TTPwire Vol. 1 · MITRE ATT&CK·Tagged

GBHackers

Cybercriminals Exploit Microsoft Teams to Phish Login Credentials and Bypass MFA

Divya · 4 hours ago

ATT&CK techniques detected

14 predictions
Technique (confidence), supporting excerpt:

T1486 Data Encrypted for Impact (85%), excerpt A
T1566.004 Spearphishing Voice (84%), excerpt B
T1078 Valid Accounts (72%), excerpt B
T1486 Data Encrypted for Impact (72%), excerpt C
T1059.001 PowerShell (70%), excerpt D
T1657 Financial Theft (46%), excerpt E
T1105 Ingress Tool Transfer (45%), excerpt D
T1218.011 Rundll32 (44%), excerpt D
T1080 Taint Shared Content (43%), excerpt A
T1598.004 Spearphishing Voice (38%), excerpt B
T1021.001 Remote Desktop Protocol (37%), excerpt A
T1071.001 Web Protocols (35%), excerpt D
T1566 Phishing (32%), excerpt E
T1021.006 Windows Remote Management (32%), excerpt B

Excerpts from the article that the tagger matched on:

Excerpt A: "…ted Microsoft Teams messages from external accounts with extreme caution, particularly those requesting screen sharing or credential input. Defenders should monitor for unexpected deployment of DWAgent, AnyDesk, or similar remote management tools, and watch for unusual RDP acti…"

Excerpt B: "…Security (MOIS). Cybercriminals Exploit Microsoft Teams: The attack began with targeted social engineering via Microsoft Teams, where the threat actor sent external chat requests to employees. During these interactions, attackers initiated screen-sharing sessions to gain direc…"

Excerpt C: "…'s toolkit, previously tied to "Operation Olalampo", a campaign targeting organizations in the U.S. and MENA regions. The C2 domain moonzonet[.]com, used by ms_upd.exe, was separately linked to MuddyWater activity in early 2026. Additional attribution indicators include…"

Excerpt D: "….exe RAT. The attackers deployed a multi-stage malware chain. A downloader called ms_upd.exe was fetched via curl from a remote IP and executed on compromised machines. This dropper then retrieved three components: WebView2Loader.dll (a legitimate DLL), game.exe (a cus…"

Excerpt E: "Cybercriminals Exploit Microsoft Teams to Phish Login Credentials and Bypass MFA: Iranian state-sponsored threat actors linked to MuddyWater (Seedworm) have been caught hiding behind the Chaos ransomware brand to conduct sophisticated espionage operations, using Microsoft Team…"

Summary

Iranian state-sponsored threat actors linked to MuddyWater (Seedworm) have been caught hiding behind the Chaos ransomware brand to conduct sophisticated espionage operations, using Microsoft Teams as a phishing vector to steal credentials and manipulate multi-factor authentication (MFA). Rapid7 researchers uncovered the intrusion in early 2026, revealing a calculated false flag operation designed to mimic financially […]