HackMyIP
2026-05-06 The Hacker News

MuddyWater APT Uses Microsoft Teams in Credential Theft Attack

APT · Phishing · Ransomware

The Iranian state-sponsored threat actor MuddyWater, also tracked as Mango Sandstorm, Seedworm, and Static Kitten, has been linked to a sophisticated cyberattack that leveraged Microsoft Teams to conduct credential harvesting operations. The campaign, which initially presented itself as a ransomware incident, has been identified as a false flag operation designed to obscure the true intent of the intrusion and to encourage misattribution. Security researchers have attributed this activity to Iran's Ministry of Intelligence and Security (MOIS), continuing the group's pattern of using deception techniques to complicate investigation efforts.

The attack vector involved the abuse of Microsoft Teams' external tenant access functionality, which allowed the threat actors to create fake external user accounts and initiate conversations with targeted employees within victim organizations. Through social engineering techniques, the attackers convinced victims to approve external tenant access, subsequently deploying malicious applications disguised as legitimate productivity tools. Once installed, these applications harvested authentication tokens and session credentials, providing the operators with persistent access to corporate email accounts, SharePoint repositories, and other Microsoft 365 services.

Technical analysis revealed that the purported ransomware payload was actually a wiper component designed to encrypt data selectively while leaving enough systems functional to avoid immediate detection. This methodology aligns with MuddyWater's historical preference for espionage-oriented operations rather than financial extortion. The group utilized custom malware referred to as 'SimpleHarm' and 'BOMB', which exhibited capabilities for lateral movement, data exfiltration, and maintaining persistence within compromised environments through scheduled tasks and registry modifications.

Organizations are advised to implement conditional access policies for external Microsoft Teams communications, disable the ability for external tenants to initiate contact, and enforce multi-factor authentication across all identity vectors. Security teams should monitor for anomalous Teams activity patterns, particularly unauthorized application installations and unusual data access behaviors that may indicate credential-based compromise. This campaign underscores the evolving tactics of nation-state actors who increasingly leverage legitimate cloud services as initial access vectors while maintaining plausible deniability through false flag operations.
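The monitoring advice above (watch for anomalous Teams activity, especially unauthorized application installations following contact from an external tenant) can be turned into a concrete detection rule. The example below is added here and is not part of the original article or any vendor tooling: it runs over constructed, newline-delimited JSON records written in the general shape of Microsoft 365 unified audit log entries (CreationTime, Operation, UserId, Workload) and flags a user who installs a Teams app or grants OAuth consent within a few hours of a chat that involved a foreign tenant. The field names, operation strings, users, app names and time window are assumptions chosen for the illustration, not values from the article.

```python
import json
from datetime import datetime, timedelta

# Constructed sample records (not real telemetry). The schema mimics the
# unified audit log loosely; field names and values are assumptions.
SAMPLE_LOG = "\n".join(json.dumps(r) for r in [
    {"CreationTime": "2026-05-01T09:02:00", "Workload": "MicrosoftTeams",
     "Operation": "ChatCreated", "UserId": "alice@victim.example",
     "ParticipantInfo": {"HasForeignTenantUsers": True}},
    {"CreationTime": "2026-05-01T09:40:00", "Workload": "MicrosoftTeams",
     "Operation": "AppInstalled", "UserId": "alice@victim.example",
     "AddOnName": "Productivity Helper"},
    {"CreationTime": "2026-05-01T10:15:00", "Workload": "AzureActiveDirectory",
     "Operation": "Consent to application.", "UserId": "alice@victim.example"},
    {"CreationTime": "2026-05-01T11:00:00", "Workload": "MicrosoftTeams",
     "Operation": "ChatCreated", "UserId": "bob@victim.example",
     "ParticipantInfo": {"HasForeignTenantUsers": False}},
    {"CreationTime": "2026-05-01T11:30:00", "Workload": "MicrosoftTeams",
     "Operation": "AppInstalled", "UserId": "bob@victim.example",
     "AddOnName": "Approved Corp App"},
    {"CreationTime": "2026-05-02T15:00:00", "Workload": "MicrosoftTeams",
     "Operation": "ChatCreated", "UserId": "carol@victim.example",
     "ParticipantInfo": {"HasForeignTenantUsers": True}},
    {"CreationTime": "2026-05-03T15:00:00", "Workload": "MicrosoftTeams",
     "Operation": "AppInstalled", "UserId": "carol@victim.example",
     "AddOnName": "Some App"},
])

# Follow-on actions worth correlating with a fresh external contact.
FOLLOW_ON_OPS = {"AppInstalled", "Consent to application."}


def parse_records(text):
    """Parse newline-delimited JSON records, skipping malformed lines,
    and return them sorted by creation time."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
            rec["_time"] = datetime.fromisoformat(rec["CreationTime"])
        except (ValueError, KeyError, TypeError):
            continue  # malformed record; a real pipeline would count these
        records.append(rec)
    records.sort(key=lambda r: r["_time"])
    return records


def is_external_contact(rec):
    """True for a Teams chat/message record that involved a foreign tenant."""
    return (rec.get("Workload") == "MicrosoftTeams"
            and rec.get("Operation") in {"ChatCreated", "MessageSent"}
            and rec.get("ParticipantInfo", {}).get("HasForeignTenantUsers") is True)


def find_external_then_install(text, window=timedelta(hours=4)):
    """Return one alert dict per app install or consent grant that occurs
    within `window` of the same user's most recent external-tenant contact."""
    last_external = {}   # user -> time of most recent external contact
    alerts = []
    for rec in parse_records(text):
        user = rec.get("UserId")
        if is_external_contact(rec):
            last_external[user] = rec["_time"]
        elif rec.get("Operation") in FOLLOW_ON_OPS and user in last_external:
            gap = rec["_time"] - last_external[user]
            if gap <= window:
                alerts.append({
                    "user": user,
                    "operation": rec["Operation"],
                    "app": rec.get("AddOnName", "n/a"),
                    "minutes_after_external_contact": int(gap.total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_external_then_install(SAMPLE_LOG):
        print(alert)
```

On the constructed sample this flags only alice (an app install 38 minutes and a consent grant 73 minutes after a foreign-tenant chat); bob installed an app with no external contact, and carol's install came a day later, outside the default window. The window and the operation set are the knobs to tune against a tenant's real baseline, and a production version should also consider who installed the app (admin versus end user) and whether the app is on an allow list.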

Source: The Hacker News
