## Iranian Cyber Unit MuddyWater Disguises Espionage Campaign as Ransomware Attack via Microsoft Teams
Security researchers at Rapid7 have identified what they believe to be an Iranian state-sponsored cyber unit reusing ransomware branding to conceal espionage operations targeting Western organizations. The campaign, observed earlier this year, involved actors operating under medium confidence attribution to MuddyWater, an Iranian threat group previously linked to intrusions affecting government and banking networks. The researchers noted that the operatives deliberately mimicked the Chaos ransomware gang's tactics, a technique known in the industry as 'false flag' operations designed to misdirect investigators and obscure the true origin of an attack.

The intrusion chain began with a Microsoft Teams phishing campaign, a relatively common initial access method. Attackers encouraged targeted employees to share their screens during conversations, a social engineering tactic that provided visibility into corporate environments. The operation escalated when threat actors convinced victims to enter their credentials into local text files and modify multi-factor authentication settings to permit authentication from attacker-controlled devices. According to Rapid7 researchers Alexandra Blia and Ivan Feigl, these steps enabled sustained access while appearing routine to security monitoring systems.

The campaign raises concerns about the effectiveness of Teams as an attack vector for state-sponsored groups seeking persistent access to sensitive networks. Organizations in government and financial sectors face elevated risk when threat actors combine convincing social engineering with legitimate platform features. Rapid7's attribution carries caveats due to the deliberate obfuscation employed, but the operational patterns align with MuddyWater's documented tradecraft. Security teams should scrutinize unexpected MFA modification requests and consider behavioral analytics to detect credential harvesting disguised as routine IT support.
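One way to operationalize that last recommendation, as an added illustration that is not part of the original report: correlate MFA method registrations with a recent external Teams contact for the same user, since the intrusion described above depended on victims changing their MFA settings shortly after a Teams conversation. The event records and field names below are constructed for the example and do not reflect any vendor's log schema.

```python
"""Flag MFA security-info changes that closely follow an external Teams contact.

Constructed sample events with assumed field names; adapt the `kind` values to
whatever your audit log actually emits for external chats and MFA registrations.
"""
from datetime import datetime, timedelta

# Constructed sample events (field names are assumed, not a vendor schema).
EVENTS = [
    {"ts": "2026-04-02T09:10:00", "user": "jdoe", "kind": "teams_external_chat",
     "detail": "sender=helpdesk-support.example"},
    {"ts": "2026-04-02T09:25:00", "user": "jdoe", "kind": "mfa_method_registered",
     "detail": "method=authenticator;device=new"},
    {"ts": "2026-04-02T11:00:00", "user": "asmith", "kind": "mfa_method_registered",
     "detail": "method=authenticator;device=new"},
    {"ts": "2026-04-03T08:00:00", "user": "bwong", "kind": "teams_external_chat",
     "detail": "sender=partner.example"},
    {"ts": "2026-04-03T15:00:00", "user": "bwong", "kind": "mfa_method_registered",
     "detail": "method=phone"},
]


def parse_ts(s):
    return datetime.fromisoformat(s)


def find_suspicious_mfa_changes(events, window_hours=2.0):
    """Return (user, mfa_ts) pairs where an MFA registration happened within
    `window_hours` after the same user received an external Teams chat."""
    window = timedelta(hours=window_hours)
    external_contacts = {}  # user -> timestamps of external Teams contacts
    for e in events:
        if e["kind"] == "teams_external_chat":
            external_contacts.setdefault(e["user"], []).append(parse_ts(e["ts"]))
    hits = []
    for e in events:
        if e["kind"] != "mfa_method_registered":
            continue
        t = parse_ts(e["ts"])
        # Any external contact in the look-back window makes the change reviewable.
        if any(timedelta(0) <= t - c <= window for c in external_contacts.get(e["user"], [])):
            hits.append((e["user"], e["ts"]))
    return hits


if __name__ == "__main__":
    for user, ts in find_suspicious_mfa_changes(EVENTS):
        print(f"review MFA change for {user} at {ts}")
```

With the default two-hour window only jdoe's change is flagged; widening the window to eight hours also surfaces bwong's, which shows why the window should be tuned against the organization's normal MFA-enrollment patterns.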
---
- **Source**: The Register
- **Sector**: The Lab
- **Tags**: iran, cyber espionage, ransomware, microsoft teams, phishing
- **Credibility**: unverified
- **Published**: 2026-05-06 17:01:38
- **ID**: 79840
- **URL**: https://whisperx.ai/en/intel/79840