Iranian Hacker Group MuddyWater Exploits Microsoft Teams in Sophisticated False Flag Ransomware Campaign

Overview of the MuddyWater Campaign

In early 2026, cybersecurity researchers at Rapid7 identified a sophisticated ransomware attack attributed to the Iranian state-sponsored hacking collective known as MuddyWater. Operating under multiple aliases such as Mango Sandstorm, Seedworm, and Static Kitten, the group has historically focused on espionage and destructive operations. However, this latest incident marks a notable shift: the attackers executed a false flag ransomware attack, deliberately mimicking the tactics of other cybercriminal groups to obscure attribution while stealing credentials via social engineering.

The attack chain uniquely leveraged Microsoft Teams as the initial infection vector, a method not previously associated with MuddyWater. This technique highlights the group's evolving capabilities and willingness to exploit trusted collaboration platforms for credential theft and subsequent ransomware deployment.

The Attack Vector: Social Engineering via Microsoft Teams

MuddyWater operators initiated the attack by sending seemingly legitimate Microsoft Teams meeting invitations to targeted employees. The messages were crafted to appear as internal calendar requests or urgent security updates, often referencing ongoing organizational changes or system upgrades. Once a recipient accepted the invitation, they were directed to a fake authentication page hosted on a compromised external domain.

This page mimicked the genuine Microsoft 365 login interface, complete with pre-filled email addresses and animated loading screens. Victims who entered their credentials were unknowingly surrendering their Azure Active Directory login details to the attackers. The phishing site then redirected victims to a legitimate Teams meeting that had been pre-recorded or was hosted by a compromised account, further reducing suspicion.

Technical Analysis of the Phishing Kit

Rapid7's forensic analysis revealed that the phishing infrastructure was remarkably sophisticated. The fake authentication page dynamically updated to reflect the victim's tenant branding and included real-time validation against Microsoft's API, ensuring only valid organization users could proceed. This made the attack exceptionally difficult to detect by conventional email security filters. The collected credentials were immediately used to authenticate to the victim's Exchange Online and SharePoint, enabling lateral movement within the network.

False Flag Tactics: Framing Ransomware Gangs

What distinguishes this campaign is MuddyWater's deliberate use of false flag techniques. After gaining initial access and establishing persistence, the attackers deployed ransomware that bore the signatures of well-known criminal groups such as LockBit and BlackCat. The ransom notes used language and formatting typical of these groups, including links to their alleged leak sites.

However, several anomalies tipped off investigators. The encryption algorithm used was custom, not matching the known variants. The ransomware binary also contained code artifacts that matched previous MuddyWater espionage tools, such as PowerShell backdoors and credential dumpers. This suggests the operation was designed to implicate rival criminal groups while MuddyWater reaped the benefits: intelligence gathered from compromised systems and potentially financial ransom payments.

Implications for Cybersecurity Teams

This incident underscores the growing sophistication of state-linked threat actors and their willingness to adopt false flag operations. The use of Microsoft Teams as a vector highlights the need for organizations to extend security awareness training beyond email to include collaboration platforms. Key defensive measures include:

• Multi-factor authentication (MFA) for all Teams and Office 365 accounts, especially those with administrative privileges.
• Enforcing conditional access policies that flag suspicious authentication attempts from unfamiliar IPs or devices.
• Regular review of external sharing permissions and third-party app integrations within Teams.
• Implementing advanced phishing detection that scans Teams invitations for known malicious domains or unusual redirect patterns.

Additional Indicators of Compromise

Security teams should monitor for the following signs of MuddyWater activity:

1. Unexpected Teams meeting invitations from external accounts or recently compromised internal users.
2. Failed login attempts followed by successful authentications from geographically distant IPs.
3. Presence of suspicious PowerShell scripts scheduled as tasks, often using obfuscated command lines.
4. Unusual network traffic to cloud storage services (e.g., pCloud, Mega) used for exfiltration.

Conclusion and Long-Term Outlook

The MuddyWater false flag ransomware operation represents a dangerous evolution in state-sponsored cyber operations. By blending espionage with criminal moneymaking and misattribution, the group creates confusion that hampers threat intelligence and law enforcement responses. Organizations must update incident response plans to consider the possibility of false flags and invest in platform-specific security for collaboration tools like Microsoft Teams and Slack.

Rapid7 has published full technical indicators and suggested YARA rules for detection. As this campaign demonstrates, no communication channel is safe from exploitation—vigilance across all digital touchpoints is essential.

For more context on MuddyWater's history, see our previous article on Iranian State-Sponsored Groups.