Iran-Linked Hackers Use Teams to Pose as IT Support
- May 6

An employee gets a Microsoft Teams chat from someone claiming to be IT. Within minutes, that employee has typed their password into a text file on their own desktop, added an attacker-controlled phone to their MFA, and handed over the keys to a domain controller. That is the playbook a state-linked Iranian group has been running against U.S. and Middle Eastern organizations in early 2026, according to a Rapid7 report published May 6.
What happened
Rapid7 incident responders were called into what looked like a routine Chaos ransomware attack. Forensic analysis told a different story. The intrusion is now assessed with moderate confidence as the work of MuddyWater, an Iranian Advanced Persistent Threat group affiliated with the Ministry of Intelligence and Security, also tracked under the names Seedworm, Mango Sandstorm, and Static Kitten.
The attackers initiated contact through external Microsoft Teams chat requests. Once an employee accepted, the attacker started a screen-sharing session and began running discovery commands on the user's machine. The next step was the most striking part of the campaign. The attacker walked the employee through typing credentials into a text file on the local desktop, then directed the employee to add an attacker-controlled device to the company's MFA. From there, the attackers moved to legitimate accounts, compromised a domain controller over RDP, and installed the remote management tools DWAgent and AnyDesk for persistence. Data was exfiltrated, and the attackers later sent ransom emails pointing to the Chaos data-leak site.
Rapid7 attributes the activity to MuddyWater based on a code-signing certificate (“Donald Gay”) tied to past MuddyWater tooling, overlapping command-and-control infrastructure, and the group's signature use of a renamed Python interpreter for execution. Chaos itself is a real ransomware-as-a-service crew that emerged in 2025 and had claimed roughly 36 victims by late March 2026, mostly in U.S. construction, manufacturing, and business services.
Why this matters for your business
Most defenders treat Microsoft Teams as an internal channel. It isn't. By default, Teams allows external chat from other Microsoft 365 tenants, which means an attacker with any Teams license can initiate a one-on-one chat with your staff and look like a normal external collaborator. Most employees have never been trained to recognize a Teams-based phishing attempt the way they have been trained to recognize a suspicious email.
There are three immediate business consequences worth understanding. First, MFA is no longer a finish line. Once an attacker is on a screen-share, they can talk a user through approving a push, registering a new device, or recovering an account. The MFA still works as designed; the human is the bypass. Second, the line between a state-linked intrusion and a financially motivated ransomware case has blurred to the point that initial response decisions can go badly wrong. An incident response team chasing extortion may miss the espionage. Third, this attack chain leans heavily on legitimate remote management software — DWAgent, AnyDesk, Quick Assist — which most endpoint tools allow by default. If you don't know which remote tools live on which machines, you can't tell intrusion from IT routine.
Picture a 250-person manufacturer with a busy help desk and a Microsoft 365 tenant set up the way it shipped. An external chat lands on a Friday afternoon, the user is mid-task, and the “IT” person on the other end is helpful and patient. By Monday, an attacker has had three days inside the network. That isn't a fictional scenario — it's the shape of the campaign Rapid7 documented.
How the attackers got in
The full intrusion chain was built around a single hinge: getting an employee to share their screen with a stranger over Teams. After that, the attackers ran ipconfig, whoami, and a handful of other commands to map the host, pulled VPN configuration files, and pointed the user at a phishing page styled like Microsoft Quick Assist. They had the employee write credentials into local text files named credentials.txt and cred.txt, then guided them through registering an attacker-owned device for MFA.
From there it was a standard intrusion. Compromised accounts authenticated to the domain controller. RDP sessions opened up the rest of the network. The attackers downloaded a custom downloader (ms_upd.exe), which retrieved a custom backdoor (Game.exe) masquerading as a Microsoft WebView2 sample app. The backdoor talks to its command-and-control server every 60 seconds and accepts twelve commands, including arbitrary PowerShell and chunked file uploads. Conspicuously absent: any encryption activity. The Chaos branding showed up in extortion emails and on the leak site, but the file encryptor never ran.
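A fixed 60-second beacon is one of the few things in this chain that looks nothing like a human. The script below is an added example, not part of the Rapid7 report or this article, that flags host/destination pairs whose outbound connections recur on a near-constant interval. The log lines are constructed sample data in a simple "timestamp host destination port" shape; point the function at your own proxy or firewall export and adjust the thresholds to taste.

```powershell
# Added example, not part of the Rapid7 report or this article: flag
# host/destination pairs whose connections recur on a near-fixed interval,
# the shape a 60-second beacon leaves in proxy or firewall logs.
# The log lines below are constructed sample data in the form
# "<utc timestamp> <host> <dest ip> <dest port>", not real telemetry.
$sampleLog = @'
2026-03-02T09:00:00Z ws-042 198.51.100.23 443
2026-03-02T09:01:00Z ws-042 198.51.100.23 443
2026-03-02T09:02:01Z ws-042 198.51.100.23 443
2026-03-02T09:02:59Z ws-042 198.51.100.23 443
2026-03-02T09:04:00Z ws-042 198.51.100.23 443
2026-03-02T09:05:00Z ws-042 198.51.100.23 443
2026-03-02T09:00:10Z ws-042 203.0.113.7 443
2026-03-02T09:13:42Z ws-042 203.0.113.7 443
2026-03-02T09:27:05Z ws-042 203.0.113.7 443
2026-03-02T09:31:11Z ws-042 203.0.113.7 443
2026-03-02T09:55:40Z ws-042 203.0.113.7 443
2026-03-02T09:58:02Z ws-042 203.0.113.7 443
'@

function Find-Beacons {
    param(
        [string[]]$Lines,
        [int]$MinConnections = 6,   # too few samples and any timing looks regular
        [double]$MaxJitter = 0.1    # std-dev / mean of the gaps; people do not browse this evenly
    )
    $events = foreach ($line in $Lines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $ts, $src, $dst, $port = $line.Trim() -split '\s+'
        [pscustomobject]@{
            Time = [datetimeoffset]::Parse($ts, [cultureinfo]::InvariantCulture)
            Pair = "$src -> ${dst}:$port"
        }
    }
    foreach ($group in ($events | Group-Object Pair)) {
        if ($group.Count -lt $MinConnections) { continue }
        $times = @($group.Group.Time | Sort-Object)
        # Seconds between consecutive connections for this pair.
        $gaps = for ($i = 1; $i -lt $times.Count; $i++) {
            ($times[$i] - $times[$i - 1]).TotalSeconds
        }
        # Coefficient of variation computed by hand so this also runs on Windows PowerShell 5.1.
        $mean     = ($gaps | Measure-Object -Average).Average
        $variance = ($gaps | ForEach-Object { ($_ - $mean) * ($_ - $mean) } | Measure-Object -Average).Average
        $jitter   = [math]::Sqrt($variance) / $mean
        if ($jitter -le $MaxJitter) {
            [pscustomobject]@{
                Pair            = $group.Name
                Connections     = $group.Count
                MeanIntervalSec = [math]::Round($mean, 1)
                Jitter          = [math]::Round($jitter, 3)
            }
        }
    }
}

# Only the 198.51.100.23 pair is reported: six hits about 60 s apart.
# The 203.0.113.7 pair has the same number of connections but irregular spacing.
Find-Beacons -Lines ($sampleLog -split '\r?\n') | Format-Table -AutoSize
```

On real data, run this over a window of at least an hour and exclude known update and telemetry destinations first, otherwise Windows Update and EDR agents will top the list. A beacon that adds random sleep will show higher jitter, so treat the threshold as a starting point rather than a verdict.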
Why the “ransomware” was a smokescreen
Rapid7's most consequential finding for defenders is the false-flag pattern. The attackers used the visible behavior of a ransomware crew — extortion email, leak site listing, blind countdown timer — to direct the victim's response toward a financially motivated playbook. Legal and PR engage early. The forensic team focuses on the encryption blast radius. Negotiation specialists are pulled in. Meanwhile, the persistence mechanisms (DWAgent, AnyDesk, the Game.exe backdoor with its 60-second beacon) sit quietly on the network.
That is the harder problem this story exposes. State-linked groups are deliberately borrowing cybercriminal branding to slow down attribution and steer the response. If the only thing your incident response plan is built for is “ransomware,” you may be solving the wrong problem.
What to do this week
None of the actions below requires a major project. Each requires an owner and a deadline.
Restrict inbound Teams chats from external tenants
In the Microsoft Teams admin center, review your external access settings. The safest default for most organizations is to disable open federation and instead allow chat only with named partner tenants. If business needs make that impossible, at minimum disable anonymous user join, restrict who can be contacted from outside, and require that external chats present a clear visual warning to the recipient. Train staff to treat any unsolicited external Teams chat the same way they would treat an unsolicited phone call from “IT” — verify through a known channel before doing anything else.
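The same settings can be audited and changed from the MicrosoftTeams PowerShell module, which makes it easier to confirm the state across tenants and to put the change under version control. The script below is an added example, not from the article or from Microsoft's documentation; the partner domain names are placeholders, and it assumes you are signed in as a Teams administrator.

```powershell
# Added example (not part of the article): audit and tighten Teams external
# access with the MicrosoftTeams PowerShell module. Domain names are
# placeholders; replace them with the tenants you actually collaborate with.
# Requires the MicrosoftTeams module and a Teams administrator sign-in.
Connect-MicrosoftTeams

$partnerDomains = @('partner-one.example', 'partner-two.example')   # placeholder values

# 1. Show the current state. "Open federation" (any Microsoft 365 tenant can
#    start a chat with your users) is the shipped default the article warns about.
$fed = Get-CsTenantFederationConfiguration
$allowListed = ($fed.AllowedDomains.AllowedDomain | Measure-Object).Count
[pscustomobject]@{
    FederationEnabled  = $fed.AllowFederatedUsers
    OpenFederation     = ($fed.AllowFederatedUsers -and $allowListed -eq 0)
    AllowTeamsConsumer = $fed.AllowTeamsConsumer
    AllowPublicUsers   = $fed.AllowPublicUsers
    AllowedDomains     = ($fed.AllowedDomains.AllowedDomain.Domain -join ', ')
} | Format-List

# 2. Replace "anyone with a Teams license" with an explicit allow list of
#    named partner tenants. Federation stays on, but only for these domains.
$patterns  = $partnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# 3. Block chat from personal (consumer) Teams accounts and Skype users,
#    which are the cheapest identities for an outsider to obtain.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false `
                                    -AllowPublicUsers $false

# 4. Stop anonymous users joining meetings in the global meeting policy.
Set-CsTeamsMeetingPolicy -Identity Global -AllowAnonymousUsersToJoinMeeting $false

# 5. Re-read the configuration so the change is confirmed, not assumed.
Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowPublicUsers
```

Tenant federation changes can take some time to propagate, so re-check the configuration and test from a partner tenant and from a non-listed tenant before declaring the control in place.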
Lock down MFA enrollment
This campaign succeeded because users were able to add an attacker-owned device to their own MFA. Review your conditional access and identity protection policies. Require strong identity verification for new MFA registrations — ideally a privileged session, a Temporary Access Pass, or a help desk callback to a known number. Flag any MFA registration from an unusual location or device for review. Where possible, move toward phishing-resistant authentication (FIDO2 keys, certificate-based auth, or Windows Hello for Business) for administrators and any role with access to sensitive data.
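The two controls that would have interrupted this step are a policy on the registration action itself and a routine look at who registered what. The script below is an added example, not from the article, using the Microsoft Graph PowerShell SDK: it creates a report-only Conditional Access policy on the "register security information" user action and lists recent security-info registrations with their source IP. The break-glass group id is a placeholder.

```powershell
# Added example (not from the article): put security-info registration behind
# a Conditional Access policy and review recent registrations, using the
# Microsoft Graph PowerShell SDK. The break-glass group id is a placeholder.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'AuditLog.Read.All', 'Directory.Read.All'

$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'   # placeholder: your emergency-access group

# 1. Registering a new MFA method is only allowed from a compliant or hybrid-joined
#    device (or from a trusted office network). A help desk that has verified the
#    caller through a known channel can issue a Temporary Access Pass so a new hire
#    or a replaced phone still gets through; a stranger on a Teams call cannot.
$policy = @{
    displayName = 'Security info registration: require managed device'
    state       = 'enabledForReportingButNotEnforced'   # start in report-only, switch to 'enabled' after review
    conditions  = @{
        users = @{
            includeUsers  = @('All')
            excludeGroups = @($breakGlassGroupId)
        }
        applications = @{
            includeUserActions = @('urn:user:registersecurityinfo')
        }
        locations = @{
            includeLocations = @('All')
            excludeLocations = @('AllTrusted')   # on-site registration at a known office stays frictionless
        }
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('compliantDevice', 'domainJoinedDevice')
    }
}
New-MgIdentityConditionalAccessPolicy -BodyParameter $policy

# 2. Review who registered security info in the last 7 days, and from where.
#    A registration from an IP the user never signs in from, or one that lands
#    minutes after an external Teams chat, is the event this campaign produced.
$since = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
Get-MgAuditLogDirectoryAudit -All -Filter "activityDisplayName eq 'User registered security info' and activityDateTime ge $since" |
    Select-Object ActivityDateTime,
        @{ n = 'User';   e = { $_.InitiatedBy.User.UserPrincipalName } },
        @{ n = 'IP';     e = { $_.InitiatedBy.User.IPAddress } },
        @{ n = 'Result'; e = { $_.Result } },
        @{ n = 'Detail'; e = { $_.ResultReason } } |
    Sort-Object ActivityDateTime -Descending |
    Format-Table -AutoSize
```

Leave the policy in report-only mode for a week and read the sign-in log "report-only" results before enforcing it; the users it would have blocked are exactly the ones (remote staff on unmanaged devices) who need the Temporary Access Pass path explained to them first.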
Audit remote access tools on the network
DWAgent, AnyDesk, Quick Assist, ScreenConnect, TeamViewer, Splashtop — if you don't have an inventory of which remote management tools are sanctioned, where they're installed, and who is allowed to use them, you cannot detect the abuse pattern in this report. A simple application allow-list combined with an EDR rule that alerts on first-time installation of a remote management tool catches most of the unauthorized cases. CISA published guidance on this exact pattern in its 2023 advisory on living-off-the-land techniques and updated it in 2025; it remains one of the highest-leverage hardening steps available.
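An inventory does not have to wait for a tooling purchase. The script below is an added example, not from the article or from CISA's guidance, that checks a single Windows host for the remote management tools named above in three places: the installer registry hives, registered services, and running processes (which catches portable copies that never wrote an uninstall entry). The watch list is taken from the article; the sanctioned list is a placeholder for whatever your organisation actually approves. Run it through your endpoint management platform to collect results fleet-wide.

```powershell
# Added example (not from the article or CISA guidance): inventory remote
# management tools on a Windows host and mark which ones are unsanctioned.
# Watch list is from the article; the sanctioned list is a placeholder.
$watchList  = @('DWAgent', 'AnyDesk', 'Quick Assist', 'ScreenConnect', 'TeamViewer', 'Splashtop')
$sanctioned = @('Quick Assist')   # placeholder: replace with your approved tools

function ConvertTo-NamePattern {
    # Build one case-insensitive alternation; "Quick Assist" also matches "QuickAssist".
    param([string[]]$Names)
    if (-not $Names) { return '(?!)' }   # regex that never matches
    ($Names | ForEach-Object { [regex]::Escape($_) -replace '\\ ', '\s?' }) -join '|'
}

function Get-RemoteToolInventory {
    param([string[]]$WatchList, [string[]]$Sanctioned)
    $pattern    = ConvertTo-NamePattern $WatchList
    $okPattern  = ConvertTo-NamePattern $Sanctioned

    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )

    $hits = @(
        # Installed applications from the 64-bit, 32-bit and per-user uninstall hives.
        Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName -match $pattern } |
            ForEach-Object { [pscustomobject]@{ Source = 'Installed'; Name = $_.DisplayName; Detail = $_.InstallLocation } }

        # Services: DWAgent and AnyDesk register one when set up for unattended access.
        Get-CimInstance Win32_Service |
            Where-Object { $_.Name -match $pattern -or $_.DisplayName -match $pattern -or $_.PathName -match $pattern } |
            ForEach-Object { [pscustomobject]@{ Source = 'Service'; Name = $_.Name; Detail = $_.PathName } }

        # Running processes, including portable binaries launched from a download folder.
        Get-Process |
            Where-Object { $_.ProcessName -match $pattern -or $_.Path -match $pattern } |
            ForEach-Object { [pscustomobject]@{ Source = 'Process'; Name = $_.ProcessName; Detail = $_.Path } }
    )

    foreach ($h in $hits) {
        $h | Add-Member -NotePropertyName Sanctioned `
                        -NotePropertyValue ("$($h.Name) $($h.Detail)" -match $okPattern) `
                        -PassThru
    }
}

$inventory = Get-RemoteToolInventory -WatchList $watchList -Sanctioned $sanctioned
$inventory | Sort-Object Sanctioned, Source | Format-Table -AutoSize

# Anything unsanctioned is a ticket, whether it turns out to be an intrusion or a shortcut.
$inventory | Where-Object { -not $_.Sanctioned } |
    ForEach-Object { Write-Warning "Unsanctioned remote tool on $env:COMPUTERNAME: $($_.Source) $($_.Name) ($($_.Detail))" }
```

The output is deliberately noisy the first time you run it; that is the point. Reconcile it against the help desk's own list, move the genuine tools into the sanctioned list, and then the next run only reports change, which is the signal the EDR rule in the paragraph above should also be raising.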
The bottom line
The MuddyWater campaign is a useful reminder that the attack surface includes the collaboration tools your business considers internal. It's also a reminder that ransomware can be costume rather than objective. For most small and mid-market businesses, the practical response is unglamorous: tighten Teams external access, harden MFA enrollment, and inventory the remote tools on your endpoints. Those three steps would have broken the chain Rapid7 documented, and they will break the next one too.
If you're not sure whether your organization is exposed to this kind of social engineering, Purple Shield Security can help. Our team runs vCISO services as well as fractional CISO services and risk assessment engagements for small and mid-market companies and regulated businesses across the U.S. Reach out for a conversation about your current exposure and where to start.