A new backdoor called A0Backdoor has been found in a planned social-engineering campaign that abuses Microsoft Teams and the Windows remote assistance tool Quick Assist. The threat group is tracked under names such as Blitz Brigantine, Storm-1811, and STAC5777, and it is linked to the Black Basta ransomware network. The campaign has been active since at least August 2025 and through the end of February 2026.

The campaign has been targeting professionals in the finance and healthcare fields with an attack chain that keeps evolving. The attack starts by flooding the target's inbox with thousands of spam emails, which leaves the target feeling rushed and confused. The threat group then contacts the victim through Microsoft Teams, posing as IT support staff and offering to help fix the email problem.

Companies should limit the use of Quick Assist in all of their environments and put policies in place that stop people from starting remote access sessions without permission. Employees should be taught to always check the identity of anyone who contacts them for IT support through Microsoft Teams before giving them access or sharing their credentials. Security teams should keep an eye out for MSI packages that show up in user AppData folders, flag outgoing DNS MX queries that go to public resolvers, and watch for DNS tunneling activity on the network.
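The three detections named above, run over constructed sample telemetry (an added example, not code from the original article). The event tuple layout, hostnames, domain, resolver list and thresholds are assumptions to adapt to your own DNS and endpoint logs.

```python
import math
import re
from collections import Counter, defaultdict

# Assumption: a few well-known public resolver addresses; extend for your environment.
PUBLIC_RESOLVERS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "1.0.0.1", "9.9.9.9"}
MSI_IN_APPDATA = re.compile(r"\\Users\\[^\\]+\\AppData\\.*\.msi$", re.IGNORECASE)

def entropy(label):
    """Shannon entropy in bits per character of one DNS label."""
    counts = Counter(label)
    return -sum(n / len(label) * math.log2(n / len(label)) for n in counts.values())

def analyze(dns_events, file_events, min_labels=3):
    """Return a sorted list of (host, finding, detail) tuples."""
    findings = set()
    encoded = defaultdict(set)  # (host, parent domain) -> encoded-looking labels
    for host, resolver, qtype, qname in dns_events:
        if qtype == "MX" and resolver in PUBLIC_RESOLVERS:
            findings.add((host, "mx-to-public-resolver", resolver))
        labels = qname.rstrip(".").lower().split(".")
        # Assumed heuristic: long, high-entropy leftmost label under a parent domain.
        if len(labels) >= 3 and len(labels[0]) >= 20 and entropy(labels[0]) >= 3.5:
            encoded[(host, ".".join(labels[-2:]))].add(labels[0])
    for (host, parent), seen in encoded.items():
        if len(seen) >= min_labels:  # many distinct encoded labels, one parent
            findings.add((host, "possible-dns-tunnel", parent))
    for host, path in file_events:
        if MSI_IN_APPDATA.search(path):
            findings.add((host, "msi-in-appdata", path))
    return sorted(findings)

# Constructed sample telemetry: (host, resolver, qtype, qname) and (host, path).
DNS_EVENTS = [
    ("WS-014", "10.0.0.53", "A", "teams.microsoft.com"),
    ("WS-014", "1.1.1.1", "MX", "k3v9x2mq7b1zt8hd4w0ncy5r.updates.example"),
    ("WS-014", "1.1.1.1", "MX", "p8f2j6sa0lq4me7xu1zb9gtd.updates.example"),
    ("WS-014", "1.1.1.1", "MX", "d5w1r9yc3hn7ko2vb6tx0qej.updates.example"),
    ("MAIL-01", "10.0.0.53", "MX", "example.org"),  # mail server, internal resolver
]
FILE_EVENTS = [
    ("WS-014", r"C:\Users\jdoe\AppData\Roaming\Support\update.msi"),
    ("WS-022", r"C:\Program Files\Vendor\setup.msi"),
]

if __name__ == "__main__":
    for finding in analyze(DNS_EVENTS, FILE_EVENTS):
        print(finding)
```
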

Limiting access to Microsoft Teams from unknown tenants cuts off one of the main ways this threat group gets in touch with people.