microsoft-teams - TrustStrike Labs

threat

2026-05-06

Iranian hackers used Microsoft Teams chat to social-engineer victims, then dressed up their espionage as a Chaos ransomware attack to throw off blame

Rapid7 disclosed an Iranian state-sponsored intrusion that disguised itself as a Chaos ransomware attack to mask the real goal: cyber-espionage. The threat actor (assessed with moderate confidence as MuddyWater, linked to Iran's Ministry of Intelligence and Security) initiated chat requests through Microsoft Teams, walked employees into screen-sharing sessions, then captured credentials and manipulated MFA prompts. Some victims were asked to type their passwords into local text files during the call. Persistence came from a custom backdoor (Game.exe) deployed alongside DWAgent, AnyDesk, and RDP. The fake ransomware note and Chaos leak-portal entry concealed the espionage.

muddywater mango-sandstorm seedworm static-kitten iran-mois chaos-ransomware false-flag microsoft-teams screen-sharing mfa-bypass rapid7 game-exe stagecomp darkcomp apt

Check: Search Microsoft Teams logs for external chat invitations from unknown Entra tenants since January. Hunt endpoints for DWAgent, AnyDesk, ms_upd.exe, or Game.exe processes installed without IT approval.
Affected: Organizations allowing external Microsoft Teams chats by default - the campaign starts with chat invitations from attacker-controlled tenants. Acute risk for sectors MuddyWater historically targets: government, defense, telecoms, energy, and Israeli organizations. The 'IT Support' impersonation pattern works against any helpdesk-heavy enterprise. Iranian APT activity has been increasing through early 2026.
Fix: Restrict external Microsoft Teams chat to allowlisted partner tenants only. Block external screen-sharing requests by default. Brief staff that real IT support never asks them to type passwords into local files or read out MFA codes during a Teams call. Block Rapid7's published Stagecomp/Darkcomp code-signing certificate at the EDR layer.

threat

2026-04-22

Mandiant outs UNC6692 running IT-helpdesk impersonation over Microsoft Teams to deploy custom SNOW malware suite

Google's Mandiant team published a report on April 22 naming UNC6692, a previously untracked threat cluster running a high-conversion social engineering playbook against senior enterprise staff - 77% of observed targets were senior employees between March 1 and April 1, 2026. The attack opens with an email bombing burst, flooding the victim's inbox with spam to create urgency. The operator then sends a Microsoft Teams chat invite from an external account, posing as internal IT help, and offers to fix the spam problem via a link to a convincing phishing page called 'Mailbox Repair and Sync Utility v2.1.5'. The page forces Microsoft Edge via the microsoft-edge: URI scheme, harvests credentials through a fake 'Health Check' button, and downloads an AutoHotkey script from attacker-controlled AWS S3 that installs the SNOW malware family: SNOWBELT (a malicious Edge/Chromium extension disguised as 'MS Heartbeat' that holds persistence through Scheduled Tasks and a Startup-folder shortcut), SNOWGLAZE (a Python WebSocket tunneler wrapping traffic in Base64-encoded JSON), and SNOWBASIN (a Python bindshell for interactive remote control). Post-exploitation includes LSASS dumps, Pass-the-Hash lateral movement, PsExec and RDP over the SNOWGLAZE tunnel, and exfil via LimeWire.

unc6692 snow snowbelt snowglaze snowbasin microsoft-teams email-bombing helpdesk-impersonation mandiant social-engineering

Check: Block external Microsoft Teams chat invites to staff who do not need external collaboration (this should be the default for most organizations) and brief senior staff this week that an IT-helpdesk message over Teams asking them to install a fix is almost certainly hostile.
Affected: Any organization using Microsoft Teams with federated/external chat enabled by default, especially those without a standing 'IT never messages you on Teams without a pre-existing ticket' policy. Senior employees are disproportionately targeted. Windows endpoints are the payload platform, but the human layer is the actual vulnerability.
Fix: In Teams Admin Center, restrict external access so that external users cannot initiate chats with internal staff - require an internal user to invite them first. Alert on AutoHotkey binary execution from any path, on unexpected Chromium/Edge extensions appearing under Scheduled Tasks or Startup folders (especially ones named 'Heartbeat'), and on new outbound WebSocket traffic to AWS S3, CloudFront, or Heroku-hosted endpoints from user endpoints. Run a targeted awareness push to senior staff: show them the 'Mailbox Repair Utility' lure screenshots, emphasize that IT will never ask them to run a 'local patch' over Teams, and give them a one-click way to report a suspicious Teams DM.

threat

2026-04-21

Microsoft warns of external Teams chats abused for helpdesk impersonation - 9-stage attack chain uses Quick Assist and Rclone for data theft

Microsoft Threat Intelligence is warning of a surge in attacks where threat actors pose as IT or helpdesk staff in external Microsoft Teams cross-tenant chats to trick employees into granting remote access - then use legitimate tools to steal data while blending into normal IT activity. The attack chain has nine stages. First, the attacker opens an external Teams chat claiming to be internal IT addressing an account issue. They talk the target into starting a Quick Assist remote support session, giving the attacker direct control of the machine. From there they do quick recon via Command Prompt and PowerShell, drop a small payload in user-writable locations like ProgramData, and execute it through DLL side-loading using a trusted signed application (Autodesk, Adobe Reader, Windows Error Reporting, or even data loss prevention software - any binary with a valid Microsoft-trusted signature). HTTPS C2 blends into normal outbound traffic. They establish persistence via Windows Registry, then use Windows Remote Management (WinRM) to move laterally to domain controllers and high-value assets. Final stage: Rclone exfiltrates filtered data to external cloud storage. Microsoft's detection guidance is blunt - this blends into legitimate admin activity and is hard to distinguish from routine IT support.

microsoft-teams social-engineering helpdesk-impersonation quick-assist rclone winrm dll-sideloading living-off-the-land

Check: Audit your Teams tenant configuration today. Do external users from unknown tenants have the ability to start chats with your employees? If yes, this attack vector is open.
Affected: Any organization using Microsoft Teams with external collaboration enabled, particularly with 'Anyone' or broad external access allowed. Non-technical staff who may not recognize the pattern of an external Teams contact impersonating IT. Environments where Quick Assist is not restricted and WinRM is widely enabled.
Fix: In Teams Admin Center, set External Access to allow only specific trusted domains (not 'Anyone'). Train staff to treat any external Teams contact claiming to be IT as hostile by default - legitimate internal IT does not chat from an external tenant. Restrict or audit Quick Assist: if you don't use it, disable it via GPO or Intune. Limit WinRM to specific admin jump boxes rather than allowing it across the domain. Monitor for Rclone execution (filename and parent process) - there's essentially no legitimate business reason for Rclone to run on endpoint machines. Flag any outbound HTTPS traffic from endpoints to consumer cloud storage domains (Mega, Dropbox, Google Drive) that doesn't match expected user behavior.