Observed Campaign Pattern
The intrusion Rapid7 attributed to the Iranian state-sponsored group MuddyWater did not begin with a phishing email. It began with an external chat request inside Microsoft Teams. The operators opened an outbound conversation with an employee, built enough rapport to justify a support-style interaction, and moved the target into a screen-sharing session. Microsoft credentials were harvested during that session, and the attackers manipulated the multi-factor authentication prompt while the victim was watching.
What the environment looked like afterward was a ransomware incident, branded with the "Chaos" extortion identity. Rapid7's assessment is that the ransomware was a false flag. The targeting, the patience, and the hands-on tradecraft pointed to a state-backed intrusion using opportunistic crime as a disguise.
For an APT tracker, the useful record is not "MuddyWater used Teams." It is the reusable method: a trusted collaboration channel used for first contact, live credential capture during a shared screen, and a deliberately misleading ending. Each of those three moves survives a change of actor or tooling.
Initial Access Through a Trusted Channel
Email security has improved enough that mature actors look for delivery surfaces that defenders inspect less. Microsoft Teams is one of them. Many tenants still allow external federation by default, which means an account in an unrelated organization can message employees directly. The inbound message arrives inside a tool the user associates with colleagues, not with strangers.
There is no malicious attachment to detonate and no link for a gateway to rewrite. The lure is the conversation itself. The operator presents as IT support, a vendor, or a help desk, and the pretext is a routine problem that needs a quick look. Because the channel feels internal, the user's normal skepticism toward unsolicited email is not engaged.
The red-team lesson is that initial access assessments should test external collaboration channels, not only the mail flow. The blue-team lesson is that external Teams chat deserves the same scrutiny as inbound email: who can start a conversation, what is logged, and what the user is coached to expect.
Walking the Victim Through MFA
The screen-sharing step is what makes this method strong. An emailed adversary-in-the-middle page is passive. It waits for the victim and cannot adapt. An operator on a live Teams call can adapt continuously. They can read instructions aloud, reassure the user, explain away a warning, and time their requests to the prompts on the shared screen.
That interactivity defeats controls built on the assumption that the user is alone and unhurried. When a multi-factor prompt appears, the operator is there to frame it as part of the support process. The user is not deciding whether to approve an unexpected request. They are following along with a helper who sounds legitimate and is, on screen, walking them through a fix.
This is social engineering with a human in the loop at the exact moment a credential or token is exposed. Awareness training that tells users to reject unexpected MFA prompts is weaker here, because the prompt is no longer unexpected. The operator has spent the prior minutes making it expected.
Persistence and Hands-On Movement
Once the operators held valid credentials, the reported activity shifted to hands-on intrusion. They used compromised accounts for reconnaissance, established persistence with legitimate remote-access tools such as DWAgent and AnyDesk, moved laterally, and exfiltrated data.
Choosing legitimate remote-management software is a deliberate evasion. These tools are signed, common in real IT environments, and frequently allowlisted. An endpoint product that would alert on a custom implant may stay quiet for a remote-access agent that also appears in legitimate support workflows. The procedure here is trust borrowing again, applied to tooling rather than to the delivery channel.
The defender record worth keeping is procedural: external-channel first contact, live credential capture, remote-management software for persistence, and account-driven lateral movement. None of that depends on a specific binary, so detection should not depend on a specific binary either.
The False-Flag Problem
The ransomware ending is the part most likely to mislead a response team. An environment branded with a known extortion identity invites a fast, familiar conclusion: opportunistic crime, restore from backup, close the case. That conclusion can be exactly what the operators wanted.
If the real objective was espionage, a response that stops at the ransom note leaves the important questions unanswered. What was accessed before encryption. Which accounts and tokens are still valid. Whether remote-access persistence survived the rebuild. Misattribution is not a cosmetic error here. It changes the scope of the investigation and the controls that get prioritized afterward.
The discipline is to attribute from tradecraft, not from branding. A ransom note is a claim, and a capable actor can make any claim they want. The intrusion method, the dwell time, the selection of victims, and the care taken during hands-on activity are harder to fake and more honest as evidence.
Detection and Response
Detection should start at the channel. Log and review external Teams chat initiations, and restrict external federation to known partner domains where the business allows it. A first contact from an unrecognized external tenant, followed quickly by a screen-share session, is a sequence worth surfacing.
On the endpoint, inventory remote-management software and treat new installations of tools like DWAgent or AnyDesk as events that need an owner and a reason. Correlate remote-access sessions with identity activity: a screen-share session followed by a sign-in from a new location or device is a stronger signal than either event alone.
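The correlation described above, written out as an added example (not Rapid7's detection content or any product's rule); the event schema, field names, partner allowlist and two-hour window are assumptions, and the sample events are constructed:

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs): Teams audit events, identity
# sign-ins and an endpoint software-install record, normalized to one schema.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "kind": "teams_chat_created",
     "user": "alice@corp.example", "peer_domain": "helpdesk-support.example"},
    {"ts": "2024-05-01T09:14:00", "kind": "teams_screen_share", "user": "alice@corp.example"},
    {"ts": "2024-05-01T09:31:00", "kind": "signin", "user": "alice@corp.example",
     "device_known": False, "mfa": "success"},
    {"ts": "2024-05-01T10:02:00", "kind": "software_install",
     "user": "alice@corp.example", "product": "AnyDesk"},
    {"ts": "2024-05-01T11:00:00", "kind": "teams_chat_created",
     "user": "bob@corp.example", "peer_domain": "partner.example"},
    {"ts": "2024-05-01T11:05:00", "kind": "signin", "user": "bob@corp.example",
     "device_known": True, "mfa": "success"},
]
PARTNER_DOMAINS = {"partner.example"}   # federation allowlist (assumed value)
REMOTE_MGMT = {"dwagent", "anydesk"}    # tools named in the report, lowercased

def _t(e):
    return datetime.fromisoformat(e["ts"])

def correlate(events, partner_domains=PARTNER_DOMAINS, window=timedelta(hours=2)):
    """Return (user, reason) alerts: the external-chat -> screen-share ->
    new-device sign-in chain, plus any remote-management install, marked
    by whether a screen share preceded it inside the window."""
    alerts, by_user = [], {}
    for e in sorted(events, key=_t):
        by_user.setdefault(e["user"], []).append(e)
    for user, evs in by_user.items():
        chain = []  # [chat_from_unknown_tenant, screen_share] once both are seen
        for e in evs:
            if chain and _t(e) - _t(chain[0]) > window:
                chain = []  # chain went stale; later events no longer count
            if e["kind"] == "teams_chat_created" and e.get("peer_domain") not in partner_domains:
                chain = [e]  # first contact from an unrecognized tenant starts a chain
            elif chain and e["kind"] == "teams_screen_share":
                chain.append(e)
            elif len(chain) >= 2 and e["kind"] == "signin" and not e.get("device_known", True):
                alerts.append((user, "external-chat -> screen-share -> new-device sign-in"))
            elif e["kind"] == "software_install" and e["product"].lower() in REMOTE_MGMT:
                ctx = "after screen share" if len(chain) >= 2 else "no prior screen share"
                alerts.append((user, f"remote-management install ({e['product']}), {ctx}"))
    return alerts
```

The install alert fires on its own so every new remote-management agent gets an owner, while the full chain only fires when the chat, the screen share and the sign-in line up for one user inside the window.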
Red teams can use this method to design realistic exercises: external-channel first contact, live-assisted authentication, remote-tool persistence, and a misleading finale. The exercise should prove whether the organization can see the method and attribute it correctly, not only whether it can recover encrypted files. Blue teams should rehearse the response question that matters most here: when the ransom note says one thing and the tradecraft says another, which one does the investigation believe?