MuddyWater Uses Microsoft Teams to Steal Credentials and Simulates Ransomware

Published on May 07, 2026 | Translated from Spanish

The Iranian group MuddyWater has been linked to a new attack campaign that uses Microsoft Teams as its initial access vector. The attackers pose as Microsoft technical support to contact their victims and ask for remote access or the installation of software they control. Once inside, they steal credentials and sensitive data, then deploy fake ransomware to divert attention from the theft.

Image: Teams screen with a fake technical-support profile, security alerts, and simulated ransomware.

Spoofing technique and remote access tools 🛠️

The attackers open the conversation on Teams posing as technical-support staff and citing an urgent security problem. Under this pretext they ask the victim to install legitimate remote-administration tools such as ScreenConnect or AnyDesk. Because both are genuine, signed administration products, their installation rarely triggers antivirus alerts; what stands out is who installed them, from where, and at whose request. Once they have remote control, the attackers extract credentials stored on the system and data from corporate applications. Finally, they deploy fake ransomware that encrypts nothing and only simulates an attack, to mask the actual theft of information.
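The signal in that procedure is not the tools but the way they arrive: a standard user launching AnyDesk or the ScreenConnect client from Downloads or Temp, with Teams or a browser as the parent process. The hunt below is an added example written for this article, not MuddyWater tooling and not a vendor detection. It assumes Sysmon Event ID 1 style records flattened to dictionaries (the field names Image, ParentImage, User and Computer are that assumption), takes the two client binary names as the real ScreenConnect and AnyDesk executables, and treats the Program Files roots as the only approved install locations; the sample events are constructed, not real logs.

```python
"""
Hunt process-creation telemetry for remote-access tools started the way
this campaign does it: by the victim, from a user-writable folder, rather
than by IT through a managed install.

Added example for this article; not MuddyWater tooling and not a vendor
detection. Field names (Image, ParentImage, User, Computer) follow Sysmon
Event ID 1 and are an assumption about how the SIEM flattens events.
"""
from dataclasses import dataclass, field

# Client executables of the two tools named in the article. These are the
# real client binary names; matched case-insensitively on file name only.
RMM_BINARIES = {
    "anydesk.exe",
    "screenconnect.clientservice.exe",
    "screenconnect.windowsclient.exe",
}

# Assumed install roots for centrally deployed software. A copy anywhere
# else (Downloads, Temp, AppData) is most likely a user-driven install.
APPROVED_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Parents meaning "the user ran a file that arrived over chat or the web".
# Classic and new Teams use different binary names, so both are listed.
CHAT_AND_BROWSER_PARENTS = {"teams.exe", "ms-teams.exe", "msedge.exe", "chrome.exe"}


@dataclass
class Finding:
    computer: str
    user: str
    image: str
    reasons: list = field(default_factory=list)


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def in_approved_root(path: str) -> bool:
    """True when the binary lives under a managed-install root."""
    return path.lower().startswith(APPROVED_ROOTS)


def hunt(events):
    """Return one Finding per process-creation event that looks like an
    attacker-requested remote-access install. Managed installs (binary under
    an approved root, started by a service parent) produce no finding."""
    findings = []
    for ev in events:
        if basename(ev["Image"]) not in RMM_BINARIES:
            continue  # not a remote-access tool at all
        reasons = []
        if not in_approved_root(ev["Image"]):
            reasons.append("rmm binary outside approved install roots")
        if basename(ev["ParentImage"]) in CHAT_AND_BROWSER_PARENTS:
            reasons.append("launched from a chat or browser client")
        if reasons:
            findings.append(Finding(ev["Computer"], ev["User"], ev["Image"], reasons))
    return findings


# Constructed sample telemetry (not real logs): a managed ScreenConnect
# service start, a Teams-delivered AnyDesk, a browser-dropped ScreenConnect
# client, and an unrelated process.
SAMPLE_EVENTS = [
    {"Computer": "WS-042", "User": "NT AUTHORITY\\SYSTEM",
     "Image": "C:\\Program Files (x86)\\ScreenConnect Client (1a2b)\\ScreenConnect.ClientService.exe",
     "ParentImage": "C:\\Windows\\System32\\services.exe"},
    {"Computer": "WS-017", "User": "CORP\\jdoe",
     "Image": "C:\\Users\\jdoe\\Downloads\\AnyDesk.exe",
     "ParentImage": "C:\\Users\\jdoe\\AppData\\Local\\Microsoft\\Teams\\current\\Teams.exe"},
    {"Computer": "WS-017", "User": "CORP\\jdoe",
     "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\ScreenConnect.WindowsClient.exe",
     "ParentImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe"},
    {"Computer": "WS-017", "User": "CORP\\jdoe",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.computer} {f.user} {f.image}: {'; '.join(f.reasons)}")
```

Run against the sample, the managed ScreenConnect service start is silent and the two user-launched clients on WS-017 are reported with both reasons. In production the approved roots and parent list are the knobs to tune: an organisation that really deploys AnyDesk through its software-distribution system should see it appear only under the approved roots with a service or installer parent, and anything else is worth a call to the user.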

The fake ransomware: a classic move to shift the blame 😅

The best part is that, after stealing your credentials and data, the attackers have the courtesy to leave fake ransomware behind so you think it was a generic attack rather than a targeted intrusion. It's like a burglar breaking into your house, taking your safe, and leaving a note on the way out blaming the neighbor. At least they took the trouble to simulate the encryption, even though your files are intact and your Teams account is already for sale on the dark web.