Lesson 3.2

Workplace Chat and Social Media

8 minutes

Starting in May 2024, affiliates of the Black Basta ransomware group launched a multi-stage attack against hundreds of organizations. First, they flooded targets with hundreds of spam emails — newsletter signups, mailing list subscriptions, notification confirmations — creating an overwhelming inbox problem. Then, starting in October 2024, operators contacted victims on Microsoft Teams from legitimate external accounts, posing as IT support offering to “fix” the spam problem.

Victims, relieved to get help with the email flood they’d been experiencing, were convinced to install AnyDesk or Quick Assist — granting the attackers remote control of their machines. The result: ransomware deployment. Over 500 organizations were impacted worldwide, prompting a CISA advisory.

The attack didn’t start with a phishing email. It started with a Teams message.


Slack, Teams, and workplace chat

Workplace chat platforms feel safe because they’re “internal.” But that sense of safety is exactly what attackers exploit. These platforms have far fewer security protections than email.

Why workplace chat is vulnerable

  • No spam filters or phishing detection on direct messages — the same message that would be caught by email security sails through on Teams or Slack
  • Microsoft Teams allows external messages by default — anyone with a Microsoft account can message your employees unless your organization has explicitly disabled this
  • Compromised accounts are invisible — if someone’s Slack or Teams account is taken over, messages look completely real because they ARE coming from the real account
  • Bots and apps can be named anything — an attacker can create a bot called “IT Support” or “Security Alert” that looks official
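The "external messages by default" point above is a tenant setting, not a user habit. The following is an added example (not part of this lesson) showing how a Teams administrator would inspect that setting and change it from the permissive default to a restricted posture. It assumes the MicrosoftTeams PowerShell module, Teams administrator rights, and that `Set-CsTenantFederationConfiguration` accepts the `-AllowedDomainsAsAList` parameter; `partner-example.com` is a placeholder domain.

```powershell
# Added example (not from the lesson): review and tighten Teams external access.
# Assumes the MicrosoftTeams PowerShell module and Teams administrator rights.
Connect-MicrosoftTeams

# 1. Inspect the current federation settings. On an untouched tenant these are
#    typically permissive, which is what "allows external messages by default" means.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowedDomains

# 2. Weak posture (shown for comparison, not run): any Microsoft 365 tenant and any
#    personal Microsoft account can start a chat with your users.
#    Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
#        -AllowTeamsConsumer $true -AllowTeamsConsumerInbound $true

# 3. Hardened posture: block personal (consumer) accounts entirely, and restrict
#    business-to-business chat to an explicit allow list of partner tenants.
#    "partner-example.com" is a placeholder; substitute your actual partner domains.
$allowList = New-Object 'System.Collections.Generic.List[string]'
$allowList.Add('partner-example.com')

Set-CsTenantFederationConfiguration `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $allowList

# 4. Re-read the configuration to confirm the change took effect.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound, AllowedDomains
```

With consumer accounts blocked and an allow list in place, the "IT support" message from an arbitrary external Microsoft account described in the opening story never reaches the inbox; users still need the verify-out-of-band habit for partner tenants and compromised internal accounts, which no tenant setting addresses.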

Real-world attacks

The Black Basta campaign wasn’t isolated. Workplace chat attacks are accelerating:

  • Scattered Spider (UNC3944), April 2025: This threat group infiltrated Slack and Teams at major UK retailers — Marks & Spencer, Harrods, and Co-op — causing an estimated GBP 440 million in damages. They used social engineering through internal communication channels to move laterally through the organizations.

  • Storm-2372, since August 2024: A Russian-linked threat group used fake Teams meeting invitations for device code phishing, targeting government agencies, NGOs, and defense contractors across Europe, North America, Africa, and the Middle East. Microsoft published a detailed advisory in February 2025.

  • DarkGate malware, December 2024: A threat actor impersonated a client during a Teams call, persuaded the target to install AnyDesk for “technical support,” and deployed DarkGate malware through the remote access tool.

Common patterns to watch for

  • A compromised coworker’s account DMs you with a link to “rotate your credentials” or “review this shared document”
  • A fake bot or app posts an alert in a channel (a fake “AWS Security Alert” in #engineering, for example)
  • An external contact on Teams makes an urgent request — especially one involving remote access tools
  • Any message asking you to enter your password, install software, or move to a personal channel

What to do

Same principle as always: if something seems off, verify through a different channel. If a Teams message looks suspicious, call the person. Don’t reply to the suspicious message itself — if the account is compromised, you’re talking to the attacker.


LinkedIn and social media

In January 2025, North Korea’s Lazarus Group launched “Operation 99” — a sophisticated campaign targeting Web3 and cryptocurrency developers through LinkedIn. The operation began with fake recruiter profiles posting attractive freelance job offers. Candidates who responded were moved to video interviews on Google Meet, then given coding assignments hosted on GitHub.

When candidates ran the installation commands for their “coding test,” malware was installed instead. The malware stole credentials including cryptocurrency wallet keys, private keys, and production system access. Security researchers have connected this operation to the $1.5 billion Bybit exchange heist — one of the largest cryptocurrency thefts in history.

Why LinkedIn works for attackers

LinkedIn’s design makes it uniquely effective for social engineering:

  • Getting messages from strangers is normal — it’s a networking platform; unsolicited messages are the point
  • People share targeting data freely — job titles, company names, projects, technologies, team structures
  • Recruiter outreach is expected — even welcomed. Nobody is suspicious of a recruiter’s message.
  • “Mutual connections” create false trust — attackers send connection requests to your coworkers first, building a network that looks legitimate before contacting you

LinkedIn was the most impersonated brand globally in Q1 2022, accounting for 52% of all brand phishing attacks, according to Check Point. It dropped for a time but was back at #4 in Q4 2024. Attackers keep returning to LinkedIn because it keeps working.

Common LinkedIn attack patterns

  • Fake recruiter with a dream job linking to a credential-harvesting “application portal”
  • Engagement bait — “I saw your post about X, really insightful” — building rapport over days or weeks before sending a malicious link
  • Compromised real accounts messaging their connections with “check out this article” or “thought you’d find this interesting”
  • Fake coding tests or technical assessments that install malware when the candidate runs the code

How to protect yourself

  • If a recruiter contacts you about a job, ask for the posting on the company’s official careers page. If the job doesn’t exist there, it doesn’t exist.
  • Be skeptical of brand-new profiles with few connections, especially if their work history is vague
  • Verify that the person exists at the company they claim — check the company’s actual website, not just LinkedIn
  • Never download files or run code from LinkedIn DMs without verification
  • Remember: 34% of phishing attacks now come through non-email channels, according to KnowBe4. LinkedIn is one of the biggest.

The Rule: Inside the company network doesn’t mean inside the company.