ReliaQuest attributed the campaign to former Black Basta affiliates, whose parent organization was disrupted in February 2025 after internal chats leaked. The firm documented over 100 employees across dozens of organizations compromised since May 2025, with March 2026 showing a sharp escalation: 77 percent of incidents that month targeted senior leadership, up from 59 percent earlier in the year. No specific victim companies have been publicly identified. The attackers compressed their entire process—from initial contact to full system access—into approximately 12 minutes, with individual messages sent just 29 seconds apart.
Organizations should treat this campaign as a direct threat to executive security protocols. The speed and automation of these attacks significantly reduce defender response windows. Legal and compliance teams should prioritize immediate C-suite training on email bombing tactics, verification procedures for unexpected Teams communications, and credential hygiene. Given the targeting of leadership roles, firms should review access controls for high-privilege accounts and consider whether current incident response procedures account for attacks designed to succeed in minutes rather than hours.