Former Black Basta Members Use Microsoft Teams and Python Scripts in 2025 Attacks Analysis Report

5W1H Analysis

Who

Former affiliates of the cybercriminal group Black Basta and their targets in the finance, insurance, and construction sectors are the key stakeholders involved.

What

The former members of Black Basta have launched cyberattacks using Microsoft Teams phishing, Python scripts, and cURL to penetrate the defences of targeted sectors.

When

The attacks were reported in June 2025.

Where

The affected sectors encompass organisations in North America and potentially other global markets closely linked to finance, insurance, and construction industries.

Why

The primary motivation behind these attacks is financial gain through ransomware, leveraging phishing to access sensitive corporate environments.

How

The perpetrators use spear-phishing campaigns via Microsoft Teams, a widely used communications platform, coupled with Python scripts and cURL (a command line tool to transfer data with URLs) to execute the attacks and extract data or deploy ransomware.

News Summary

Former affiliates of the notorious cybercriminal group Black Basta have resurfaced with a wave of sophisticated cyberattacks. They are using Microsoft Teams for phishing, alongside Python scripting and cURL, targeting the finance, insurance, and construction sectors. The attacks, reported in June 2025, highlight ongoing vulnerabilities in corporate cyber defences, driven by financial motivations.

6-Month Context Analysis

Over the past six months, the cyber threat landscape has seen a marked increase in ransomware and phishing tactics, particularly against sectors with lucrative data like finance and insurance. The resurgence of tactics involving legitimate communications platforms like Microsoft Teams has been observed as a trend to bypass conventional email-based security measures. This news fits into a broader pattern of escalating cyber threats leveraging new technologies for old tactics.

Future Trend Analysis

The use of legitimate communication platforms for phishing indicates a shift in cyberattack strategies towards less expected vectors. Adoption of such tactics is expected to increase as attackers exploit the inherent trust users place in these platforms.

12-Month Outlook

Cybercriminals are likely to refine these techniques further, potentially targeting more industries or expanding globally. Security measures will need to adapt, focusing more on user training and behaviour analysis rather than solely on technological defences.

Key Indicators to Monitor

- Increased incidents of phishing via non-email platforms.
- Changes in security protocols by major communication platform providers.
- Evolution and adaptation in ransomware deployment tactics.

Scenario Analysis

Best Case Scenario

Organisations rapidly enhance their cybersecurity education and infrastructure, significantly mitigating the impact of phishing attacks through increased vigilance and improved security protocols.

Most Likely Scenario

Similar attacks increase steadily while sectors gradually improve their defence mechanisms. The cat-and-mouse dynamic between attackers and cybersecurity experts continues.

Worst Case Scenario

A significant breach occurs causing substantial financial and reputational damage, leading to increased regulatory scrutiny and potential legislative responses.

Strategic Implications

Organisations must enhance worker education on cybersecurity threats and invest in more sophisticated, behaviour-based security solutions. Cross-sector collaborations could establish new standards in protecting digital communication channels.

Key Takeaways

  • The re-emergence of former Black Basta affiliates underscores the need for vigilance in adapting to new phishing methods.
  • Investment in employee training on cyber awareness should be a priority to counteract new attack vectors via platforms like Microsoft Teams.
  • Ransomware mechanisms are evolving with scripting tools like Python and cURL, presenting ongoing challenges.
  • Organisations in finance, insurance, and construction sectors should conduct in-depth security audits and penetration testing.
  • Monitoring and updating security protocols regularly can help stay ahead of evolving cyber threats.

Source: Former Black Basta Members Use Microsoft Teams and Python Scripts in 2025 Attacks