Officials from Microsoft Security Intelligence said in a Twitter thread that they are tracking an active BazaCall malware campaign that leads to ransomware deployment.
The BazaCall campaign sends out emails instructing recipients to call a phone number to cancel a fake service membership. When victims dial the number, they are connected to a bogus call center run by the attackers, who instruct them to visit a website and download an Excel file to terminate the subscription. A malicious macro in that file downloads the payload.
Microsoft identified attackers using Cobalt Strike in this attack and reports that they stole credentials — including the Active Directory database — and used rclone to exfiltrate data.
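The two host-side behaviours described above, an Office application spawning a child process after a macro runs and rclone being executed to move data out, are both visible in process-creation telemetry. The following is an added example, not code from Microsoft or from the Dark Reading article, showing a minimal detection pass over constructed Sysmon-style events; the field names (`parent_image`, `image`, `cmdline`) and every sample value are assumptions made for illustration.

```python
"""Toy detection pass over constructed Windows process-creation events.

Two heuristics matching the behaviours described in the BazaCall write-up:
  1. An Office application (e.g. Excel) spawning a script host or LOLBin,
     which is what a macro-driven payload download typically looks like.
  2. Any execution of rclone, a legitimate sync tool also used for exfiltration.
Log format, field names and values are constructed for this example (not real telemetry).
"""
import json
from typing import Dict, List

OFFICE_APPS = {"excel.exe", "winword.exe", "powerpnt.exe", "outlook.exe"}
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe",
}
EXFIL_TOOLS = {"rclone.exe"}

# Constructed sample events, one JSON object per line. Only event 1 and event 4
# should trigger; events 2, 3 and 5 are ordinary activity included as negatives.
SAMPLE_LOG = r"""
{"ts": "2021-07-29T10:01:00Z", "host": "WS01", "user": "jdoe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c <constructed downloader command>"}
{"ts": "2021-07-29T10:00:30Z", "host": "WS01", "user": "jdoe", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "cmdline": "EXCEL.EXE C:\\Users\\jdoe\\Downloads\\cancel.xlsm"}
{"ts": "2021-07-29T10:02:00Z", "host": "WS01", "user": "jdoe", "parent_image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE", "image": "C:\\Windows\\splwow64.exe", "cmdline": "splwow64.exe 12288"}
{"ts": "2021-07-29T11:40:00Z", "host": "WS01", "user": "jdoe", "parent_image": "C:\\Windows\\System32\\cmd.exe", "image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe", "cmdline": "rclone.exe copy C:\\Users\\jdoe\\Documents remote:backup"}
{"ts": "2021-07-29T11:41:00Z", "host": "WS01", "user": "jdoe", "parent_image": "C:\\Windows\\explorer.exe", "image": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "cmdline": "chrome.exe"}
"""


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_log(text: str) -> List[Dict]:
    """Parse one JSON event per non-empty line; lines that are not valid JSON are skipped."""
    events: List[Dict] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def detect(events: List[Dict]) -> List[Dict]:
    """Apply both heuristics to every event and return one finding per rule hit."""
    findings: List[Dict] = []
    for ev in events:
        parent = basename(ev.get("parent_image", ""))
        child = basename(ev.get("image", ""))
        if parent in OFFICE_APPS and child in SUSPICIOUS_CHILDREN:
            findings.append({
                "rule": "office_spawned_child",
                "ts": ev.get("ts"), "host": ev.get("host"), "user": ev.get("user"),
                "detail": f"{parent} -> {child}: {ev.get('cmdline', '')}",
            })
        if child in EXFIL_TOOLS:
            findings.append({
                "rule": "exfil_tool_execution",
                "ts": ev.get("ts"), "host": ev.get("host"), "user": ev.get("user"),
                "detail": f"{parent} -> {child}: {ev.get('cmdline', '')}",
            })
    return findings


def summarize(findings: List[Dict]) -> Dict[str, int]:
    """Count findings per rule, useful for a quick triage view."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f["rule"]] = counts.get(f["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = detect(parse_log(SAMPLE_LOG))
    for hit in hits:
        print(hit)
    print(summarize(hits))
```

The parent/child rule deliberately ignores the command line, since the child process alone (a shell or script host under Excel) is the signal that survives obfuscated macro code; the rclone rule keys on the image name, so a renamed binary would need a hash- or signature-based rule in a real deployment.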
To Read More: darkreading