May 7, 2026
AI Cybersecurity
There you have it. Iranian state-sponsored hackers just got caught using Microsoft Teams — not zero-days, not malware, not some exotic exploit chain — to steal credentials and exfiltrate data from Israeli and Western organizations.
The group is called MuddyWater. The US government attributes it to Iran's Ministry of Intelligence and Security (MOIS). Rapid7 caught them red-handed.
Here is how it works. They send Teams chat requests impersonating IT support. They convince employees to share their screens. They watch them type credentials into text files. Then they install remote access tools like AnyDesk and DWAgent, move laterally across the network, and quietly exfiltrate everything.
The ransomware? A false flag. They deployed a Chaos ransomware brand as cover — making it look like a criminal extortion operation while the real mission was state-sponsored espionage. They have done this before. In 2023, they used the DarkBit persona. In October 2025, they hit an Israeli government hospital with Qilin ransomware as a smokescreen.
Read that again. A nation-state intelligence operation is hiding behind criminal ransomware brands. No custom malware. No zero-days. Just your collaboration stack.
Every enterprise in the Western world treats Microsoft Teams like a trusted internal tool. It is not. It is an attack surface. By default, a user in any other Microsoft 365 tenant can send your employees a chat request, and a small "External" label is the only warning they get. An Iranian state actor used exactly that to watch your employee type their password into a text file on a shared screen.
Your MFA does not help when the attacker is on the screen telling your employee to approve the push notification. Phishing-resistant MFA such as FIDO2 security keys or passkeys is the one exception: there is no code to read aloud and no push to approve. Your EDR does not help when the tools being deployed are legitimate remote management software; it needs an allow-list of the agents your own IT actually uses, so that AnyDesk appearing in a user's Downloads folder is an alert, not noise. Your security awareness training did not prepare anyone for a state-sponsored actor live-coaching credential theft through a screen share.
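The chain in the "here is how it works" paragraph above is detectable even though every single step uses legitimate software: the signal is an unfamiliar external tenant in Teams followed, on the same user, by a remote-management agent starting. The correlation below is an added example written for this post; it is not code from Rapid7, Microsoft, or the author. The event records are constructed and deliberately simplified (they are not real Microsoft 365 audit or Defender schemas), and the federated-domain list, the approved-agent list, and the executable names such as `anydesk.exe` and `dwagent.exe` are assumptions for the example.

```python
"""
Correlate an external Teams contact with a later remote-management tool launch.

Added example, not code from the post or from Rapid7. The event records below
are constructed and deliberately simplified; they are not Microsoft 365 audit
or Defender schemas. The allow-lists and executable names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Tenants this organisation deliberately federates with (assumed).
FEDERATED_DOMAINS = {"partner.example"}
# Remote-management agents the help desk is actually allowed to run (assumed).
APPROVED_RMM = {"teamviewer.exe"}
# Agents worth correlating. AnyDesk and DWAgent are the tools named in the
# post; the executable names here are assumptions for the example.
RMM_BINARIES = {"anydesk.exe", "dwagent.exe", "teamviewer.exe", "screenconnect.client.exe"}
CONTACT_TYPES = {"teams_chat_accepted", "teams_screen_share"}
LOOKBACK = timedelta(hours=2)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def correlate(events):
    """Return one alert per RMM launch, graded by the Teams activity before it.

    critical: unapproved agent launched after an external screen share
    high:     any agent launched after an external chat or screen share
    medium:   unapproved agent launched with no external contact in the window
    An approved agent with no external contact is skipped as normal IT work.
    """
    by_user = defaultdict(list)
    for event in sorted(events, key=_ts):
        by_user[event["user"]].append(event)

    alerts = []
    for user, history in by_user.items():
        for event in history:
            if event["type"] != "process_start":
                continue
            image = PureWindowsPath(event["image"]).name.lower()
            if image not in RMM_BINARIES:
                continue
            started = _ts(event)
            # External contacts in the lookback window, ignoring federated partners.
            contacts = [
                c for c in history
                if c["type"] in CONTACT_TYPES
                and started - LOOKBACK <= _ts(c) < started
                and c["peer_domain"] not in FEDERATED_DOMAINS
            ]
            shared = any(c["type"] == "teams_screen_share" for c in contacts)
            approved = image in APPROVED_RMM
            if approved and not contacts:
                continue
            if shared and not approved:
                severity = "critical"
            elif contacts:
                severity = "high"
            else:
                severity = "medium"
            alerts.append({
                "severity": severity,
                "user": user,
                "host": event["host"],
                "image": image,
                "external_domains": sorted({c["peer_domain"] for c in contacts}),
            })
    return alerts


# Constructed sample telemetry: one social-engineered user, one legitimate
# help-desk session, and one unapproved agent with only a federated partner chat.
SAMPLE_EVENTS = [
    {"ts": "2026-05-05T09:02:00", "type": "teams_chat_accepted", "user": "alice",
     "host": "WS-0421", "peer_domain": "it-helpdesk-support.example"},
    {"ts": "2026-05-05T09:10:00", "type": "teams_screen_share", "user": "alice",
     "host": "WS-0421", "peer_domain": "it-helpdesk-support.example"},
    {"ts": "2026-05-05T09:25:00", "type": "process_start", "user": "alice",
     "host": "WS-0421", "image": r"C:\Users\alice\Downloads\AnyDesk.exe"},
    {"ts": "2026-05-05T10:00:00", "type": "process_start", "user": "bob",
     "host": "WS-0110", "image": r"C:\Program Files\TeamViewer\TeamViewer.exe"},
    {"ts": "2026-05-05T11:00:00", "type": "teams_chat_accepted", "user": "carol",
     "host": "WS-0733", "peer_domain": "partner.example"},
    {"ts": "2026-05-05T11:20:00", "type": "process_start", "user": "carol",
     "host": "WS-0733", "image": r"C:\Users\carol\AppData\Local\Temp\dwagent.exe"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

On the sample data, alice's AnyDesk launch after a screen share with an unfederated "helpdesk" tenant comes out critical, bob's TeamViewer session with no external contact is skipped as ordinary IT work, and carol's DWAgent launch is only medium because her one chat was with a federated partner. The point of the three tiers is the one the paragraph above makes: none of these process starts is malicious on its own, so the tool allow-list and the Teams context are what turn legitimate software into a signal.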
Zero trust is not a buzzword anymore. It is the only architecture that survives this. If your collaboration tools implicitly trust external chat requests, you have already lost. Check your tenant's external access policy today: if it allows all external domains, anyone with a throwaway Microsoft 365 tenant can message your staff as "IT Support". Restrict it to the specific partner domains you actually work with, and make the help desk a name and a ticket number your people can verify out of band before anyone shares a screen.
I have been warning about this for years. The perimeter is gone. The attack surface is whatever your employees use to communicate. And right now, that is Microsoft Teams.
Time to wake up.