Storm-1811
A Black Basta ransomware delivery group notable for a uniquely engineered social engineering chain: first flood the target's inbox with legitimate subscription emails (link listing attack), then call posing as IT support to "help" with the spam problem, then convince the user to open Quick Assist and grant remote access. Once inside, the group uses a scripted cURL command to download batch files and malicious payloads — Qakbot, Cobalt Strike, EvilProxy, SystemBC — before using PsExec to deploy Black Basta ransomware across the network. In late May 2024, Storm-1811 added Microsoft Teams as a second vishing channel — sending messages from attacker-controlled external tenants with "Help Desk" display names. Microsoft first documented the campaign in mid-April 2024; Sophos tracked the technique across 55+ attempted attacks through early 2025.
Overview
Storm-1811 is Microsoft Threat Intelligence's tracking designation for a financially motivated cybercriminal group deploying Black Basta ransomware via a distinctive social engineering chain that first emerged in mid-April 2024. The group is also tracked as STAC5777 by Sophos MDR and Cardinal by Symantec's Threat Hunter Team. Black Basta is a closed ransomware offering — not openly marketed as RaaS — distributed by a small number of affiliated actors, making Storm-1811 one of the primary delivery mechanisms for this ransomware family.
The defining signature of Storm-1811 is the email bomb + vishing + Quick Assist chain. Unlike conventional phishing, which waits for a user to click a malicious link, Storm-1811 actively creates the problem it claims to solve: by subscribing the target's email address to hundreds of mailing lists simultaneously, the group floods the inbox and creates a genuine, stressful problem for the victim. The subsequent phone call — impersonating IT support and offering to fix the spam issue — arrives as a timely and credible offer of help. Victims who might normally resist unsolicited IT calls are primed by the real inbox crisis to accept assistance. Once the victim opens Quick Assist and provides a security code, the attacker has full control of the device.
In late May 2024, Microsoft documented a significant channel expansion: Storm-1811 began using Microsoft Teams to send messages and initiate calls from external Microsoft 365 tenants, with display names set to strings containing "Help Desk" surrounded by whitespace characters to mimic internal IT accounts. The Teams channel reached victims who had not responded to phone calls and exploited the trust that employees place in internal-appearing Teams messages. Between November 2024 and January 2025, Sophos documented over 55 attempted attacks using this technique across its customer base.
Storm-1811's email bomb + vishing + Quick Assist playbook has been widely copied since Microsoft's May 2024 public disclosure. Sophos documented a second distinct threat cluster (STAC5143) using the same technique for a different objective, and ReliaQuest documented a March 2025 campaign using the Teams vishing pattern to deliver a novel backdoor using TypeLib COM hijacking — a persistence technique not previously seen in the wild. The attack chain has also been adopted by 3AM ransomware actors and actors linked to the FIN7 / STAC5143 cluster. Storm-1811 itself may be fragmenting following the February 2025 Black Basta internal chat leaks, with affiliates potentially moving to other RaaS providers.
Attack Chain — Email Bomb to Ransomware
The Storm-1811 attack chain is engineered to exploit a human response pattern — creating a problem, then offering the solution. Each phase is designed to make the next step feel natural and necessary to the victim.
Storm-1811 subscribes the target employee's email address to a large number of legitimate email subscription services simultaneously — also called a link listing attack. The target's inbox floods with real, legitimate subscription confirmation and welcome emails from newsletters, notification services, and marketing lists. This creates a real, observable crisis that the victim needs to address. Critically, these emails are not malicious and bypass email security filters easily — they originate from legitimate sending domains with valid SPF and DKIM records. The goal is not to deliver malware via email but to create the psychological precondition for the subsequent phone call. ReliaQuest documented that employees in sales and accounting departments were targeted most frequently, and that Teams phishing attempts were timed predominantly between 12 p.m. and 3 p.m. on weekdays.
Storm-1811 contacts the victim by phone — impersonating Microsoft technical support or the victim organization's own IT helpdesk — and offers to help resolve the spam issue. In the initial April 2024 variant, this was done via direct telephone calls. In late May 2024, Microsoft documented Storm-1811 expanding to Microsoft Teams: attackers operated their own Microsoft 365 tenants (external to the target organization) and set display names to "Help Desk" with whitespace characters — exploiting a default Microsoft Teams configuration that permits external users to initiate chats or calls with internal users. Sophos documented that in 58% of incidents, the sender domain was onmicrosoft[.]com. The victim, already stressed by the inbox flood, receives what appears to be IT support — and the timing makes the offer credible.
During the call, the attacker walks the victim through opening Quick Assist — a legitimate Microsoft remote support tool built into Windows 11. The victim enters a security code provided by the attacker, which allows the attacker to connect to and fully control the victim's device. The victim can share their screen or grant full remote control. "If the target approves this request, the fraudster now has full control of the device." Alternatively, attackers direct victims to install AnyDesk or other remote management tools. Some attacks bypass this step by directing victims to an EvilProxy phishing page to capture credentials instead of — or in addition to — Quick Assist access.
Once remote access is established via Quick Assist, Storm-1811 runs a scripted cURL command to download batch files or ZIP files containing malicious payloads from attacker-controlled infrastructure (documented domains include antispam3[.]com). In the phone-based vishing variant, Qakbot is used to deliver a Cobalt Strike Beacon; ScreenConnect establishes persistence for lateral movement; NetSupport Manager provides additional remote control capability. SystemBC (a proxy RAT) is deployed for C2 and persistence. EvilProxy is used to capture credentials and session tokens via adversary-in-the-middle phishing pages. In some cases, the actors use BITSAdmin to download batch files. OpenSSH tunneling provides an additional persistence mechanism. Batch scripts harvest credentials using PowerShell and exfiltrate them via SCP to the attacker's server. A fake "update" prompt is displayed to trick the user into entering their credentials.
After payload installation and concluding the call, Storm-1811 performs domain enumeration and lateral movement using the established remote access tools. The group uses PsExec to distribute and execute Black Basta ransomware across the network — targeting all reachable endpoints and servers for encryption. In cases where ESXi hosts are accessible, socks.out (SystemBC proxy) is deployed to enable SSH root access, with security features disabled before ransomware execution. Black Basta uses double extortion: data is exfiltrated before encryption, then victims are threatened with public release if ransom is not paid. Black Basta affiliates collected over $100 million from more than 90 victims through November 2023, with confirmed reach across 12 of 16 US critical infrastructure sectors by May 2024.
Target Profile
Storm-1811 targeting is opportunistic across sectors — the social engineering chain works against any organization where employees receive external calls or Teams messages from apparent IT support and have access to Quick Assist or similar remote tools.
- Cross-sector opportunistic targeting: Rapid7 documented the initial 2024 campaign targeting manufacturing, construction, food and beverage, and transportation sectors — a deliberately broad range consistent with opportunistic rather than sector-specific targeting. The email bomb + vishing approach works against any organization regardless of sector, making sector specificity less relevant than target employee accessibility.
- Sales and accounting employees: ReliaQuest documented that employees in sales and accounting departments were the most frequently targeted individuals within victim organizations — likely because these employees regularly interact with external parties, making an IT support call slightly more plausible, and because they have access to financial data and credentials valuable for escalation. The March 2025 variant specifically targeted female executive-level employees or those with female-sounding names in financial and professional services sectors.
- Healthcare sector: CISA's Black Basta joint advisory noted that the ransomware has recently accelerated attacks against the healthcare sector — consistent with Black Basta's broader targeting of organizations where operational disruption creates maximum payment pressure. Health-ISAC issued a specific threat bulletin on Black Basta healthcare targeting.
- North America and Europe primary: Trend Micro documented that since October 2024, North America accounted for 21 breaches and Europe 18 in Black Basta incidents, with the US the hardest-hit single country at 17 organizations affected. The UK and Canada each saw five breaches in the same period.
- Organizations with external Teams communications enabled: The Teams vishing variant specifically exploits organizations that have not restricted external Teams communications — a default Microsoft configuration that allows any external Microsoft 365 tenant to initiate chats or calls with internal users.
Tactics, Techniques & Procedures
Storm-1811's TTP set is defined by the initial social engineering chain — each subsequent step relies on access granted through the preceding step. The depth of tooling deployed post-access is substantial.
| MITRE ID | Technique | Description |
|---|---|---|
| T1583.006 | Email Bombing — Link Listing Attack | Storm-1811 signs target email addresses up to multiple email subscription services simultaneously, flooding inboxes with legitimate subscribed content. Microsoft's term for this is "link listing attack." The subscribed emails are real and legitimate, bypassing all email security controls. The attack's purpose is psychological — creating a real crisis that makes the subsequent vishing call credible and welcome. The timing of the vishing call immediately following the inbox flood is critical to the social engineering success. |
| T1566.004 | Vishing — Phone and Microsoft Teams Impersonation | Initial variant: direct phone calls impersonating IT helpdesk or Microsoft technical support, offering to fix the inbox flood. May 2024 escalation: Microsoft Teams messages and calls from external Microsoft 365 tenants with "Help Desk" display names (surrounded by whitespace to mimic internal accounts). In 58% of documented incidents, sender domain was onmicrosoft[.]com. The Teams channel exploits a default Microsoft configuration that permits external user-initiated chat and calls without explicit restriction. ReliaQuest documented that attacks are timed predominantly between 12 p.m. and 3 p.m. on weekdays — consistent with operating hours that maximize response rates. |
| T1219 | Remote Access via Quick Assist (Legitimate Tool) | Storm-1811 walks the victim through opening Windows Quick Assist — a built-in remote support tool in Windows 11. The victim enters a six-character security code provided by the attacker and grants screen sharing or full remote control. Once control is granted, the attacker operates freely — running scripts, downloading payloads, and installing persistent access tools — while the call continues or has concluded. Quick Assist is legitimate, meaning its network traffic does not trigger security alerts. Microsoft subsequently added warning messages to Quick Assist to notify users of potential tech support scams. |
| T1557 | EvilProxy — Adversary-in-the-Middle Credential Theft | Storm-1811 provides victims with malicious links during Teams sessions that redirect to EvilProxy phishing pages replicating legitimate Microsoft login portals. EvilProxy is an AiTM (adversary-in-the-middle) phishing kit that captures not just credentials but also session cookies and MFA tokens — allowing the attacker to bypass MFA by replaying the captured session. Stolen credentials are used directly or to authenticate to corporate resources from attacker-controlled infrastructure. |
| T1059.001 | cURL-Based Payload Download — Scripted Delivery | Once Quick Assist access is established, the attacker runs a scripted cURL command to download batch files or ZIP files from attacker-controlled infrastructure. Documented download domains include antispam3[.]com — a domain with a name designed to blend with the anti-spam pretext of the call. BITSAdmin is used in some variants as an alternative download mechanism. Batch scripts contain credential harvesting PowerShell commands and SCP exfiltration to the attacker's server. |
| T1021.002 | PsExec — Network-Wide Ransomware Deployment | After domain enumeration and lateral movement via ScreenConnect and NetSupport Manager, Storm-1811 uses PsExec to distribute and execute Black Basta ransomware across all reachable network endpoints. PsExec is a legitimate Sysinternals tool that executes processes on remote systems — legitimate use in enterprise environments makes PsExec-based lateral movement harder to distinguish from normal administrative activity without behavioral baselining. |
| T1090 | SystemBC — Proxy C2 and Persistence | SystemBC is deployed as a post-compromise proxy RAT providing encrypted C2 communications, network tunneling, and persistence in the compromised environment. Documented payload filenames include AntispamConnectUS.exe — a filename designed to match the anti-spam social engineering pretext. SystemBC was observed deployed on ESXi hosts (as socks.out) after attackers disabled the ExecInstalledOnly setting and firewall to allow unsigned binary execution. |
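The T1566.004 row above describes the padded "Help Desk" display names sent from external tenants. As an added detection example (not code from the page or from any vendor it cites), the Python below normalizes a Teams sender's display name by collapsing Unicode whitespace and invisible format characters, then flags external senders whose normalized name carries an IT-support term, and queues heavily padded external names for review. The tenant domains, watch terms, padding threshold and sample messages are constructed assumptions.

```python
import re
import unicodedata
from dataclasses import dataclass

# Assumption: the defending organisation's own tenant domains.
OWN_TENANT_DOMAINS = {"contoso.com", "contoso.onmicrosoft.com"}

# Terms an external sender should not carry in a display name without review.
# "help desk" is the string Storm-1811 used; the others are assumed variants.
IMPERSONATION_TERMS = ("help desk", "helpdesk", "it support", "microsoft support")

def _is_pad(ch: str) -> bool:
    """True for anything that renders blank: whitespace, separators (Z*) and
    invisible format characters (Cf) such as zero-width space."""
    cat = unicodedata.category(ch)
    return ch.isspace() or cat.startswith("Z") or cat == "Cf"

def normalize_display_name(name: str) -> str:
    """Collapse blank/invisible characters to single spaces, trim, casefold.

    Teams renders the raw display name, so padding it can push the "External"
    tag out of view; comparing the normalized form defeats that padding.
    """
    collapsed = "".join(" " if _is_pad(ch) else ch
                        for ch in unicodedata.normalize("NFKC", name))
    return re.sub(r" +", " ", collapsed).strip().casefold()

def padding_length(name: str) -> int:
    """Number of leading plus trailing blank/invisible characters in the raw name."""
    lead = 0
    while lead < len(name) and _is_pad(name[lead]):
        lead += 1
    trail = 0
    while trail < len(name) - lead and _is_pad(name[-1 - trail]):
        trail += 1
    return lead + trail

def is_external(sender_upn: str) -> bool:
    """External if the sender's domain is not one of our own tenant domains."""
    return sender_upn.rsplit("@", 1)[-1].lower() not in OWN_TENANT_DOMAINS

@dataclass
class TeamsMessage:
    """Minimal constructed shape; not the Graph API message schema."""
    sender_upn: str
    display_name: str

def classify(msg: TeamsMessage, pad_threshold: int = 3) -> str:
    """'alert' for an external sender posing as IT support, 'review' for an
    external sender with conspicuous name padding, otherwise 'ok'."""
    if not is_external(msg.sender_upn):
        return "ok"
    norm = normalize_display_name(msg.display_name)
    if any(term in norm for term in IMPERSONATION_TERMS):
        return "alert"
    if padding_length(msg.display_name) >= pad_threshold:
        return "review"
    return "ok"

# Constructed sample traffic (not real observed data).
SAMPLES = [
    TeamsMessage("alice@contoso.com", "Help Desk"),                      # internal
    TeamsMessage("svc@abc123.onmicrosoft.com",
                 "\u00a0\u00a0\u00a0Help\u200bDesk\u00a0\u00a0\u00a0"),  # padded impostor
    TeamsMessage("bob@partner.example", "Bob Jones"),                    # ordinary external
    TeamsMessage("x@rand.onmicrosoft.com", "      Account Team      "),  # padded, no term
]

def classify_samples() -> list:
    return [classify(m) for m in SAMPLES]

if __name__ == "__main__":
    for m, verdict in zip(SAMPLES, classify_samples()):
        print(f"{verdict:6s} {m.sender_upn:30s} {m.display_name!r}")
```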
Known Campaigns
Microsoft Threat Intelligence documented Storm-1811 beginning its Quick Assist social engineering campaign in mid-April 2024. Victims' inboxes were flooded via link listing attacks before phone calls impersonating IT support offered to fix the spam issue. Quick Assist access led to cURL-based download of batch files containing Qakbot, ScreenConnect, NetSupport Manager, and ultimately Cobalt Strike and Black Basta ransomware. Rapid7 documented the campaign targeting manufacturing, construction, food and beverage, and transportation sectors. Batch scripts harvested credentials via PowerShell and exfiltrated them via SCP. In some cases, OpenSSH tunneling provided persistent access. PsExec distributed Black Basta across networks following domain enumeration and lateral movement.
In late May 2024, Microsoft documented Storm-1811 expanding from phone-based vishing to Microsoft Teams as a second contact channel. Attackers operated their own Microsoft 365 tenants — external to target organizations — and sent Teams messages with "Help Desk" display names surrounded by whitespace characters, exploiting the default Teams configuration that permits external user-initiated chats. The Teams variant added EvilProxy for credential capture and SystemBC (as AntispamConnectUS.exe) for C2. Microsoft subsequently suspended identified malicious accounts and tenants and worked on incorporating warning messages in Quick Assist to notify users of potential tech support scams. Sophos documented that 58% of sender domains in Teams phishing incidents were onmicrosoft[.]com.
Sophos MDR tracked two distinct threat clusters (STAC5777, identified as Storm-1811, and the new STAC5143 cluster) using the email bomb + Teams vishing technique in over 15 confirmed incidents with 55+ attempted attacks documented between November 2024 and mid-January 2025. Arctic Wolf documented a surge in social engineering campaign activity beginning December 16, 2024. Trend Micro documented updated tactics including QR codes used to bypass MFA, DarkGate and custom payloads alongside standard SystemBC/Cobalt Strike, and VPN configuration file theft. ESXi host compromise was documented — attackers disabled ExecInstalledOnly and the firewall before executing socks.out (SystemBC) on ESXi hosts. The February 2025 Black Basta internal chat leak — exposing 13 months of communications including a full vishing phone script — revealed that the vishing technique had been in development since fall 2023, when Black Basta began purchasing Microsoft Teams accounts and testing TeamsPhisher (an open-source Teams phishing tool).
ReliaQuest documented a March 2025 campaign following the Storm-1811 Teams vishing pattern to access devices via Quick Assist but pivoting to an entirely new post-access technique: Windows TypeLib COM hijacking — a persistence method not previously observed in real-world attacks. The attacker modified the TypeLib registry entry for an Internet Explorer COM object (still invoked by Explorer.exe at startup despite IE's deprecation) to redirect to a malicious script. Attribution to Storm-1811 specifically could not be confirmed with high confidence, but ReliaQuest assessed the campaign as either an evolution of Storm-1811's techniques or evidence of Black Basta affiliate splintering following the February 2025 chat leaks.
Tools & Malware
Storm-1811 uses a combination of legitimate Microsoft tools, commodity eCrime infrastructure, and RMM tools — the legitimacy of the primary access mechanism (Quick Assist) and the C2 channels (ScreenConnect, NetSupport Manager) is a deliberate operational choice to reduce security alert generation.
- Quick Assist (abused legitimate tool): The primary initial access mechanism. A built-in Windows 11 remote support tool that allows users to share their device with a remote user via a six-character security code. No malware installation required — the attacker controls a legitimate remote session. Microsoft has subsequently added warning banners to Quick Assist to alert users of potential tech support scam abuse.
- EvilProxy (AiTM phishing kit): An adversary-in-the-middle phishing kit that captures credentials and session cookies — including MFA tokens — by proxying authentication traffic between the victim and the legitimate login portal. Used to bypass MFA by replaying captured sessions. Enables attacker credential reuse without requiring plaintext passwords.
- Qakbot: Deployed as a remote access vector after Quick Assist access is established. Used to deliver Cobalt Strike Beacon, providing the attacker a persistent, stealthy post-exploitation platform for lateral movement and pre-ransomware staging. Black Basta has historically relied on Qakbot as a primary access source since the ransomware's 2022 emergence.
- Cobalt Strike: Post-Qakbot payload providing C2, lateral movement capability, and the full Cobalt Strike post-exploitation framework. Used for network enumeration, privilege escalation, and preparing the environment for ransomware deployment.
- SystemBC (AntispamConnectUS.exe): A proxy RAT providing encrypted C2 communications and persistence. Documented filenames include AntispamConnectUS.exe, AntispamAccount.exe, and AntispamUpdate.exe — names designed to match the anti-spam social engineering pretext. Deployed on both Windows endpoints and ESXi hosts in documented campaigns.
- ScreenConnect / NetSupport Manager / AnyDesk: Legitimate remote monitoring and management tools used for persistent access and lateral movement. Blend with legitimate IT administration activity in network monitoring — their widespread enterprise use makes them effective for maintaining access without triggering alerts.
- PsExec: Microsoft Sysinternals tool used to execute Black Basta ransomware remotely on all reachable network endpoints simultaneously. Legitimate enterprise administration tool widely available and expected in corporate environments.
- Black Basta ransomware: The final payload. A closed, double-extortion ransomware — exfiltrates data before encryption, then threatens public release on the Black Basta leak site. CISA and FBI documented over 500 victim organizations across 12 of 16 US critical infrastructure sectors between April 2022 and May 2024. Ransom payments exceeded $100 million through November 2023.
Indicators of Compromise
Mitigation & Defense
Storm-1811's attack chain has multiple intervention points across the email, Teams, Quick Assist, and post-access phases — each provides an independent opportunity to disrupt the chain before ransomware deployment.
- Restrict Microsoft Teams external communications: The single most impactful control for the Teams vishing variant. By default, Microsoft Teams allows any external Microsoft 365 tenant to initiate chats or calls with internal users. Configure Teams to restrict external communications to known, trusted organizations or disable external user-initiated contact entirely. Sophos explicitly recommends this as a primary mitigation: "Organizations should ensure that their Office 365 service provisions restrict Teams calls from outside organizations or restrict that capability to trusted business partners." If external Teams is required, educate employees to check the "External" tag on communications and to verify any IT support contact through a known-good internal channel before acting.
- Block or uninstall Quick Assist if not actively used: Microsoft's own advisory recommends blocking or uninstalling Quick Assist and similar remote monitoring and management tools if they are not in active use by the IT team. If Quick Assist is not part of the organization's official IT support workflow, removing it eliminates the primary access mechanism Storm-1811 relies on. If Quick Assist is needed, establish a clear policy: legitimate IT support will never call you unsolicited and ask you to open Quick Assist — only contact-initiated support (where the employee calls the IT team first) should ever result in Quick Assist sessions.
- Establish known-good IT support contact protocol: Employees must know that legitimate IT helpdesk never calls proactively to resolve email problems — they respond to tickets. Any unsolicited call claiming to be IT support, even if it arrives after an inbox flood that feels real, should be treated as suspicious. Train employees to hang up on the caller and independently verify by calling the IT helpdesk at the official, internal number. This simple protocol disrupts the entire Storm-1811 chain regardless of whether the contact arrives by phone or Teams.
- Email gateway alerting for link listing patterns: Configure email gateway monitoring to alert when a single inbox receives an unusual volume of subscription confirmation emails across multiple senders within a short window. This is a detectable pattern — the subscribed emails arrive in rapid succession from different domains but share the characteristic of being subscription confirmations or welcome emails. An alert on this pattern provides early warning of a link listing attack in progress, allowing security teams to warn the affected employee before the vishing call arrives.
- Block RMM tools not in the approved inventory: Storm-1811 installs ScreenConnect, NetSupport Manager, and AnyDesk as secondary persistent access tools. Maintain an approved inventory of remote management tools and block execution of unapproved RMM software via application control policies. Any installation of a remote management tool that was not initiated by the IT team should trigger an immediate alert.
- Monitor for PsExec network deployment patterns: Alert on PsExec executing processes on a large number of remote hosts within a short window — this is the signature of ransomware network deployment. PsExec has legitimate administrative uses, but mass simultaneous remote execution across many endpoints is not normal IT operations and warrants immediate investigation. EDR platforms with behavioral detection on lateral movement can catch this pattern before ransomware execution completes.
- MFA-resistant credential protection: EvilProxy captures session cookies and MFA tokens alongside credentials, making standard TOTP-based MFA insufficient as a defense against Storm-1811's credential theft. Implementing FIDO2/WebAuthn-based passkeys or hardware security keys eliminates credential phishing entirely — these authentication methods cannot be captured by AiTM proxies because they are cryptographically bound to the legitimate domain. Organizations in Storm-1811's target category should prioritize FIDO2 enrollment for accounts with access to sensitive systems and data.
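The email-gateway alert for link listing patterns and the PsExec mass-deployment alert above are both burst detections: many events for one key, from many distinct sources, inside a short window. The Python below is an added example (not code from the page or any vendor it cites) that implements that sliding-window check once and runs it over constructed mail-gateway lines and constructed service-install records; Event ID 7045 with service name PSEXESVC is the standard trace PsExec leaves on a target host, while the log line layout, thresholds, hostnames and accounts are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed mail-gateway lines; the field layout is an assumption, not a vendor format.
MAIL_LOG = r"""
2025-03-04T13:01:05 to=j.doe@contoso.com from=news.example-a.com subj="Confirm your subscription"
2025-03-04T13:01:09 to=j.doe@contoso.com from=mail.example-b.org subj="Welcome to our newsletter"
2025-03-04T13:01:40 to=j.doe@contoso.com from=list.example-c.net subj="Please verify your email"
2025-03-04T13:02:12 to=j.doe@contoso.com from=hello.example-d.com subj="Welcome aboard!"
2025-03-04T13:02:55 to=m.lee@contoso.com from=news.example-a.com subj="Confirm your subscription"
2025-03-04T13:03:30 to=j.doe@contoso.com from=billing.example-e.com subj="Invoice #4471 attached"
2025-03-04T13:04:01 to=j.doe@contoso.com from=promo.example-f.com subj="Subscription confirmed"
2025-03-04T13:05:17 to=j.doe@contoso.com from=updates.example-g.io subj="Verify your address"
"""

# Constructed service-install records as a collector might flatten them. Event ID 7045
# with service name PSEXESVC is the standard trace PsExec leaves on a target host;
# the hosts and accounts are invented.
SERVICE_LOG = r"""
2025-03-04T21:14:02 host=WS-014 event=7045 service=PSEXESVC account=CONTOSO\svc-admin
2025-03-04T21:14:03 host=WS-027 event=7045 service=PSEXESVC account=CONTOSO\svc-admin
2025-03-04T21:14:03 host=WS-031 event=7045 service=PSEXESVC account=CONTOSO\svc-admin
2025-03-04T21:14:04 host=WS-045 event=7045 service=PSEXESVC account=CONTOSO\svc-admin
2025-03-04T21:14:05 host=WS-052 event=7045 service=PSEXESVC account=CONTOSO\svc-admin
2025-03-04T21:14:09 host=SRV-FILE01 event=7045 service=PSEXESVC account=CONTOSO\svc-admin
2025-03-04T21:15:40 host=WS-099 event=7045 service=PSEXESVC account=CONTOSO\helpdesk-tech
2025-03-04T21:16:00 host=WS-014 event=7045 service=CcmExec account=CONTOSO\svc-sccm
"""

MAIL_RE = re.compile(r'^(\S+) to=(\S+) from=(\S+) subj="([^"]*)"$')
SUBSCRIPTION_RE = re.compile(r"confirm|welcome|verify|subscription|newsletter", re.I)
SVC_RE = re.compile(r"^(\S+) host=(\S+) event=7045 service=(\S+) account=(\S+)$")

def parse_mail_log(text):
    """Yield (timestamp, recipient, sender_domain) for subscription-style mail only."""
    for line in text.strip().splitlines():
        m = MAIL_RE.match(line)
        if m and SUBSCRIPTION_RE.search(m.group(4)):
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)

def parse_service_installs(text, service="PSEXESVC"):
    """Yield (timestamp, installing_account, host) for installs of `service`."""
    for line in text.strip().splitlines():
        m = SVC_RE.match(line)
        if m and m.group(3).upper() == service:
            yield datetime.fromisoformat(m.group(1)), m.group(4), m.group(2)

def burst_alerts(events, window, min_events, min_distinct):
    """Slide a `window` over each key's (timestamp, source) events in time order and
    report keys where some window holds >= min_events events from >= min_distinct
    sources. Returns {key: (events, distinct_sources)} for the largest tripped window."""
    by_key = defaultdict(list)
    for ts, key, source in events:
        by_key[key].append((ts, source))
    alerts = {}
    for key, items in by_key.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            span = items[start:end + 1]
            distinct = len({src for _, src in span})
            if len(span) >= min_events and distinct >= min_distinct:
                alerts[key] = max(alerts.get(key, (0, 0)), (len(span), distinct))
    return alerts

def link_listing_alerts(log=MAIL_LOG):
    """One inbox: 5+ subscription mails from 4+ sender domains inside 10 minutes."""
    return burst_alerts(parse_mail_log(log), timedelta(minutes=10), 5, 4)

def psexec_fanout_alerts(log=SERVICE_LOG):
    """One account: PSEXESVC installed on 5+ distinct hosts inside 5 minutes."""
    return burst_alerts(parse_service_installs(log), timedelta(minutes=5), 5, 5)

if __name__ == "__main__":
    print("link listing:", link_listing_alerts())
    print("psexec fan-out:", psexec_fanout_alerts())
```

The invoice line and the single helpdesk-tech install are left out of the results on purpose: the thresholds, not the parsers, decide what becomes an alert, so tune them to the organisation's own baseline.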
The February 2025 Black Basta chat leaks exposed the internal development timeline of the vishing technique: research began in fall 2023 when the group started purchasing Microsoft Teams accounts and testing TeamsPhisher, and a full vishing phone script was posted internally in May 2024. The leaks also confirmed that Black Basta operators were actively researching how to detect and bypass specific security vendors. The leak occurred due to an internal dispute — consistent with the historical pattern where financially successful cybercrime groups fracture over ransom payment disputes. ReliaQuest assessed that if Black Basta's internal conflicts remain unresolved, affiliates like Storm-1811 are likely to move to other RaaS providers, carrying the email bomb + Teams vishing playbook with them. Defenders should treat this technique as an ecosystem-level pattern rather than Storm-1811-specific — the method has already been adopted by 3AM ransomware actors, STAC5143, and other clusters, and is likely to persist regardless of Black Basta's organizational fate.
Sources & Further Reading
Attribution and references used to build this profile.
- Microsoft Security Blog — Threat Actors Misusing Quick Assist in Social Engineering Attacks Leading to Ransomware (May 2024)
- BleepingComputer — Windows Quick Assist Abused in Black Basta Ransomware Attacks (May 2024)
- Sophos — MDR Tracks Two Ransomware Campaigns Using Email Bombing, Microsoft Teams Vishing (Jan 2025)
- Arctic Wolf — Uptick in Social Engineering Campaign Deploying Black Basta Ransomware (Dec 2024)
- Trend Micro — Black Basta and Cactus Ransomware Groups Add BackConnect Malware to Their Arsenal (Feb 2025)
- ReliaQuest — What's Trending: Top Cyber Attacker Techniques, December 2024–February 2025
- Dark Reading — Windows Quick Assist Anchors Black Basta Ransomware Gambit (May 2024)