Iranian state-sponsored group MuddyWater abused Microsoft Teams as a social engineering channel to harvest credentials and deploy ransomware, in an operation designed to obscure its true attribution, according to Rapid7 researchers.
The threat actor, tracked under multiple aliases including Mango Sandstorm, Seedworm, and Static Kitten, used social engineering within Microsoft Teams to trick users into executing malicious payloads. The campaign is a "false flag" operation: MuddyWater deliberately crafted it to shift blame toward other threat actors or criminal groups.
Rapid7 identified the intrusions in early 2026. The infection chain begins with Teams-based social engineering, likely relying on impersonation, malicious file sharing, or deceptive meeting invitations to gain initial access. Once a user takes the bait, MuddyWater harvests credentials from the affected system before deploying ransomware as the final payload.
This technique reflects MuddyWater's evolution toward more sophisticated post-compromise activity. The credential theft phase allows operators to establish persistence and move laterally across the network before deploying the ransomware component. The false flag element complicates incident response and attribution, potentially misleading defenders about the campaign's origin and ultimate objectives.
Organizations using Microsoft Teams face elevated risk. The platform's prevalence in enterprise environments and user familiarity with Teams-based communication make it an effective social engineering vector. Unless an administrator restricts Teams external access (federation), any other Microsoft 365 tenant can message staff directly, so an attacker-controlled tenant posing as a vendor or help desk needs no foothold to start a conversation. Employees rarely question unexpected messages or file transfers that arrive through what appears to be a trusted collaboration channel.
Defensive priorities include enforcing conditional access policies within Microsoft 365, implementing multi-factor authentication, restricting external access and external sharing of Teams content, and training staff to verify unexpected requests through a secondary channel before executing files or sharing credentials. Monitoring of Teams and Microsoft 365 audit activity should flag unusual behaviour, particularly downloads of executables shared through chat and external senders contacting many internal users or pushing unfamiliar links.
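To make the monitoring point concrete, the following added example (not Rapid7's or Microsoft's code) triages audit records for two of the behaviours described above: downloads of executable file types that arrived through a Teams chat, and an external sender fanning out to several internal users in a short window. The record shape is a simplified, constructed approximation of Microsoft 365 Unified Audit Log entries: Workload, Operation, UserId, SourceFileExtension, ObjectId and ClientIP are real field names, but the Recipients list, the tenant domain, the thresholds and the sample log lines are assumptions for illustration.

```python
"""Triage constructed Microsoft 365 audit records for Teams-borne social
engineering: risky executable downloads and external one-to-many messaging.

Added example; the record shape is a simplified approximation of the Unified
Audit Log, and all sample data below is constructed.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

TENANT_DOMAINS = {"contoso.example"}  # assumption: the defender's own domains

# File types that have no business arriving through a chat channel.
RISKY_EXTENSIONS = {"exe", "scr", "bat", "cmd", "ps1", "vbs", "js", "hta",
                    "msi", "iso", "img", "lnk"}

SPRAY_THRESHOLD = 3               # distinct internal recipients (assumption)
SPRAY_WINDOW = timedelta(minutes=10)

# Constructed sample records: an external "help desk" tenant messages three
# staff, one of whom downloads a Teams-shared executable; the rest is benign.
SAMPLE_LOG = """\
{"CreationTime": "2026-02-03T09:01:10", "Workload": "MicrosoftTeams", "Operation": "MessageSent", "UserId": "it-helpdesk@contoso-support.example", "Recipients": ["alice@contoso.example"]}
{"CreationTime": "2026-02-03T09:02:30", "Workload": "MicrosoftTeams", "Operation": "MessageSent", "UserId": "it-helpdesk@contoso-support.example", "Recipients": ["bob@contoso.example"]}
{"CreationTime": "2026-02-03T09:04:05", "Workload": "MicrosoftTeams", "Operation": "MessageSent", "UserId": "it-helpdesk@contoso-support.example", "Recipients": ["carol@contoso.example"]}
{"CreationTime": "2026-02-03T09:06:42", "Workload": "OneDrive", "Operation": "FileDownloaded", "UserId": "bob@contoso.example", "SourceFileName": "TeamsUpdate.exe", "SourceFileExtension": "exe", "ObjectId": "https://contoso-my.sharepoint.example/personal/bob_contoso_example/Documents/Microsoft Teams Chat Files/TeamsUpdate.exe", "ClientIP": "198.51.100.23"}
{"CreationTime": "2026-02-03T09:15:00", "Workload": "OneDrive", "Operation": "FileDownloaded", "UserId": "alice@contoso.example", "SourceFileName": "Q1-budget.xlsx", "SourceFileExtension": "xlsx", "ObjectId": "https://contoso-my.sharepoint.example/personal/alice_contoso_example/Documents/Q1-budget.xlsx", "ClientIP": "203.0.113.7"}
{"CreationTime": "2026-02-03T10:30:00", "Workload": "MicrosoftTeams", "Operation": "MessageSent", "UserId": "dave@contoso.example", "Recipients": ["alice@contoso.example", "bob@contoso.example", "carol@contoso.example"]}
"""


def parse_records(lines):
    """Parse JSON-per-line audit records, skipping blank lines."""
    return [json.loads(line) for line in lines if line.strip()]


def is_external(upn):
    """True when the UPN's domain is not one of the tenant's own domains."""
    return upn.rsplit("@", 1)[-1].lower() not in TENANT_DOMAINS


def flag_executable_downloads(records):
    """Return downloads of risky file types, noting when the stored path
    suggests the file was shared in a Teams chat."""
    hits = []
    for r in records:
        if r.get("Operation") != "FileDownloaded":
            continue
        name = r.get("SourceFileName") or ""
        ext = (r.get("SourceFileExtension") or name.rsplit(".", 1)[-1]).lower()
        if ext not in RISKY_EXTENSIONS:
            continue
        hits.append({
            "time": r.get("CreationTime"),
            "user": r.get("UserId"),
            "file": name,
            "client_ip": r.get("ClientIP"),
            # Heuristic (assumption): 1:1 chat attachments land in this folder.
            "via_teams_chat": "Microsoft Teams Chat Files" in (r.get("ObjectId") or ""),
        })
    return hits


def flag_external_spray(records):
    """Return (sender, distinct_recipients, window_start) for external senders
    who reached SPRAY_THRESHOLD or more internal users within SPRAY_WINDOW."""
    by_sender = defaultdict(list)
    for r in records:
        if r.get("Workload") != "MicrosoftTeams" or r.get("Operation") != "MessageSent":
            continue
        sender = r.get("UserId", "")
        if not is_external(sender):
            continue  # internal chatter is out of scope for this detector
        when = datetime.fromisoformat(r["CreationTime"])
        for rcpt in r.get("Recipients", []):
            if not is_external(rcpt):
                by_sender[sender].append((when, rcpt.lower()))

    hits = []
    for sender, events in by_sender.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            # Sliding window anchored at each message; events are time-sorted.
            reached = {rcpt for t, rcpt in events[i:] if t - start <= SPRAY_WINDOW}
            if len(reached) >= SPRAY_THRESHOLD:
                hits.append((sender, len(reached), start.isoformat()))
                break
    return hits


def triage(lines):
    """Run both detectors over raw log lines and return the findings."""
    records = parse_records(lines)
    return {
        "executable_downloads": flag_executable_downloads(records),
        "external_spray": flag_external_spray(records),
    }


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOG.splitlines()), indent=2))
```

On the sample data the first detector reports only bob's download of `TeamsUpdate.exe` from a Teams chat folder, and the second reports the external help-desk impersonator reaching three staff within ten minutes; dave's internal broadcast and alice's spreadsheet download are not flagged. In production the same logic would sit over records pulled from the audit log or a SIEM, with the tenant domains, extension list and thresholds tuned to the environment.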
MuddyWater historically targets government agencies,
