who Black Basta is, how this campaign started and where it stands today.

Yeah, certainly. So back in late 2024, we first saw this campaign. And I'd imagine that many of our listeners know it well, as we've talked about it in great detail. But just for reference, if they're not familiar, the primary kill chain is as follows. Flood a target user's inbox with thousands of spam emails, essentially making it unusable, really something we call an email spam bomb. From there, the threat actor contacts the user via Microsoft Teams, either through a phone call or, more commonly, through a chat message, and they impersonate the help desk trying to fix that email spam issue.
They use that premise to convince the user to join a remote session through tools like Quick Assist or Supremo Remote Desktop and provide the threat actor access to their host, which the threat actor then uses to execute their malicious scripts in the remote session and ultimately move towards data exfiltration and ransomware deployment.

Interesting. And then in, I think it was February 2025, we saw the group disband, right? We saw their internal chat logs were leaked. It was actually a really interesting story at the time. Lots of really fascinating insights into the group's internal dynamics and how they worked. And most people at that point would have expected that to be the end of it.

Yeah, and almost counter to that thinking, right after the group disbanded, we saw that there was a notable spike in the activity in April of 2025. After that, the volume did slow, but still remained consistent. But what's really changed is 2026, and in fact, the campaign is surging again.

You say surging. Like, how significant is the surge? What are we talking about?

Yeah. So to put that into perspective, 56% of the Teams phishing activity that we've observed since Black Basta's decline has occurred in the first few months of 2026 alone.

56%.

And 32% of that is happening in March alone.

So that's not really a gradual trend or a steady uptick, right? That is a massive jump.

Yeah, it definitely is. And really, it comes down to three key things in this campaign that we haven't seen before. The first being a focus on senior leadership. The second being refining of the methods the attackers are using through automation and changing tactics. And then finally, they're getting faster and better at evading detection.

All right. Sounds good. Thank you for the overview. So let's dig into each of those, starting with that deliberate senior level targeting that you spoke about at the start of the episode.
So something that we've mentioned multiple times in recent weeks, I'm always talking about it, is a key finding of our annual threat report: how adversaries are conducting faster attacks by arriving with privileged credentials from the start. And this recent Black Basta style campaign that we're talking about is a really good example of that. So our research found that, as you said, 77% of these Black Basta-esque attacks in March 2026 were actually targeting your executives, managers and directors. And that was actually up from 59% in January and February. And this really matters strategically, I think, because if you land on a senior leader's machine from day one, you can just skip all the noisy parts of an attack, right? The lateral movement, the privilege escalation, things like that. You can go straight to, I don't know, stealing really sensitive data that those senior leaders have access to. And as I said, this isn't just Black Basta or, you know, the latest Black Basta style imitators who are choosing this approach. It is part of a broader trend that we've seen. As I mentioned, this year's annual threat report showed that 47%, so almost half of all the attacks that we analyzed, started with the attacker already holding those highly privileged credentials. And this is, you know, directly feeding into things like the average breakout time dropping by 29% year on year, or the decline that we saw in privilege escalation, a 15% decline there. And those are really important figures in terms of how they actually, you know, sort of translate into or manifest in real life attacks.

Yeah, I completely agree. And they kind of showcase that, you know, this is a campaign that's following the same patterns that we've seen threat actors use in the ATR, but it's really just more deliberate targeting than most.

Yeah, exactly. And talking about targeting, I think it's also really interesting to look at the sectors that were affected in this campaign.
So we saw the manufacturing industry and also professional, scientific and technical services, that's quite a mouthful, each accounted for roughly 25-26% of these Black Basta style attacks in 2026. And I really don't think that that's random.

Yeah, I don't think so either. You know, both of those sectors have large, operationally pressured workforces that are more susceptible to social engineering or those quick links that come in that phishing attempt. And when a user is compromised, specifically a senior leader, the threat of ransomware halting production creates real pressure for those organizations to pay extortions quickly. At the end of the day, those sectors are high leverage targets.

Right. And there's another important angle that I think we should layer on here, the whole sort of historical thread. When Black Basta was active initially, manufacturing was their top targeted sector, you know, according to the posts on their data leak site. So there were more manufacturing victims listed there than any other industry. So if the former affiliates that were part of Black Basta are now behind this latest campaign, which we do think is quite likely, then they're not just sort of reusing the playbook. They're almost going back to the same hunting ground.

Yeah, I think the continuity between the attacks is really striking here. But let's also get into what's driving the precision. Because the jump from 59 to 77 percent in senior targeting doesn't happen by accident. Something changed in how the threat actors were picking their targets.

I think this was a really interesting finding that came out of our research. So to kind of restate, 59 percent of senior employees were targeted in the first two months of 2026 versus 77 percent in March.
And what we found as we kind of broke that data down is that in those first two months, many of the non-senior employees still had "manager" in their title, you know, roles like project manager, but ultimately didn't have the key access that the managers really have. And what this says to me is that the threat actors were likely using automation, a script, to find these employees in their reconnaissance phase. And as they went through these months, they fine tuned that automation to no longer include the project manager roles and instead have a higher percentage of the actual seniors who held that access.

Well, that's really interesting and quite a specific insight, I guess. So I just want to really emphasize that for the listeners. The attackers were reviewing their results. They decided, you know, project manager wasn't delivering what they needed. So they refined and updated their script.

Yeah, that's exactly right. And really, at the scale that they're operating, across multiple organizations, multiple industries, doing that by hand really isn't feasible. So this was an actively managed process.

Brilliant. So we've covered the targeting of senior leadership, and then the automation to refine results you were just talking about. Lastly, let's discuss speed, because some of the numbers in this section are ones that really did stick with me. We saw attacks in this campaign often moving across multiple different users simultaneously, and chats directed at different users were created within minutes of each other. And actually, in one instance, the chats were initiated just 29 seconds apart.

Yeah. And so for any of our listeners who might be doing something else on the side, I'm going to restate: that is 29 seconds.

Yeah, 29 seconds across different users. And I'm thinking this is surely not a single person at a keyboard, right? This is some sort of a script hitting a list, you know.
And then from that first contact to malware deployment on the machine took as little as 12 minutes in some cases. So again, putting that into the context of, you know, the reality that most enterprises are experiencing today: in most organizations, 12 minutes isn't enough time to even escalate a suspicious alert through all the right channels that that organization has in place, let alone to investigate it and respond to it. And by the time someone has flagged it internally, it's already over, you know, and that's by design. It's not incidental that these attacks are happening this quickly. It's fast because the attackers need to get in and carry out their objectives before anyone can act. So here's the question that we have to answer after the break. When the attack is arriving at machine speed and is targeting your high privilege users by design, what should defenses look like? That's where we're going next. So join us after the break.

Shadow Talk is brought to you by ReliaQuest, the global leader in AI cybersecurity. ReliaQuest helps enterprise cybersecurity teams contain threats in minutes with its agentic AI security operations platform, GreyMatter. ReliaQuest makes security possible for the most trusted enterprise brands in the world. Learn more at ReliaQuest.com.

And we're back. So before the break, we walked through what makes this recent campaign so effective: the targeting, the automation and the speed. So now let's get into how you actually defend against it. John, where do you want to start?

So defending against this campaign really means closing the human, the procedural, and the technical gaps that attackers rely on. And this breaks into training users to recognize the tactic chain, hardening help desk verification, and locking down remote access tools. So let's break the first one down, the value of user training. I've said it a thousand times. I'll probably say it a thousand more. You know, user training, targeted user training, is very, very effective.
And we've seen this time and time again with our customer base, where they have targeted user training and it stops this attack chain before it even starts. And really, what we're asking for at the end of the day is to communicate the tactic to the employees. So the email spam bomb, followed by Teams phishing, followed by that request for a remote session. And I think at the end of the day that email spam bomb should be a big red flag for your end users, especially your senior employees, your executives, your directors. They should be made aware of this through that specific training.

Yeah. And just to interrupt for a second, like, the senior employees specifically need to be in that training, right? The data is really clear. We saw 77% of the March incidents targeting this senior leadership. So if your security program is focused on the general population in your company and is carving out executives because they're really busy and you're worried about disrupting business operations, then you're sort of handing the attacker exactly the population that they're aiming at.

Yeah, that's really a great point. So the second one there was hardening help desk gaps. And, you know, we've said it in our ATR and other episodes that organizations struggle to fill those fundamental gaps for help desk, and attackers exploit them consistently. So one of the specific ones we're calling out here is to implement out of band verification methods for employees to confirm the communication is authentic.

Okay. So what does that kind of verification look like exactly? You know, how does it work in reality?

Yeah, so it's going to depend on the organization, but there are a few different methods. I'd say one can be ticket numbers through your internal ticketing software, right?
Your help desk and/or the employee can reference a ticket number that can easily be used to confirm, or direct phone calls that personnel can make to the help desk through an internal help desk number, really just getting out of that direct conversation with the potential threat actor or suspicious user and confirming through an outside, secure channel. Then moving into securing remote access tools, you know, attackers are leveraging these because they're commonly used by organizations, so they look semi-legitimate. And the top two tools that we saw in this campaign were Supremo Remote Desktop, which has often gone unnoticed, and so a lot of organizations likely don't have defenses in place around it, but it became one of the primary tools in this campaign. And then an old favorite was Quick Assist, frequently used in high volume, mostly because it's native on Windows 11. And the attacker doesn't have to convince the user to download software, which would potentially fire a whole other range of defenses. It's already there; they can just give them a hotkey and access it.

And again, I'm interrupting with another practical question here. But how can organizations implement this advice, you know, this recommendation to secure your remote access tools?

Yeah, so there's a few ways. Number one is going to be your application controls that can restrict the type of remote monitoring and management, or RMM, tools that users can download. You can also go a step further and block domains that are associated with those RMM tools. So that way the tools, if downloaded, could not reach out to the domain via web traffic. And I'd also say another control is going to be standardizing on one trusted software for remote access. Ensure it's pre-installed on your hosts and provide employees with a verifiable instruction set for access. So for example, our organization, you know, we might use ScreenConnect. Well, our employees know we use ScreenConnect.
They know how the help desk is going to connect to them. It just removes more variables from the attacker scenario.

Yeah, that's great. I think that's really, really practical advice there. And so I guess the next layer on to that is detection paired with automated response. Because once you're in a situation where initial access can turn into malware deployment in, what we said, 12 minutes, manual investigation alone is just not going to keep pace. So you really need two things working together. First, you're going to need high fidelity detections targeting those key events, the email bombing, the Teams phishing that you mentioned. And ideally you'd want those correlated into a single alert, both because of ease of use, right, not having to go through lots of different alerts, but also because one alert can pull together the patterns and sort of correlate different behaviors and not just look at isolated incidents. And then layering that automated response on top, because fast detection on its own is great, but without immediate action, you're not going to close that 12-minute window.

Yeah, great point. And so my turn to kind of throw it back to you with a practical question, but what does that automated response really look like in practice?

So I think we're talking about things like isolating the host, or blocking the RMM tool's file hash, or blocking its network communication domain. Those are the types of actions that are going to stop the chain before it progresses. And they do need to happen automatically, right? Because waiting for a human to review and to approve each step is exactly the delay that attacks are designed to exploit. So you just cannot overstate the importance of automated response. And I know that we talk about it all the time, but I will continue to, you know, sort of stand on my soapbox and talk about this, because it is really important across the board for all the techniques that we're facing on a daily basis.
And, you know, automated response is containing the threat before it spreads to other hosts. It's buying you the time that you need to investigate and remediate the activity. So, you know, it really is absolutely crucial.

Yeah, it certainly is. And, you know, the reason we probably talk about it so much is because every other week it seems like a threat actor is getting faster in some means. So it's absolutely necessary. I'm going to layer in the final point here that's very similar to the automated response, but it's some kind of automated workflow or a customizable workflow that you can have around your senior leadership. As a reminder, when a privileged account is compromised, every second of unrestricted access really has the potential to multiply the damage here. So you can have some kind of customizable workflow. Let's say an email spam bomb or a non-approved RMM tool is identified based off of those detections Alex was talking about. Then you can have a contact through something like Microsoft Teams or your communication channel directed towards that senior leader to warn them to be on watch for the threat actor. A lot of the education and the things we've seen with our customers is in that communication channel. If the user is on their guard, they will not contact the threat actor. They will not join the remote session. So even just something as small as a high importance ping to that user at the right time can really help stop this attack.

That's really good advice there. I think it's taking my automated response recommendation and just taking it one step further, and thinking about all the other types of workflows and processes that you can automate, as well as just those, you know, very sort of traditional IR containment actions that we think about.

Yeah, I really like that.

So we're almost getting to the end of the episode, John. So I'm going to bring this home with what you can actually do with everything that we just talked about.
So starting on the leadership side, the way that I would reframe things, or get security leaders to think about the situation that we've spoken about today, is to stop thinking about help desk verification as some sort of training initiative and to think about it as a process control instead. And I am aware that that sounds a lot like just semantics, but bear with me. It's not. I think a training program means that you teach people something and you hope that they remember it, right? And then a control means that there's a defined procedure. It's going to apply every time. If someone bypasses it, that's a documented exception. And those are two very different things. So the thing that would actually close this gap here is to have a rule that says any request for remote access to a machine, particularly a senior leader's machine, has to be verified through a channel that is separate from the one that the request came in on. Now, you mentioned this earlier, but just to emphasize: if someone messages you on Teams saying that they're from IT, you don't verify them on Teams. You know, you call the help desk number that you have, or you ask them to reference an internal ticket. Something that exists independently of the conversation that I'm currently having with a person that I can't confirm is who they say they are. The second thing, and this one I know is maybe going to be a little bit tricky politically, but it's the tendency to carve out executives from these tighter controls because it might cause friction. And I get the instinct, right? Nobody wants to be the person who blocked the CEO's laptop from getting fixed. But we saw, you know, 77% of these incidents in March that targeted senior leaders.
So if the people with the most exceptions built around them are the exact people who are being targeted, then you're not really protecting them. You've just sort of made them more accessible. I know it sounds like a bit of a, you know, sort of contradiction there, but that's the situation that we're in. So the morning action for security leaders, something that you can, you know, go away and do this week, is to pull one example, one recent help desk ticket where someone sort of remote accessed, or remoted into, a senior leader's machine, and ask: how did we verify the IT person's identity? And did that verification happen inside the same channel that the request came in through? And if you can't answer that, or if the answer is yes, then that's where you start. That's your gap.

Yeah, some great recommendations there for security leaders. Bringing it home for the practitioners, though, I'd say one of the most actionable things from this episode is going to be to build those automated workflows scoped specifically to your senior level employees. The things we really just mentioned, like an instant Teams message to warn the user after an email spam bomb. After that one, I'd say your second priority should be auditing your RMM tool exposure. Remember, this needs to be a continuous monitoring process, not just a one-time audit and we're done. It needs to happen regularly. And you want to inventory every remote access tool that's present in your environment, outside the ones that are just managed by your IT team. You want to see everything, what's actually installed across our endpoints. Things like Quick Assist, Supremo, TeamViewer. Record any non-approved tools, and then implement those controls we had talked about earlier through your application controls or your domain blocking to ensure that they can't execute.
So your tomorrow morning action for practitioners, when you come in: identify the top tier of your senior accounts, for executives, directors, et cetera, and start scoping what targeted phishing education they have and what customizable workflows can actually be set up around them. I'd say at the end of the day, even a manual playbook that's documented this week is a starting point if you can't fully implement that automation. So the goal here is to really get ahead of, or close, the gap between detection and response to make sure attackers aren't taking advantage of those high privileged accounts.

So the technique that Black Basta built is operating in full force even after the group disbanded. In fact, it's refining its targeting method and adopting new tactics. That's all for this week. Thanks for listening to another episode of Shadow Talk. If you enjoyed this discussion and want to read our full report, it's in the link tree below if you'd like to know more. You can always get in touch with us. We're just an email away at shadowtalk at reliaquest.com. Finally, please don't forget to subscribe so you can get next week's episode delivered direct to your podcast platform of choice. And we'd really appreciate it if you can rate and review Shadow Talk wherever you listen. It will make a huge difference and help us reach new listeners. We'll be back next week with another episode of Shadow Talk. Thank you.