# Iranian State Hackers Use Microsoft Teams False Flag Attack to Steal Credentials
In a sophisticated social engineering campaign discovered in early 2026, the Iranian state-sponsored group MuddyWater has deployed a deceptive ransomware operation that leverages Microsoft Teams to steal credentials from target organizations. The attack, analyzed by Rapid7 researchers, represents a significant escalation in the group's tactics—combining credential harvesting with deliberate misdirection designed to obscure attribution.
## The Threat: A False Flag Operation with High Stakes
MuddyWater, also known by aliases including Mango Sandstorm, Seedworm, and Static Kitten, has long been recognized as a highly capable Iranian state-sponsored advanced persistent threat (APT) group. What distinguishes this campaign is its deliberate false flag nature: the attackers crafted the ransomware infection to appear as though it originated from a different threat actor, complicating attribution and potentially triggering defensive responses against the wrong adversary.
The attack chain begins with social engineering via Microsoft Teams, where targets receive seemingly legitimate messages from internal or trusted contacts. These messages contain malicious links or attachments designed to harvest Active Directory credentials. Once stolen, these credentials serve as the entry point for ransomware deployment—but the ransomware payload is deliberately configured to mask the true identity of the operators.
## Background: MuddyWater's Evolution as a Threat
MuddyWater emerged in 2016 as one of Iran's most versatile cyber operations groups. Over the past decade, the group has demonstrated sophisticated capabilities spanning espionage, destructive attacks, and financial operations targeting government agencies, telecommunications companies, energy infrastructure, and critical manufacturing across the Middle East, Europe, and North America.
The group's operational profile includes:
MuddyWater's signature tactics have evolved considerably. Early campaigns relied on spear-phishing and custom loaders like SEEDWORM and POWERSTATS. More recent operations increasingly rely on commercially available software that has legitimate uses, the so-called "living-off-the-land" approach, to minimize detectable signatures and complicate forensic analysis.
## The False Flag Deception: Why Attribution Matters
The false flag component of this campaign represents a notable strategic shift. Rather than attempting to hide entirely, MuddyWater deliberately configured the ransomware payload to appear as though a different threat actor had deployed it. This technique serves multiple operational objectives:
1. Attribution deflection: Investigators focusing on the incorrect threat actor consume resources and may implement misaligned defensive countermeasures
2. Geopolitical plausible deniability: If the attack is attributed to another nation-state or criminal group, it creates diplomatic ambiguity
3. Increased victim impact: Organizations defending against the wrong adversary may overlook genuine attacker infrastructure and persistence mechanisms
Rapid7's analysis identified several indicators that revealed the true origins of the campaign, though many organizations discovering the malware themselves might initially accept the false flag attribution at face value.
## Technical Details: The Attack Chain
The infection sequence identified by Rapid7 researchers follows this pattern:
Stage 1: Social Engineering via Microsoft Teams
Targets receive messages on Microsoft Teams from accounts spoofing internal employees or trusted partners. The messages appear contextually relevant—referencing recent projects, urgent security updates, or compliance requirements. This initial contact establishes credibility and encourages the target to click embedded links or download attachments.
Stage 2: Credential Harvesting
Malicious links direct victims to credential harvesting pages mimicking legitimate Microsoft or organizational login portals. The fake login forms capture Active Directory credentials, which attackers immediately validate against target environments. Some variants included attachments containing macro-enabled Office documents that, when opened, execute credential-stealing code.
Stage 3: Lateral Movement and Persistence
Using harvested credentials, attackers establish access to the target environment. Rapid7 identified the use of legitimate remote access tools, including commercial software frequently used by IT teams, to move laterally across network segments and establish persistence on multiple systems.
Stage 4: Ransomware Deployment with False Flag
The final stage involves deploying ransomware payloads configured with distinctive markers, ransom notes, and file extensions attributed to other known ransomware families. The encryption process and ransom demands deliberately mirror the style of different threat actors, reinforcing the false flag narrative.
## Why Microsoft Teams Was the Attack Vector
Microsoft Teams has become a ubiquitous collaboration platform in enterprise environments, with over 300 million monthly active users. Several factors make Teams an effective social engineering vector:
## Implications for Organizations
This campaign carries significant implications for enterprise security strategies:
Credential theft remains the highest-impact initial access vector. Regardless of how sophisticated ransomware payloads become, attackers continue to prioritize credential harvesting as the most reliable path to target environments. Organizations should recognize that strong access controls represent the primary line of defense.
Collaboration platforms require security monitoring. Microsoft Teams, Slack, and similar platforms are increasingly targeted but frequently lack the same logging, content inspection, and threat detection capabilities applied to email. This represents a notable gap in most organizations' security monitoring programs.
False flags complicate incident response. When attackers deliberately obscure their identity, it not only affects long-term attribution—it directly impacts the victim's immediate response. Organizations may implement the wrong containment strategies, enabling attackers to maintain persistence even after ransomware removal.
## Recommendations and Defense Strategies
Organizations should implement or review the following security controls:
| Control | Implementation | Rationale |
|---------|---|---|
| MFA enforcement | Require multi-factor authentication on all accounts | Stolen credentials alone cannot grant access |
| Teams monitoring | Deploy security tools that inspect Teams messages and file sharing | Detect malicious links and malware distribution in real-time |
| Credential validation | Implement conditional access policies checking login location, device, and behavior | Detect credential use from suspicious sources |
| User awareness training | Regular training focused on social engineering across all collaboration platforms | Recognize spoofed contacts and suspicious requests |
| Network segmentation | Isolate critical systems from general user networks | Limit lateral movement after initial compromise |
| EDR deployment | Deploy endpoint detection and response tools with behavioral analysis | Detect malicious process execution regardless of obfuscation |
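As an added example (not code from Rapid7, Microsoft or the article), the following Python script shows how the Stage 1 and Stage 2 indicators described above and the "Teams monitoring" and "Credential validation" controls in the table could be checked in practice: it flags external Teams senders that reuse an internal display name or link to a lookalike login host, then correlates each flagged message with a later successful sign-in by the recipient from a country absent from that user's history. The record layout, tenant domain, display names and log entries are constructed assumptions, not real telemetry.

```python
# Added example, not code from Rapid7 or the article: a defender-side correlation of
# constructed Teams message-audit records with constructed sign-in records (field names assumed).
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse
INTERNAL_DOMAIN = "corp.example"                      # assumed defending tenant
INTERNAL_DISPLAY_NAMES = {"jane doe", "it security"}  # assumed directory display names
ALLOWED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.microsoft.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+")
TEAMS_MESSAGES = [  # constructed sample telemetry, not real logs
    {"ts": "2026-02-03T09:12:00", "display": "Jane Doe", "sender": "jane.doe@corp.example",
     "to": "bob@corp.example", "text": "Deck is at https://teams.corp.example/share/42"},
    {"ts": "2026-02-03T09:40:00", "display": "IT Security", "sender": "itsec@corp-example-support.net",
     "to": "bob@corp.example", "text": "Urgent MFA reset: https://login.micros0ft-online.com/r"},
]
SIGNINS = [  # constructed sample sign-in events, not real logs
    {"ts": "2026-02-03T09:15:00", "user": "bob@corp.example", "country": "US", "ok": True},
    {"ts": "2026-02-03T09:55:00", "user": "bob@corp.example", "country": "XX", "ok": True},
]

def suspicious_messages(messages):
    """Flag external senders that reuse an internal display name or link to a login-looking host outside the allowlist."""
    alerts = []
    for m in messages:
        if m["sender"].lower().endswith("@" + INTERNAL_DOMAIN):
            continue                      # internal sender: out of scope for this check
        reasons = []
        if m["display"].lower() in INTERNAL_DISPLAY_NAMES:
            reasons.append("display name collides with internal user")
        hosts = [urlparse(u).hostname or "" for u in URL_RE.findall(m["text"])]
        bad = [h for h in hosts
               if ("login" in h or "microsoft" in h.replace("0", "o")) and h not in ALLOWED_LOGIN_HOSTS]
        if bad:
            reasons.append("lookalike login host: " + ",".join(bad))
        if reasons:
            alerts.append({"ts": m["ts"], "to": m["to"], "sender": m["sender"], "reasons": reasons})
    return alerts

def followup_signins(alerts, signins, window=timedelta(hours=2)):
    """Correlate each alert with a later successful sign-in by the recipient from a country not seen before."""
    hits = []
    for a in alerts:
        t0, user = datetime.fromisoformat(a["ts"]), a["to"]
        seen = {s["country"] for s in signins if s["user"] == user and datetime.fromisoformat(s["ts"]) < t0}
        for s in signins:
            t = datetime.fromisoformat(s["ts"])
            if s["user"] == user and s["ok"] and t0 <= t <= t0 + window and s["country"] not in seen:
                hits.append({"user": user, "signin_ts": s["ts"], "country": s["country"], "via": a["sender"]})
    return hits
```

In a real deployment the two record lists would be replaced by exports from the Teams audit log and the identity provider's sign-in log, and the country baseline would be built from a longer history than the single prior event shown here.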
Additionally, organizations should:
## Conclusion
MuddyWater's use of Microsoft Teams for credential theft, combined with deliberately deceptive ransomware configuration, demonstrates the group's continued evolution toward more sophisticated social engineering and attribution evasion techniques. The campaign underscores a critical reality: state-sponsored threat actors do not succeed primarily by evading detection signatures; they succeed by exploiting trusted communication channels, social psychology, and the fundamental weakness of stolen credentials.
Organizations that prioritize credential protection, apply strong multi-factor authentication, and extend security monitoring to collaboration platforms will substantially raise the cost and reduce the likelihood of successful compromise from this and similar campaigns.