BazaCall: Phony call centers lead to exfiltration and ransomware | Microsoft Security Blog

Our continued investigation into BazaCall campaigns, those that use fraudulent call centers that trick unsuspecting users into downloading the BazaLoader malware, shows that this threat is more dangerous than what’s been discussed publicly in other security blogs and covered by the media. Apart from having backdoor capabilities, the BazaLoader payload from these campaigns also gives a remote attacker hands-on-keyboard control on an affected user’s device, which allows for a fast network compromise. In our observation, attacks emanating from the BazaCall threat could move quickly within a network, conduct extensive data exfiltration and credential theft, and distribute ransomware within 48 hours of the initial compromise.

Microsoft 365 Defender orchestrates protection across domains to deliver coordinated defense. In the case of BazaCall, Microsoft Defender for Endpoint detects malware and attacker behavior resulting from the campaign, and these signals inform Microsoft Defender for Office 365 protections against related emails, even if these emails don’t have the typical malicious artifacts. Microsoft threat analysts who constantly monitor BazaCall campaigns enrich the intelligence on this threat and enhance our ability to protect customers. In this blog post, we discuss how a recent BazaCall campaign attempts to compromise systems and networks through the mentioned human elements and how Microsoft defends against it.