
Microsoft Teams MFA Theft 2026: How MuddyWater Built a False Flag Operation
Your employees trust Microsoft Teams. They accept help desk requests on it, share screens through it, and follow IT instructions sent over it, because it is your organization's official communication platform. In early 2026, that trust became a weapon. In an intrusion observed by Rapid7, the attackers used social engineering over Microsoft Teams to start the infection chain. The campaign was characterized by a high-touch social engineering phase conducted via Teams, in which the attackers used interactive screen-sharing sessions to harvest credentials and manipulate multi-factor authentication, while disguising intelligence-gathering objectives behind the appearance of a financially motivated ransomware attack.
The threat actor behind this campaign was not a ransomware gang. It was a nation-state. And the ransomware was the decoy. Here is the full operational picture.
The False Flag: Chaos Ransomware as a Smokescreen
MuddyWater's Operational Cover
MuddyWater is an advanced persistent threat (APT) group affiliated with Iran's Ministry of Intelligence and Security. In this campaign, the group borrowed the branding of Chaos, a ransomware-as-a-service operation that emerged in February 2025 following law enforcement's disruption of the BlackSuit ransomware infrastructure during Operation Checkmate. Believed to include former BlackSuit and Royal ransomware members, Chaos specializes in big-game hunting attacks demanding ransoms of up to $300,000. However, in this incident, the ransomware branding was purely a cosmetic cover for something far more dangerous.
Once inside, the group bypassed traditional ransomware workflows, forgoing file encryption in favor of data exfiltration and long-term persistence via remote management tools like DWAgent.
The ransom demand was theater. The real objective was durable access to the victim's network — and the data exfiltration that preceded the theatrical ransomware deployment.
The Teams Attack Chain — Step by Step
The threat actor initiated external chat requests via Teams to engage with employees and obtain initial access through screen-sharing sessions. Using the compromised user accounts, the attackers then conducted reconnaissance, established persistence with tools like DWAgent and AnyDesk, moved laterally, and exfiltrated data.
Victims were explicitly instructed to type their credentials into locally created text files named credentials.txt and cred.txt, and to add attacker-controlled devices to their MFA configurations. Following the credential compromise, the threat actor authenticated to internal systems including Domain Controllers using the harvested accounts.
Table: MuddyWater Teams Attack Chain — MITRE ATT&CK Mapping
| Phase | Technique | MITRE ATT&CK |
|---|---|---|
| Initial Access | External Teams chat impersonating IT support | T1566.004 — Spearphishing via Service |
| Credential Theft | Screen-sharing session harvesting creds to .txt files | T1056 — Input Capture |
| MFA Manipulation | Attacker device added to victim's MFA configuration | T1556.006 — Modify Authentication Process |
| Persistence | DWAgent + AnyDesk remote management tools | T1219 — Remote Access Software |
| Lateral Movement | Domain Controller access via stolen credentials | T1078 — Valid Accounts |
| Exfiltration | Data staging and exfil before ransomware deployment | T1041 — Exfiltration Over C2 Channel |
Attribution Indicators and Actor Profile
Confirming MuddyWater Behind the Chaos Branding
The C2 domain moonzonet[.]com, used by ms_upd.exe, was also independently linked to MuddyWater activity in early 2026. Additional hallmarks include the group's characteristic use of pythonw.exe for code injection and their established "IT Support" persona on Microsoft Teams, a social engineering tactic observed in prior campaigns. The extortion emails and Chaos data-leak site listing appear designed to divert defenders' attention toward ransomware recovery procedures while the attackers quietly maintained long-term persistence through remote access tools.
This technique mirrors a broader trend of Teams-based social engineering that surged in 2026. Microsoft Defender Research documented a large-scale credential theft campaign in March 2026 that similarly exploited Teams' trusted environment to bypass traditional security controls.
Important: The absence of file encryption in a "ransomware" incident is the single most important behavioral anomaly to investigate. If a threat actor deploys ransomware artifacts but does not encrypt files, the ransomware is a distraction — and your actual breach scope is likely far wider than the presented extortion demand suggests.
Defending Against Teams-Based Social Engineering
Technical and Policy Controls
Organizations must immediately implement the following controls against Teams-based credential theft campaigns:
- Disable or restrict external Teams chat — configure your Teams tenant to block unsolicited external messages from unknown domains
- Enforce device compliance policies for MFA device registration — prevent attacker-controlled devices from being added to victim MFA profiles
- Enable Teams audit logging — all external chat requests, screen-sharing sessions, and file transfers must be logged and retained
- Alert on MFA device additions — any new authenticator device registration should trigger immediate security team notification
- Implement privileged access workstations — Domain Controller authentication must require hardware-bound credentials, not Teams-harvested passwords
Table: Microsoft Teams Security Controls vs MuddyWater TTPs
| Attack Technique | Defensive Control | Implementation |
|---|---|---|
| External chat impersonation | Block external Teams messages from unverified domains | Teams Admin Center — External Access policies |
| Screen-sharing credential harvest | Security awareness training on IT impersonation | Phishing simulation including Teams vectors |
| MFA device addition | Require IT-authorized device registration with manager approval | Azure AD — MFA registration policy |
| Persistent remote access (DWAgent) | Application allowlisting on endpoints | CIS Control 2 — Software Asset Management |
| Lateral movement to DCs | Privileged Access Workstations + tiered admin model | NIST SP 800-207 — Zero Trust Architecture |
Key Takeaways
- Treat all unsolicited external Teams messages as potential phishing — no legitimate IT team initiates credential requests via chat
- Alert immediately on MFA device registration events — attacker-controlled device addition is the persistence mechanism that survives password resets
- Investigate ransomware incidents for false flag indicators — missing file encryption despite ransomware artifacts signals intelligence-gathering operations
- Restrict external Teams access — configure your tenant to block messages from unverified external domains in Teams Admin Center
- Hunt for DWAgent and AnyDesk in your environment if Teams-based social engineering is suspected — these are MuddyWater's persistent access tools
- Audit Domain Controller authentication logs for logons from accounts that recently interacted with external Teams contacts
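The "alert on MFA device additions" control above and the last two takeaways (MFA registration alerts, DC logon audits for accounts that recently talked to external Teams contacts) describe one correlation. The following is an added example of how a detection engineer might implement it; it is not code from the original article, from Rapid7, or from any vendor. Every event record is constructed sample data, and the field names (`user`, `sender`, `type`, `activityDisplayName`, `host`) are simplified assumptions, not the exact schema of Teams audit records, Entra ID audit logs, or Windows 4624 events.

```python
import json
from datetime import datetime, timedelta

# --- Constructed sample telemetry (NOT real logs) ---------------------------
# Field names are simplified assumptions, modelled loosely on Teams audit
# records, Entra ID "User registered security info" audit entries, and
# Windows 4624 logon events forwarded from Domain Controllers. In real logs the
# DC logon would carry a sAMAccountName rather than a UPN; it is normalised
# to the UPN here to keep the join simple.
TEAMS_EVENTS = [json.loads(line) for line in """
{"time": "2026-03-03T09:12:00", "user": "alice@corp.example", "sender": "helpdesk@support-portal.invalid", "type": "ExternalChatRequest"}
{"time": "2026-03-03T09:20:00", "user": "alice@corp.example", "sender": "helpdesk@support-portal.invalid", "type": "ScreenShareStarted"}
{"time": "2026-03-03T10:00:00", "user": "bob@corp.example", "sender": "carol@corp.example", "type": "ChatCreated"}
{"time": "2026-03-01T08:00:00", "user": "dave@corp.example", "sender": "it@partner.invalid", "type": "ExternalChatRequest"}
""".strip().splitlines()]

MFA_EVENTS = [json.loads(line) for line in """
{"time": "2026-03-03T09:29:00", "user": "alice@corp.example", "activityDisplayName": "User started security info registration", "method": ""}
{"time": "2026-03-03T09:31:00", "user": "alice@corp.example", "activityDisplayName": "User registered security info", "method": "Microsoft Authenticator"}
{"time": "2026-03-06T08:00:00", "user": "dave@corp.example", "activityDisplayName": "User registered security info", "method": "Microsoft Authenticator"}
{"time": "2026-03-03T11:00:00", "user": "erin@corp.example", "activityDisplayName": "User registered security info", "method": "Phone"}
""".strip().splitlines()]

DC_LOGONS = [json.loads(line) for line in """
{"time": "2026-03-03T14:05:00", "user": "alice@corp.example", "host": "DC01", "event_id": 4624, "logon_type": 3, "src_ip": "10.0.5.77"}
{"time": "2026-03-03T10:30:00", "user": "bob@corp.example", "host": "DC01", "event_id": 4624, "logon_type": 3, "src_ip": "10.0.8.12"}
{"time": "2026-03-04T10:00:00", "user": "alice@corp.example", "host": "DC02", "event_id": 4624, "logon_type": 3, "src_ip": "10.0.5.77"}
""".strip().splitlines()]


def _ts(event):
    """Parse the ISO-8601 timestamp carried by every constructed event."""
    return datetime.fromisoformat(event["time"])


def is_external(sender, internal_domain):
    """True when the chat sender's domain is not the tenant's own domain."""
    return sender.split("@")[-1].lower() != internal_domain.lower()


def external_contacts(teams_events, internal_domain):
    """Map each internal user to the timestamps of Teams chats initiated from outside the tenant."""
    contacts = {}
    for ev in teams_events:
        if is_external(ev["sender"], internal_domain):
            contacts.setdefault(ev["user"], []).append(_ts(ev))
    return contacts


def _followups(events, user, start, window):
    """Events for `user` that fall inside [start, start + window]."""
    return [e for e in events if e["user"] == user and start <= _ts(e) <= start + window]


def mfa_registrations(events):
    """Keep only completed security-info registrations, dropping 'started' entries."""
    return [e for e in events if e.get("activityDisplayName", "").endswith("registered security info")]


def correlate(teams_events, mfa_events, dc_logons, internal_domain, window=timedelta(hours=24)):
    """Flag users whose first external Teams contact was followed, within `window`,
    by an MFA device registration and/or a Domain Controller logon.

    A new MFA registration is rated 'high' because it survives a password reset;
    a DC logon without a registration is rated 'medium'."""
    findings = []
    completed_mfa = mfa_registrations(mfa_events)
    for user, times in external_contacts(teams_events, internal_domain).items():
        first = min(times)
        mfa = _followups(completed_mfa, user, first, window)
        dc = _followups(dc_logons, user, first, window)
        if not mfa and not dc:
            continue  # external contact alone is not enough to raise a finding here
        findings.append({
            "user": user,
            "first_external_contact": first.isoformat(),
            "mfa_registrations": len(mfa),
            "dc_logons": len(dc),
            "dc_hosts": sorted({e["host"] for e in dc}),
            "severity": "high" if mfa else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in correlate(TEAMS_EVENTS, MFA_EVENTS, DC_LOGONS, "corp.example"):
        print(json.dumps(finding))
```

On the constructed data only alice is flagged: her external chat at 09:12 is followed by a completed Authenticator registration at 09:31 and a DC01 logon the same afternoon, so the finding is rated high. Bob's chat was with an internal sender, erin registered a device but never had an external contact, dave's registration came five days after his contact, and alice's DC02 logon on the next day falls just outside the 24-hour window. In production the window and the "first contact" anchor are tuning choices; a practitioner would typically extend the window to cover the dwell time seen in this campaign and feed the findings to a SIEM alert rather than printing them.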
Conclusion
The MuddyWater Teams campaign of 2026 represents a sophisticated evolution of enterprise social engineering — weaponizing the most trusted collaboration platform in your organization to harvest credentials, manipulate MFA, and establish nation-state-level persistence while hiding behind a ransomware brand as cover. The lesson is not that Microsoft Teams is insecure — it is that trusted platforms are exactly what sophisticated threat actors target. Your employee security training must now explicitly include Teams-based IT impersonation scenarios. Your MFA registration policies must include approval gates. And your incident response playbooks must include false flag detection as a standard analytical step in every ransomware investigation. Start there.
Frequently Asked Questions
Q: Who is MuddyWater and why did they use Chaos ransomware branding?
A: MuddyWater (also known as Seedworm) is an advanced persistent threat group affiliated with Iran's Ministry of Intelligence and Security (MOIS). They used Chaos ransomware branding as a false flag — deploying ransomware artifacts and making ransom demands to make the intrusion appear financially motivated and divert defenders toward ransomware recovery procedures while the real objectives of intelligence gathering and long-term persistence were pursued covertly.
Q: How did attackers manipulate MFA through Microsoft Teams?
A: Attackers impersonating IT support staff conducted screen-sharing sessions with victims, instructing them to type credentials into text files and add attacker-controlled devices to their MFA configuration. This gave the attackers persistent authenticated access that survives subsequent password resets — because the attacker's device remains a registered MFA authenticator.
Q: What is the most important indicator that a "ransomware" incident is actually a false flag operation?
A: The absence of file encryption despite the presence of ransomware artifacts, ransom notes, and data-leak site listings is the primary false flag indicator. In this campaign, MuddyWater deployed all the cosmetic elements of a Chaos ransomware attack but did not encrypt files — because the actual objective was data exfiltration and persistent access, not ransom payment.
Q: How should organizations configure Microsoft Teams to reduce this attack surface?
A: Organizations should restrict external Teams communication to verified partner domains only, disable unsolicited external chat requests, require IT authorization for any new MFA device registrations, enable comprehensive Teams audit logging, and conduct security awareness training that specifically includes Teams-based IT impersonation scenarios.
Q: What compliance frameworks require controls against this type of social engineering attack?
A: NIST SP 800-53 AC-17 (Remote Access), IA-5 (Authenticator Management), and SI-3 (Malicious Code Protection) directly apply. ISO 27001 Annex A.6.1 (Contact with Authorities) and A.7.2.2 (Information Security Awareness) require training against social engineering. MITRE ATT&CK technique T1566.004 (Spearphishing via Service) maps directly to this attack pattern and should be incorporated into purple team detection exercises.
