EXECUTIVE SUMMARY
Iranian state-sponsored threat actors linked to MuddyWater (also known as Seedworm) have been observed abusing Microsoft Teams as a phishing vector to steal enterprise credentials and manipulate MultiFactor Authentication (MFA). The activity was identified during a sophisticated intrusion campaign where the attackers concealed espionage operations behind the branding of the Chaos ransomware group to mimic financially motivated ransomware attacks and evade attribution.
Researchers identified the operation as a calculated false-flag campaign designed to disguise intelligencegathering objectives as conventional ransomware activity. Threat actors impersonated IT support personnel and trusted contacts through external Microsoft Teams communications, delivering phishing links and conducting social engineering attacks aimed at harvesting credentials and hijacking authenticated sessions.
- Active Region: Global
- Affected Sector: Enterprises, Financial Services, Healthcare, MSPs, Government, Education
- Affected Product: Microsoft 365, Microsoft Teams, Entra ID (Azure AD)
- Published Date: May 07, 2026
TECHNICAL DETAILS
This attack campaign abuses trusted collaboration workflows within Microsoft Teams and the authentication mechanisms of Microsoft 365 to conduct credential phishing and MFA bypass attacks. Threat actors leverage external Teams access, social engineering, and adversary-in-the-middle (AiTM) phishing frameworks to capture user credentials, authenticated session cookies, and MFA tokens, enabling unauthorized access to enterprise accounts without directly compromising the MFA mechanism itself.
- Target: Microsoft Teams external chat functionality, Microsoft 365 authentication workflows, Entra ID sign-in sessions, and user MFA approval processes.
- Root Cause: Abuse of trusted Microsoft Teams communication channels combined with user impersonation and AiTM phishing infrastructure enables attackers to harvest credentials and intercept authenticated session tokens. Weak controls around external collaboration……



