A state-sponsored hacking group linked to the Iranian government has been tied to a disruptive ransomware attack that security researchers describe as a false flag operation. The group, known as MuddyWater, targeted organizations using social engineering tactics deployed through Microsoft Teams to gain initial access.
Cybersecurity firm Rapid7 reported observing the attack in early 2026. Researchers found that the threat actors, also tracked under the aliases Mango Sandstorm, Seedworm, and Static Kitten, impersonated technical support personnel to trick victims into granting remote access.
The Attack Vector: Social Engineering via Microsoft Teams
The infection sequence began when targeted employees received a call or chat message on Microsoft Teams. The attackers, posing as legitimate IT support staff, claimed the user was experiencing a security issue or needed urgent software updates.
By building a false sense of urgency, the social engineers convinced victims to install a remote monitoring and management (RMM) tool. Once this software was installed, the attackers gained a foothold on the corporate network, allowing them to move laterally and deploy ransomware.
Rapid7 noted that the use of a well-known communication platform like Microsoft Teams lowers the guard of potential victims, as it appears to be a normal internal request for help.
False Flag Attribution
A key detail in the Rapid7 report is the classification of this incident as a false flag operation. Security analysts observed that the attackers deliberately tried to leave forensic evidence pointing toward a different, unnamed hacking group.
This behavior suggests the attackers attempted to mislead investigators by mimicking the tactics, techniques, and procedures (TTPs) of another known ransomware syndicate. Such false flag campaigns are designed to sow confusion, delay response efforts, and potentially spark geopolitical tensions between other state actors.
The targeting of prominent organizations aligns with MuddyWater’s historical focus on espionage and sabotage, though the group has previously been associated with less destructive activities like data theft. The pivot to ransomware represents an escalation in their operational methodology.
Implications for Enterprise Security
This campaign highlights a critical gap in security awareness training. Employees who are trained to trust internal communication channels, particularly requests arriving through platforms like Microsoft Teams, may be more susceptible to sophisticated impersonation attacks.
Security experts recommend that organizations implement strict verification processes for any request to install software, even if it appears to come from internal IT support. Requiring a secondary confirmation, such as a phone call or ticket through a separate system, can help mitigate the risk of such social engineering attempts.
Furthermore, the use of native communication tools for attacks underscores the need for continuous monitoring of software installation and remote access activity on enterprise networks.
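As an added example (not from the article or the Rapid7 report), here is a small Python detection that applies that monitoring recommendation: it scans constructed Windows Application-log lines for MsiInstaller (event 11707) and Service Control Manager (event 7045) events that name a remote-access tool not on an assumed approved list. The RMM keyword list, the approved set and the log format are assumptions; the report does not name the tool the attackers used.

```python
"""Flag unapproved remote-management (RMM) tool installs in Windows event logs."""
import re
from dataclasses import dataclass

# Product names of common RMM / remote-access tools. Assumption: illustrative
# list only; the article does not name the tool used in this campaign.
RMM_KEYWORDS = ("anydesk", "teamviewer", "screenconnect", "connectwise",
                "atera", "splashtop", "rustdesk", "ninjaone", "simplehelp")

# RMM products the organisation has sanctioned (assumed; adjust to your estate).
APPROVED = {"connectwise"}

@dataclass
class Finding:
    host: str
    user: str
    product: str
    source: str

# Constructed sample lines in the shape "<host> <EventID> <user> <message>".
SAMPLE_LOG = """\
WS-104 11707 ACME\\jsmith Product: AnyDesk -- Installation completed successfully.
WS-104 7045 ACME\\jsmith A service was installed in the system. Service Name: AnyDesk Service
WS-205 11707 ACME\\svc_deploy Product: ConnectWise Control -- Installation completed successfully.
WS-311 11707 ACME\\mlee Product: 7-Zip 23.01 -- Installation completed successfully.
WS-311 7045 SYSTEM A service was installed in the system. Service Name: ScreenConnect Client
"""

LINE_RE = re.compile(r"^(?P<host>\S+)\s+(?P<eid>\d+)\s+(?P<user>\S+)\s+(?P<msg>.*)$")

def find_unapproved_rmm(log_text: str) -> list[Finding]:
    """Return one Finding per 11707 (MSI install) or 7045 (new service) event
    whose product or service name matches an RMM keyword not on the approved list."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["eid"] not in ("11707", "7045"):
            continue
        msg_lower = m["msg"].lower()
        for kw in RMM_KEYWORDS:
            if kw in msg_lower and kw not in APPROVED:
                source = "MsiInstaller" if m["eid"] == "11707" else "ServiceInstall"
                findings.append(Finding(m["host"], m["user"], kw, source))
                break
    return findings

if __name__ == "__main__":
    for f in find_unapproved_rmm(SAMPLE_LOG):
        print(f"ALERT {f.host} {f.user} installed {f.product} ({f.source})")
```

Correlating such alerts with a recent Teams call or chat from an unfamiliar account, and with the absence of a matching help-desk ticket, turns the install event into the secondary confirmation the article recommends.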
Background on MuddyWater
MuddyWater is an Iranian state-sponsored cyber espionage group that has been active since at least 2017. The group has historically targeted government agencies, telecommunications companies, and oil and gas organizations across the Middle East, Europe, and North America.
The group is known for its reliance on social engineering, spear-phishing, and publicly available tools to avoid detection. This latest incident, however, marks a notable shift toward overtly destructive ransomware attacks combined with complex attribution deception tactics.
Looking Ahead
Rapid7 has shared indicators of compromise (IOCs) and technical details with its customers and the broader cybersecurity community to help defend against this specific attack chain. Organizations using Microsoft Teams are advised to review their security policies regarding remote help desk requests and to implement strict controls on RMM tool usage. The cybersecurity industry is expected to release additional guidance on detecting and preventing these types of impersonation attacks as more details emerge from the initial investigations.
Source: Rapid7