Microsoft warns of dangerous ‘BazaCall’ call centre ransomware scam
Human operators are tricking victims into manually downloading malware onto their systems


Ransomware operators are spreading BazaCall malware by tricking people into phoning fraudulent call centres and speaking with real humans, who provide step-by-step instructions on how to download a payload.
Attacks from BazaCall operators can move rapidly within a network, with hackers able to conduct extensive data exfiltration and credential theft, Microsoft has warned. They can even distribute ransomware within 48 hours of the initial compromise.
Apart from having backdoor capabilities, the BazaLoader payload also gives a remote attacker hands-on keyboard control for an affected user’s device.
“Our continued investigation into BazaCall campaigns, those that use fraudulent call [centres] that trick unsuspecting users into downloading the BazaLoader malware, shows that this threat is more dangerous than what’s been discussed publicly in other security blogs and covered by the media,” said the Microsoft 365 Defender Threat Intelligence Team.
“BazaCall campaigns forgo malicious links or attachments in email messages in [favour] of phone numbers that recipients are misled into calling. It’s a technique reminiscent of vishing and tech support scams where potential victims are being cold-called by the attacker, except in BazaCall’s case, targeted users must dial the number.”
When users are tricked into calling the number, they’re connected with actual humans on the other end of the line, who provide detailed guidance for installing malware on their devices.
The campaign relies on direct phone communication, as well as sophisticated social engineering tactics to succeed, but the tactic is proving difficult to prevent given the lack of obvious malicious techniques.
Get the ITPro daily newsletter
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
It starts with an email that uses various social engineering lures to trick victims into calling a number. This might include informing users about a trial that’s about to expire and that their card is set to be charged, asking them to phone the number provided in case they have any concerns. There are no attachments, links, or any other type of malicious call to action that would be spotted by a security filter.
Each message is sent from a different sender, normally through a free email service and compromised email addresses, with lures including fake business names that are similar to real companies.
Victims who do call the number will speak to a real person from a fraudulent call centre, whose aim is to direct the caller to visit a malicious website, disguised as a legitimate one. They’re asked to navigate to a page and download a file to cancel their subscription.
RELATED RESOURCE
These files are macro-enabled Excel documents, which might be flagged by Microsoft Defender SmartScreen, although Microsoft has observed users bypassing these warnings to download the files anyway, likely at the instruction of the hacker. Users are then prompted to enable editing, and enable macros, which triggers the BazaLoader malware to be delivered.
“The BazaCall campaign replaces links and attachments with phone numbers in the emails it sends out, posing challenges in detection, especially by traditional antispam and anti-phishing solutions that check for those malicious indicators,” the research team added.
“The lack of typical malicious elements in BazaCall’s emails and the speed with which their operators can conduct an attack exemplify the increasingly complex and evasive threats that [organisations] face today.”

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.
-
M&S suspends online sales as 'cyber incident' continues
News Marks & Spencer (M&S) has informed customers that all online and app sales have been suspended as the high street retailer battles a ‘cyber incident’.
By Ross Kelly
-
Manners cost nothing, unless you’re using ChatGPT
Opinion Polite users are costing OpenAI millions of dollars each year – but Ps and Qs are a small dent in what ChatGPT could cost the planet
By Ross Kelly
-
Ransomware attacks are rising — but quiet payouts could mean there's more than actually reported
News Ransomware attacks continue to climb, but they may be even higher than official figures show as companies choose to quietly pay to make such incidents go away.
By Nicole Kobie
-
Hackers are using Zoom’s remote control feature to infect devices with malware
News Security experts have issued an alert over a new social engineering campaign using Zoom’s remote control features to take over victim devices.
By Ross Kelly
-
State-sponsored cyber groups are flocking to the 'ClickFix' social engineering technique
News State-sponsored hackers from North Korea, Iran, and Russia are exploiting the ‘ClickFix’ social engineering technique for the first time – and to great success.
By Emma Woollacott
-
Cleo attack victim list grows as Hertz confirms customer data stolen – and security experts say it won't be the last
News Hertz has confirmed it suffered a data breach as a result of the Cleo zero-day vulnerability in late 2024, with the car rental giant warning that customer data was stolen.
By Ross Kelly
-
‘Phishing kits are a force multiplier': Cheap cyber crime kits can be bought on the dark web for less than $25 – and experts warn it’s lowering the barrier of entry for amateur hackers
News Research from NordVPN shows phishing kits are now widely available on the dark web and via messaging apps like Telegram, and are often selling for less than $25.
By Emma Woollacott
-
Healthcare systems are rife with exploits — and ransomware gangs have noticed
News Nearly nine-in-ten healthcare organizations have medical devices that are vulnerable to exploits, and ransomware groups are taking notice.
By Nicole Kobie
-
Have I Been Pwned owner Troy Hunt’s mailing list compromised in phishing attack
Troy Hunt, the security blogger behind data-breach site Have I Been Pwned, has fallen victim to a phishing attack targeting his email subscriber list.
By Jane McCallion
-
Alleged LockBit developer extradited to the US
News A Russian-Israeli man has been extradited to the US amid accusations of being a key LockBit ransomware developer.
By Emma Woollacott