Published on May 7, 2026

Hackers Exploit Microsoft Teams to Steal Credentials and Bypass MFA
Severity

High

Detail

Iranian state-sponsored threat actors linked to MuddyWater (also known as Seedworm) have been observed exploiting Microsoft Teams to conduct targeted credential theft and MFA bypass attacks while disguising their activity as a Chaos ransomware operation. Researchers discovered that the attackers used the Chaos ransomware brand as a false flag to hide espionage-focused objectives behind the appearance of a financially motivated ransomware attack. MuddyWater is a known advanced persistent threat (APT) group associated with Iran’s Ministry of Intelligence and Security (MOIS).

The campaign primarily targeted organizations through social engineering conducted over Microsoft Teams. Attackers impersonated IT support personnel and manipulated victims into sharing credentials and granting unauthorized MFA access. Once access was obtained, the threat actors established persistent remote access, moved laterally within the network, and deployed remote management tools including DWAgent and AnyDesk. The attackers also deployed a custom Remote Access Trojan (RAT) named Game.exe, capable of executing commands, uploading files, managing PowerShell and command shell sessions, and maintaining long-term access to compromised systems.

Unlike traditional ransomware attacks, the operation did not focus on encryption or financial extortion. Instead, the ransomware branding was used to distract defenders while attackers conducted espionage and maintained stealthy persistence inside targeted environments. Successful compromise may result in credential theft, unauthorized remote access, MFA bypass, lateral movement, domain controller compromise, and long-term persistence within enterprise networks.

How?

The attack begins with threat actors sending external Microsoft Teams chat requests to employees while impersonating IT support personnel. Once communication is established, the attackers initiate screen-sharing sessions to gain visibility into victim systems. Victims are then instructed to enter their credentials into local text files such as credentials[.]txt and cred[.]txt.

The attackers also persuade users to add attacker-controlled devices to their MFA configurations, effectively bypassing multi-factor authentication protections and establishing persistent authenticated access. In some cases, victims are redirected to a phishing page impersonating Microsoft Quick Assist at hxxps[://]adm-pulse[.]com/verify.php.

After obtaining valid credentials and MFA access, the threat actors authenticate to internal systems, including domain controllers, and establish persistence through Remote Desktop Protocol (RDP) sessions. They then deploy legitimate remote management tools such as DWAgent and AnyDesk to maintain remote access and move laterally within the network.

The attackers also deploy a multi-stage malware chain. A downloader named ms_upd[.]exe retrieves additional malicious components including WebView2Loader[.]dll, visualwincomp[.]txt, and Game[.]exe, a custom Remote Access Trojan (RAT). The RAT communicates with attacker-controlled command-and-control (C2) infrastructure over port 443 and supports command execution, file management, PowerShell interaction, and anti-analysis techniques such as sandbox and virtual machine detection.

Conclusion

This campaign demonstrates how state-sponsored threat actors are increasingly combining social engineering, legitimate collaboration platforms, and ransomware branding to conduct stealthy espionage operations. By abusing Microsoft Teams and manipulating MFA enrollment processes, attackers were able to bypass security controls and gain persistent access without relying on traditional malware delivery methods alone.

The use of legitimate remote administration tools, phishing infrastructure, and custom RAT malware highlights the growing sophistication of modern APT campaigns. Organizations should closely monitor external Microsoft Teams interactions, MFA changes, suspicious RDP activity, and unauthorized remote management tool deployments to reduce the risk of compromise and long-term persistence.
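The monitoring recommendation above can be turned into a simple correlation rule. The following is an added example written for this advisory, not code from the original article or from the researchers it cites; it assumes a constructed, simplified event schema (a timestamp, user, event kind and one detail field) rather than any real SIEM or Entra ID log format, and it flags a user whose MFA method registration follows an external Teams chat within a short window, raising the severity when one of the binaries named in the advisory (DWAgent, AnyDesk, ms_upd.exe, Game.exe) starts afterwards.

```python
from datetime import datetime, timedelta

# Constructed sample events (not a real SIEM schema): UTC timestamp, user,
# event kind, and one detail field (remote tenant, MFA method, or image path).
SAMPLE_EVENTS = [
    ("2026-05-01T09:00:00", "alice", "teams_external_chat", "itsupport-helpdesk.example"),
    ("2026-05-01T09:12:00", "alice", "mfa_method_added", "Authenticator app (new device)"),
    ("2026-05-01T09:40:00", "alice", "process_start", "C:\\Users\\alice\\AppData\\Local\\Temp\\ms_upd.exe"),
    ("2026-05-01T10:05:00", "alice", "process_start", "C:\\Program Files\\AnyDesk\\AnyDesk.exe"),
    ("2026-05-01T11:00:00", "bob", "mfa_method_added", "Phone (routine re-enrollment)"),
    ("2026-05-02T14:00:00", "carol", "teams_external_chat", "partner-corp.example"),
]

# Tools and binaries named in the advisory; matched case-insensitively on the
# file name only, so the directory they were dropped into does not matter.
SUSPECT_BINARIES = {"dwagent.exe", "anydesk.exe", "ms_upd.exe", "game.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def correlate(events, window_hours=2.0):
    """Return one finding per MFA registration that follows an external Teams
    chat for the same user within `window_hours`; any suspect binary started
    after the MFA change is listed and raises the severity to high."""
    window = timedelta(hours=window_hours)
    by_user = {}
    for ts, user, kind, detail in sorted(events):
        by_user.setdefault(user, []).append((datetime.fromisoformat(ts), kind, detail))
    findings = []
    for user, evs in by_user.items():
        chats = [t for t, k, _ in evs if k == "teams_external_chat"]
        for t_mfa, kind, detail in evs:
            if kind != "mfa_method_added":
                continue
            if not any(timedelta(0) <= (t_mfa - t_chat) <= window for t_chat in chats):
                continue  # MFA change with no preceding external chat: not this pattern
            binaries = sorted({_basename(d) for t, k, d in evs
                               if k == "process_start" and t >= t_mfa
                               and _basename(d) in SUSPECT_BINARIES})
            findings.append({"user": user, "mfa_change": detail,
                             "severity": "high" if binaries else "medium",
                             "followup_binaries": binaries})
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_EVENTS):
        print(finding)
```

Bob's routine re-enrollment and Carol's chat without an MFA change produce no finding, which keeps the rule from paging on ordinary helpdesk traffic.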

Source

https://cyberpress.org/hackers-exploit-microsoft-teams-to-steal-credentials-and-bypass-mfa/