Bit-Wizards is advising organizations to be on alert for a fast-moving social engineering campaign that uses email bombing (inbox flooding to hide attacks) and Microsoft Teams impersonation to gain remote access to employee devices, sometimes in minutes, putting businesses at risk for operational disruption, data theft, and ransomware-driven downtime.

According to recent threat reporting from ReliaQuest, attackers assessed to be former Black Basta affiliates (cybercriminals suspected of the Ascension Florida facilities attack) are evolving familiar tactics into a highly repeatable, increasingly automated playbook.

ReliaQuest reported that 77% of observed incidents in March 2026 targeted senior leadership, up from 59% in January and February, and that in some cases attackers moved from initial contact to executing malicious scripts in as little as 12 minutes.

Who is most vulnerable

The highest risk is concentrated among:

  • Senior leaders (executives, managers, directors) who often have broad access and authority, and are frequently targeted
  • Organizations using Microsoft 365 and Teams, especially those with distributed workforces and high volumes of support requests
  • Manufacturing and professional, scientific, and technical services (PSTS) environments, where operational disruption can create pressure to act quickly
  • Companies without strict remote access controls, including environments where tools like remote monitoring and management (RMM) software or native utilities such as Quick Assist can be launched without tight restrictions

This is a speed-based attack chain that relies on human trust, not sophisticated malware. If your team is not prepared to verify support requests out of band and control which remote access tools can run, attackers can turn a moment of confusion into hands-on access very quickly.
Brian Schlechter, Director of IT

How Bit-Wizards helps prevent these attacks

Bit-Wizards emphasized that stopping these incidents requires both technical controls and clear procedures. That’s where its Managed IT Services can reduce risk by helping organizations:

  • Implement strict, multi-channel verification for any help desk request involving remote access (for example, a callback to a known internal number or a separate approval workflow)
  • Lock down remote access tools with allow-listing and policy-based controls so only approved tools, used only by authorized personnel, can run
  • Harden Microsoft 365 and Teams settings, including controls to reduce exposure to external messaging and impersonation attempts
  • Improve endpoint security and monitoring to detect unusual remote sessions, suspicious downloads, and rapid “inbox-to-remote-access” behavior patterns
  • Train high-value targets with realistic, role-specific simulations for executives and leadership teams so they know what legitimate support should look like under pressure

Bit-Wizards noted that organizations should treat an email bomb as an early warning signal and immediately increase scrutiny of any follow-up “IT support” outreach, especially requests that create urgency or attempt to bypass normal verification steps.

For businesses that want help assessing risk, tightening help desk procedures, or strengthening Microsoft 365 security and remote access controls, get in touch.