MuddyWater, the Iranian state-sponsored hacking group operating under Iran's Ministry of Intelligence and Security (MOIS), has been observed executing a sophisticated false flag ransomware campaign that uses Microsoft Teams as the entry point. The operation, detailed by Rapid7 researchers and reported by The Hacker News, reveals a deliberate deception strategy: conduct intelligence collection under the cover of a financially motivated ransomware attack.
The group used Teams-based social engineering to persuade employees to install legitimate remote management software, then systematically harvested credentials and exfiltrated data before deploying Chaos ransomware — leaving defenders scrambling over encryption while missing the deeper intrusion.
Attack Overview
The campaign unfolds in five clear phases:
1. Teams-Based Social Engineering
Attackers contact employees directly via Microsoft Teams, impersonating IT support staff or helpdesk personnel. The messages claim urgent action is needed — account security issues, compliance failures, or system maintenance. Because Teams messages arrive from within the apparent corporate environment, targets extend higher trust than they would to cold emails.
2. Remote Management Tool Installation
Targets are instructed to install one of several legitimate remote management tools:
- ScreenConnect (ConnectWise)
- AnyDesk
- SimpleHelp
- Level.io
These tools give attackers interactive remote sessions without dropping malicious binaries — dramatically reducing the chance of AV or EDR detection at this stage.
3. Credential Harvesting
Once inside via the remote session, the threat actor:
- Accesses LSASS to dump Active Directory credentials
- Pulls saved passwords from browser credential stores (Chrome, Edge, Firefox)
- Targets Windows Credential Manager entries
- Harvests Exchange/Outlook email account credentials
The harvested credentials enable lateral movement to servers, file shares, email archives, and cloud services.
4. Data Exfiltration (True Objective)
Before any ransomware is deployed, the attackers spend time identifying and exfiltrating intelligence-relevant data. MuddyWater's historical targeting suggests primary interest in:
- Government and defense communications
- Personnel databases and organizational charts
- VPN and remote access configurations
- Policy documents and strategic planning materials
5. Chaos Ransomware Deployment (Decoy)
With the espionage mission complete, the group deploys Chaos ransomware — a publicly available .NET-based ransomware builder — across the environment. This serves multiple strategic purposes:
| Purpose | Effect |
|---|---|
| Attribution confusion | Chaos is widely used by financially motivated actors; ties to nation-state are obscured |
| Incident response distraction | Defenders focus on restoring from backups instead of forensic investigation |
| Evidence destruction | File encryption overwrites metadata, complicating timeline reconstruction |
| False narrative | Victim and media frame the event as a ransomware attack, not state espionage |
Why Microsoft Teams?
The pivot to Teams as an attack vector reflects a deliberate adaptation to enterprise security improvements. Traditional spear-phishing faces:
- Enhanced email gateway filtering
- Attachment sandboxing
- User awareness training focused on suspicious emails
Microsoft Teams bypasses these controls entirely. Traffic is legitimate, the platform is trusted, and users are less trained to be suspicious of Teams messages requesting action. The channel also supports real-time back-and-forth that allows the attacker to overcome hesitation and answer objections — making social engineering significantly more effective.
MuddyWater Background
MuddyWater (also tracked as MERCURY, Seedworm, Boggy Serpent, and Static Kitten) has been active since at least 2017. The group primarily targets:
- Middle Eastern government ministries and defense contractors
- Telecommunications providers globally
- Critical infrastructure operators
- Think tanks with policy relevance to Iranian interests
The US Treasury sanctioned the group in 2022, and multiple joint advisories from CISA, the FBI, NSA, and allied intelligence services have documented their evolving tactics.
Defensive Recommendations
Restrict external Teams access. Configure Microsoft Teams to limit or require approval for external user communications. Log all external-initiated sessions.
Audit remote management tool installations. Only permit IT-approved tools from an explicit allowlist. Alert on installation of AnyDesk, ScreenConnect, SimpleHelp, and Level.io outside of change windows.
Do not close the incident after ransomware remediation. The ransomware component is the cover — treat the underlying credential theft and access as a separate, ongoing incident requiring full scope investigation.
Rotate all credentials after incident. Any environment where MuddyWater-style activity is suspected should treat all credentials — AD, cloud, VPN, service accounts — as compromised, not just the accounts confirmed in logs.
Enable Teams audit logging. Enable AuditLogs for Microsoft Teams in the Microsoft 365 Compliance Center. Review external contact initiation events, especially those leading to remote session requests.
Detection Signals
| Stage | Signal |
|---|---|
| Initial access | Teams messages from external or guest accounts requesting remote sessions |
| Tool installation | New remote management software not in approved list |
| Credential access | LSASS read access by non-system processes |
| Lateral movement | Anomalous admin logins; pass-the-hash/ticket events |
| Exfiltration | High-volume file access or data staging to compressed archives |
| Ransomware | VSS deletion commands; mass file rename or encryption activity |