MuddyWater's Deceptive Teams Campaign: Inside the False Flag Credential Heist


In early 2026, the Iranian state-sponsored group MuddyWater, also tracked as Mango Sandstorm, Seedworm and Static Kitten, ran a campaign that used Microsoft Teams chats and calls as its initial point of contact with victims. The activity, observed by the security firm Rapid7, combined social engineering with a false-flag ransomware narrative: the operators stole credentials and then staged a criminal-looking ransomware incident to confuse the investigation. Below, we answer key questions about how the attack unfolded and what it means for defenders.

What is MuddyWater and what was their recent attack?

MuddyWater is an Iranian state-sponsored threat actor active since at least 2017. It typically targets government, telecommunications and oil and gas organizations in the Middle East, Europe and North America, and relies heavily on social engineering for initial access. In the early 2026 activity observed by Rapid7, MuddyWater used Microsoft Teams to send chat requests and messages to employees while impersonating IT support staff or trusted colleagues, persuading targets to click links or grant remote access. Once on a host, the operators harvested credentials and then deployed a ransomware component. That component was a false flag: its purpose was to make the intrusion look like a financially motivated criminal attack so investigators would attribute it to a ransomware gang rather than a nation-state, while the stolen credentials were retained for espionage.

How did MuddyWater use Microsoft Teams in the attack?

The chain began with a Microsoft Teams chat request sent to the target from an account made to look like a trusted source, such as an internal IT administrator or a vendor contact. Often the operator followed up with a Teams call to add urgency, claiming a network or security issue needed immediate action. During the call, the victim was walked through opening a fake login page or installing a remote-access tool. That tool was either a legitimate remote-support client such as AnyDesk or a script supplied by the attacker; either way, it handed the operator interactive control of the endpoint. A signed, widely used remote-support client is attractive here because it is not malware in the antivirus sense and its presence is easy to mistake for routine helpdesk activity. Teams was a strategic choice because employees trust messages inside the Microsoft ecosystem and the platform supports real-time persuasion by chat and voice. Rapid7 noted that the attackers mimicked legitimate company profiles to avoid suspicion.

What is a false flag operation in this context?

A false flag operation is one in which the attacker deliberately makes an intrusion look like the work of another group. Here, MuddyWater wanted the target to conclude that a financially motivated ransomware gang, not an Iranian intelligence service, was responsible. After harvesting credentials, the operators deployed a ransomware component that encrypted files and dropped a ransom note styled after known criminal groups such as BlackCat or LockBit. The goal was to pull attention away from the data theft: if responders treated the event as a commodity ransomware incident, restored from backups or negotiated a payment, and closed the case, the credential theft and the persistent access behind it would go unexamined. The cover story therefore also bought MuddyWater time to keep using the stolen credentials for espionage while remaining in the network.

What social engineering techniques were employed?

MuddyWater used a multi-step social engineering approach. It began with reconnaissance to identify employees with broad network access, such as IT administrators or finance managers. The operators then created fake Microsoft Teams accounts on corporate-looking email domains, in some cases after compromising a low-privilege account in the target organization. They opened a chat or call, using a friendly tone and technical jargon to build rapport, and claimed that a security update had to be applied or a phishing alert verified. During the call, the victim was guided to a fake Microsoft authentication portal that captured whatever credentials were entered. Other victims were directed to install a legitimate remote desktop tool, which the attackers then used to move laterally. Impersonation, manufactured urgency and fluency with the corporate toolset together made the pretext highly convincing.

What were the objectives of the attack?

The primary objective was credential theft in support of long-term espionage. MuddyWater wanted usernames and passwords that would open sensitive systems and data: mailboxes, HR databases and restricted document stores. The ransomware was a distraction; the authentication data was the real prize. With valid credentials in hand, the operators could log back in later, harvest more data or stage further malware. Given MuddyWater's links to Iranian intelligence, the ultimate goal was most likely intelligence on geopolitical matters, energy policy or defense technology. The false flag served a second purpose: if the breach was discovered, the investigation would point at a criminal ransomware group rather than a state actor, reducing the risk of diplomatic fallout or retaliation.

How can organizations defend against such attacks?

Defending against this type of attack requires technical controls and user awareness together. Enforce multi-factor authentication at the identity provider for every account, and prefer phishing-resistant methods (FIDO2 security keys or Windows Hello for Business) over one-time codes: a fake login portal operated live can relay a code or push prompt in real time, but cannot replay a credential bound to the legitimate domain. Train employees to verify unexpected Teams calls or chats through a separate channel, such as a phone call to the number on file for the claimed sender, before acting; an IT department that never asks users to install remote tools over chat makes that rule easy to apply. Monitor for installation and execution of remote-support tools such as AnyDesk or TeamViewer by users outside the support team, and for those tools connecting to addresses outside the ranges your helpdesk uses; application control that blocks unsanctioned remote-access software removes the option entirely. Restrict Teams external access to an allowlist of partner tenants and disable guest access where it is not needed, so arbitrary external accounts cannot open chats with staff. Endpoint detection and response (EDR) should alert on remote tools being installed and on mass file encryption. Finally, run tabletop exercises that rehearse a Teams-based pretext, including the false flag, so responders practice looking past the ransom note for credential theft and persistence. Combined, these measures substantially reduce the chance of falling victim to MuddyWater's tactics.
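The monitoring advice above can be made concrete. The following Python script is an added example written for this article; it is not Rapid7's detection logic and not a Microsoft product feature. It correlates two constructed log streams, Teams chats from external tenants and process-creation events for remote-access tools, and raises an alert when a user launches such a tool shortly after a chat from a tenant that is not on the federation allowlist. The record layout, the user names, tenants, addresses and the allowlists are all assumptions for illustration; a real deployment would read the Microsoft 365 Unified Audit Log and EDR telemetry, whose field names differ.

```python
"""Added example: correlate external Teams chats with remote-access tool launches.

Constructed data and a simplified, assumed record schema (not the real Microsoft
365 audit-log layout). Not Rapid7's or Microsoft's code.
"""
from __future__ import annotations

import json
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Remote-access binaries to watch (compared case-insensitively). Extend for the
# tools your organisation does not sanction.
RMM_BINARIES = {"anydesk.exe", "teamviewer.exe", "quickassist.exe"}
# External tenants the organisation actually federates with (assumed allowlist).
APPROVED_EXTERNAL_DOMAINS = {"trusted-vendor.example"}
# Accounts permitted to run remote-support tooling (assumed IT group).
IT_SUPPORT_USERS = {"helpdesk@corp.example"}
# Address space from which remote-support connections are expected (assumed).
APPROVED_RMM_NETWORKS = [ip_network("10.0.0.0/8")]
# An external chat followed by an RMM launch inside this window is suspicious.
CORRELATION_WINDOW = timedelta(minutes=30)


@dataclass
class TeamsChat:
    ts: datetime
    recipient: str   # internal UPN that received the message
    sender: str      # UPN of the other party, possibly from a foreign tenant


@dataclass
class ProcessEvent:
    ts: datetime
    user: str        # UPN of the account that launched the process
    image: str       # executable file name, lower-cased
    remote_ip: str   # peer address of the tool's first outbound connection


def parse_jsonl(text: str) -> tuple[list[TeamsChat], list[ProcessEvent]]:
    """Split one JSON-lines feed into chat and process records by 'type'."""
    chats, procs = [], []
    for line in text.strip().splitlines():
        rec = json.loads(line)
        ts = datetime.fromisoformat(rec["ts"])
        if rec["type"] == "teams_chat":
            chats.append(TeamsChat(ts, rec["recipient"].lower(), rec["sender"].lower()))
        elif rec["type"] == "process":
            procs.append(ProcessEvent(ts, rec["user"].lower(), rec["image"].lower(),
                                      rec["remote_ip"]))
    return chats, procs


def domain_of(upn: str) -> str:
    return upn.rsplit("@", 1)[-1].lower()


def is_unapproved_external(chat: TeamsChat) -> bool:
    """Sender is from another tenant and that tenant is not on the allowlist."""
    sender_dom, recipient_dom = domain_of(chat.sender), domain_of(chat.recipient)
    return sender_dom != recipient_dom and sender_dom not in APPROVED_EXTERNAL_DOMAINS


def is_unexpected_rmm(evt: ProcessEvent) -> bool:
    """RMM binary run by a non-IT user, or connecting outside approved ranges."""
    if evt.image not in RMM_BINARIES:
        return False
    outside = not any(ip_address(evt.remote_ip) in net for net in APPROVED_RMM_NETWORKS)
    return evt.user not in IT_SUPPORT_USERS or outside


def correlate(chats: list[TeamsChat], procs: list[ProcessEvent]) -> list[dict]:
    """Pair each unexpected RMM launch with a preceding unapproved external chat
    to the same user inside CORRELATION_WINDOW."""
    alerts = []
    for evt in procs:
        if not is_unexpected_rmm(evt):
            continue
        for chat in chats:
            gap = evt.ts - chat.ts
            if (chat.recipient == evt.user and is_unapproved_external(chat)
                    and timedelta(0) <= gap <= CORRELATION_WINDOW):
                alerts.append({"user": evt.user, "external_sender": chat.sender,
                               "tool": evt.image, "remote_ip": evt.remote_ip,
                               "minutes_after_chat": int(gap.total_seconds() // 60)})
    return alerts


# Constructed sample feed: fictitious users, tenants and addresses.
SAMPLE_LOG = """
{"type":"teams_chat","ts":"2026-01-14T09:02:00","recipient":"j.doe@corp.example","sender":"it-support@corp-helpdesk.example"}
{"type":"teams_chat","ts":"2026-01-14T09:05:00","recipient":"a.roe@corp.example","sender":"billing@trusted-vendor.example"}
{"type":"process","ts":"2026-01-14T09:17:00","user":"j.doe@corp.example","image":"AnyDesk.exe","remote_ip":"203.0.113.45"}
{"type":"process","ts":"2026-01-14T09:30:00","user":"helpdesk@corp.example","image":"AnyDesk.exe","remote_ip":"10.20.30.40"}
{"type":"process","ts":"2026-01-14T11:00:00","user":"a.roe@corp.example","image":"notepad.exe","remote_ip":"10.1.1.1"}
"""


def run_sample() -> list[dict]:
    """Run the correlation over the constructed feed and return the alerts."""
    return correlate(*parse_jsonl(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(json.dumps(alert))
```

On the constructed feed this yields one alert: the user who launched AnyDesk fifteen minutes after a chat from a look-alike helpdesk tenant. The helpdesk account's own AnyDesk session from an approved range is left alone, as is the vendor chat to a user who never ran a remote tool. The correlation is the point; either signal on its own (an external chat, or a support tool running) is routine in most organisations, and the window and allowlists are where a real deployment would be tuned.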
