In early 2026, an intrusion linked with moderate confidence to MuddyWater showed how a trusted workplace tool can become part of the attack path. In this MuddyWater APT Teams attack, employees were contacted through Microsoft Teams, pulled into live screen-sharing sessions, and guided into actions that exposed credentials, enabled MFA manipulation, and gave attackers access to VPN-related files. The activity also used Chaos ransomware branding and extortion emails, but file encryption was not observed. That made it look less like typical ransomware and more like an access, data theft, and persistence operation. The key lesson is that email security alone is not enough. Organizations need to control unapproved remote access tools, monitor suspicious endpoint behavior, and make access decisions based on both identity and device trust.
Think about the last time someone from IT messaged you on Teams. You probably did not treat it like a phishing email. You may have glanced at the name, trusted the platform, and responded.
That trust is what attackers are learning to abuse.
In early 2026, an intrusion linked with moderate confidence to MuddyWater showed how a familiar collaboration tool can become an entry point. In this MuddyWater APT Teams attack, employees were contacted through Microsoft Teams, pulled into live screen-sharing sessions, and guided into actions that exposed credentials, enabled MFA manipulation, and gave attackers access to VPN-related files.
In this blog, we’ll unpack how the attack worked, why trusted collaboration tools are becoming a security risk, and how organizations can reduce exposure across devices, identity, and access.
MuddyWater is an Iran-linked advanced persistent threat group known for cyber-espionage. It is also tracked as Seedworm, Mango Sandstorm, MERCURY, and Static Kitten. Active since at least 2017, the group has targeted government and private-sector organizations across the Middle East, Asia, Africa, Europe, and North America, including telecom, finance, local government, defense, and oil and natural gas organizations.
The intrusion did not rely only on a typical phishing email. Instead, the attacker contacted employees through Microsoft Teams and used live conversation to make the request feel legitimate.
Once the victim engaged, the attacker moved the interaction into screen-sharing. During the session, victims were guided into entering credentials, modifying MFA settings, and exposing VPN-related files. The attacker then used compromised accounts and remote access methods to continue activity inside the environment.
How Persistence Came into Play
The intrusion did not stop at the Teams conversation. After credentials and access details were exposed, the attacker used compromised accounts, RDP, and remote access tooling to continue operating inside the environment. AnyDesk was deployed in at least one instance, showing how legitimate remote management tools can be abused after a successful social engineering attempt.
The sequence below shows how the activity moved from a trusted chat interaction to credential exposure, access expansion, and ransomware-style deception.
Stage: What happened
Teams contact: Employees were contacted through Microsoft Teams external chat.
Live interaction: The attacker used conversation and screen-sharing to guide the victim.
Credential exposure: Victims were instructed to enter credentials into local text files.
MFA manipulation: MFA settings were modified to include attacker-controlled devices.
VPN-related access: Files related to VPN configuration were accessed.
Remote access: RDP and remote access tooling, including AnyDesk in at least one instance, were used to support access and control.
Extortion cover: Extortion emails and Chaos ransomware branding were used.
Key difference: File encryption was not observed, which made the activity different from typical ransomware.
Why This Attack Changes the Security Conversation
The MuddyWater APT Teams attack shows why security teams cannot treat collaboration, identity, endpoint, and remote access as separate problems.
The attacker did not rely on one weakness. They used a trusted chat platform to reach the user, screen-sharing to guide the interaction, MFA changes to support attacker-controlled access, VPN-related files that could support later access attempts, and remote access tools to maintain control.
That means blocking malware alone is not enough. Organizations need to control which apps can run, detect suspicious behavior on endpoints, and make sure access depends on both the user and the device. When a trusted tool becomes part of the attack path, security has to follow the full chain, from the first message to the final access attempt.
Building Defense across Device, Endpoint, and Identity with Hexnode
Hexnode helps reduce this risk by focusing on three areas: device control, endpoint detection, and identity with device trust.
1. Hexnode UEM: Control Apps and Devices
Hexnode UEM helps IT teams manage what is allowed on corporate devices. This matters because, in attacks like this, legitimate remote access tools can be abused after the first social engineering step.
With Hexnode UEM, organizations can:
Block or allowlist applications on managed devices
The attack may begin in Teams, but the real damage happens when that interaction turns into endpoint activity. That could include scripts, installers, remote access sessions, unusual processes, or attempts to maintain persistence.
Hexnode XDR helps security teams detect, investigate, and respond to suspicious endpoint behavior. IT teams can look for signs such as:
Unexpected remote access activity
Suspicious scripts or processes
Unknown installers launched after a support-style interaction
Abnormal endpoint behavior from a standard user device
Indicators that a device may need containment
When a device shows signs of compromise, response actions such as isolating the endpoint, killing malicious processes, or quarantining files can help limit the impact.
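The detection signs listed above only become useful when they are tied together in time. The script below is an added example for this article, not Hexnode XDR code and not from the original post. It correlates constructed endpoint and identity events into the chain the post describes (external Teams contact, credentials typed into a local text file, an unapproved remote access tool, an MFA change, an RDP client launch) and raises one alert per matching chain. The event schema, the 60-minute window, the credential-file filename heuristic, and the tools listed besides AnyDesk are assumptions made for the example.

```python
"""Correlate endpoint and identity events into the chain described in the post.

Added illustration for this article; it is not Hexnode XDR code and not from the
original post. The event schema, the tool list beyond AnyDesk, the 60-minute
window and the credential-file heuristic are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Remote access tools not approved in this assumed environment. AnyDesk is the
# tool named in the post; the other entries are illustrative.
UNAPPROVED_REMOTE_TOOLS = {"anydesk.exe", "teamviewer.exe", "rustdesk.exe"}
RDP_CLIENT = "mstsc.exe"
WINDOW = timedelta(minutes=60)

# Constructed sample telemetry, not real logs. "host" is empty for identity
# provider events because they are not tied to an endpoint.
SAMPLE_EVENTS = [
    {"ts": "2026-02-10T09:02:00", "type": "teams_external_chat", "host": "WS-1042",
     "user": "jdoe", "detail": "chat from external tenant"},
    {"ts": "2026-02-10T09:10:00", "type": "file_create", "host": "WS-1042",
     "user": "jdoe", "detail": "C:\\Users\\jdoe\\Desktop\\credentials.txt"},
    {"ts": "2026-02-10T09:15:00", "type": "process_create", "host": "WS-1042",
     "user": "jdoe", "detail": "anydesk.exe"},
    {"ts": "2026-02-10T09:20:00", "type": "mfa_method_added", "host": "",
     "user": "jdoe", "detail": "authenticator app on new phone"},
    {"ts": "2026-02-10T09:25:00", "type": "process_create", "host": "WS-1042",
     "user": "jdoe", "detail": "mstsc.exe"},
    # Benign user: no external chat, approved software, routine MFA re-enrollment.
    {"ts": "2026-02-10T11:00:00", "type": "process_create", "host": "WS-2001",
     "user": "asmith", "detail": "msedge.exe"},
    {"ts": "2026-02-10T11:05:00", "type": "mfa_method_added", "host": "",
     "user": "asmith", "detail": "scheduled re-enrollment"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def classify(event):
    """Map one raw event to a named stage of the chain, or None if it is not one."""
    kind, detail = event["type"], event["detail"].lower()
    if kind == "teams_external_chat":
        return "teams_contact"
    if kind == "file_create" and any(w in detail for w in ("cred", "password", "login")):
        return "credential_file"  # weak filename heuristic; an analyst must confirm
    if kind == "process_create" and detail in UNAPPROVED_REMOTE_TOOLS:
        return "unapproved_remote_tool"
    if kind == "process_create" and detail == RDP_CLIENT:
        return "rdp_client"
    if kind == "mfa_method_added":
        return "mfa_change"
    return None


def correlate(events, window=WINDOW):
    """Return alerts found in the event list.

    Rule 1 (medium): any launch of an unapproved remote access tool.
    Rule 2 (high): an external Teams chat followed within `window` by at least
    two further stages for the same user (credential file, unapproved tool,
    MFA change, RDP client). A lone MFA change never alerts by itself.
    """
    alerts = []
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        for e in evs:
            if classify(e) == "unapproved_remote_tool":
                alerts.append({"severity": "medium", "user": user, "host": e["host"],
                               "stages": ["unapproved_remote_tool"],
                               "reason": f"{e['detail']} launched"})
        for anchor in (e for e in evs if classify(e) == "teams_contact"):
            t0 = _ts(anchor)
            stages = ["teams_contact"]
            for e in evs:
                stage = classify(e)
                if stage and stage != "teams_contact" and stage not in stages \
                        and timedelta(0) <= _ts(e) - t0 <= window:
                    stages.append(stage)
            if len(stages) >= 3:
                alerts.append({"severity": "high", "user": user, "host": anchor["host"],
                               "stages": stages,
                               "reason": "Teams contact followed by " + ", ".join(stages[1:])})
    # High-severity chain alerts first.
    return sorted(alerts, key=lambda a: a["severity"] != "high")


if __name__ == "__main__":
    for a in correlate(SAMPLE_EVENTS):
        print(a["severity"].upper(), a["user"], a["host"] or "(identity provider)", "->", a["reason"])
```

The point of the two-rule design is that a single MFA method change is routine and would drown analysts in noise, whereas the same change minutes after an external Teams chat and an AnyDesk launch on the same user's workstation is the sequence the post describes; the medium rule still catches an unapproved tool launch on its own, which is the "before unauthorized tools run" control the article assigns to UEM.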
In this campaign, credentials and MFA settings were part of the attack path. That is why access should not depend on identity alone.
Hexnode IdP helps bring user identity and device posture together. This allows organizations to make access decisions based on both who the user is and whether the device is trusted and compliant.
For a Teams-based social engineering scenario, this matters because stolen credentials should not be enough to access internal resources. When access is tied to managed and compliant devices, organizations can make it harder for attackers to use stolen credentials from an unmanaged machine.
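The access-decision logic the paragraph describes can be written down as a small policy evaluator. The code below is an added example for this article, not Hexnode IdP's logic and not from the original post. It combines the result of user authentication with device posture so that valid credentials from an unmanaged machine are refused, and, as an added hardening rule that the article does not itself state, treats an MFA method registered within the last 24 hours as a reason to require out-of-band verification, since a freshly added method is what the MFA manipulation in this intrusion leaves behind. The posture attributes, the threshold and the scenarios are assumptions constructed for the example.

```python
"""Access decision combining user identity with device trust.

Added illustration for this article; not Hexnode IdP logic and not from the
original post. The posture attributes, the 24-hour MFA-enrollment rule and the
scenarios are assumptions chosen for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

RECENT_MFA_ENROLLMENT = timedelta(hours=24)  # assumed threshold


@dataclass
class Identity:
    user: str
    password_ok: bool
    mfa_ok: bool
    mfa_method_enrolled_at: datetime  # when the MFA method that just passed was registered


@dataclass
class Device:
    device_id: str
    managed: bool    # enrolled in UEM
    compliant: bool  # meets posture policy (disk encryption, patch level, no blocked apps)


def decide(identity, device, now):
    """Return (decision, reasons); decision is 'allow', 'step_up' or 'deny'."""
    if not (identity.password_ok and identity.mfa_ok):
        return "deny", ["authentication failed"]
    reasons = []
    if device is None or not device.managed:
        reasons.append("device is not managed")
    elif not device.compliant:
        reasons.append("device is not compliant with posture policy")
    if reasons:
        # Valid credentials alone are not enough: the device must be trusted too.
        return "deny", reasons
    if now - identity.mfa_method_enrolled_at < RECENT_MFA_ENROLLMENT:
        # A freshly registered MFA method is exactly what an MFA-manipulation step
        # leaves behind, so require out-of-band verification before granting access.
        return "step_up", ["MFA method enrolled less than 24 hours ago"]
    return "allow", []


# Constructed scenarios (not real accounts or devices).
NOW = datetime(2026, 2, 10, 10, 0)
OLD_MFA = NOW - timedelta(days=200)
NEW_MFA = NOW - timedelta(minutes=40)
SCENARIOS = {
    # Stolen but valid credentials used from an attacker's own, unmanaged machine.
    "stolen_creds_unmanaged": (Identity("jdoe", True, True, OLD_MFA), Device("unknown", False, False)),
    # Managed, compliant laptop, but the MFA method that passed was registered minutes ago.
    "managed_recent_mfa": (Identity("jdoe", True, True, NEW_MFA), Device("WS-1042", True, True)),
    # Managed laptop that has drifted out of compliance.
    "managed_noncompliant": (Identity("asmith", True, True, OLD_MFA), Device("WS-2001", True, False)),
    # The normal case: good credentials, long-standing MFA method, trusted device.
    "normal": (Identity("asmith", True, True, OLD_MFA), Device("WS-2001", True, True)),
    # Wrong password on a trusted device.
    "bad_password": (Identity("asmith", False, True, OLD_MFA), Device("WS-2001", True, True)),
}


def evaluate_scenarios(now=NOW):
    """Run every constructed scenario and return {name: decision}."""
    return {name: decide(ident, dev, now)[0] for name, (ident, dev) in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (ident, dev) in SCENARIOS.items():
        decision, reasons = decide(ident, dev, NOW)
        print(f"{name:24s} {decision:8s} {'; '.join(reasons)}")
```

The ordering matters: device trust is checked before the MFA-recency rule, so an unmanaged device is denied outright rather than offered a step-up challenge that an attacker controlling the newly enrolled MFA device could satisfy.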
Together, Hexnode UEM, XDR, and IdP help reduce risk at different stages of the attack: before unauthorized tools run, while suspicious behavior is happening, and when access is requested.
Make Trusted Tools Harder to Abuse
The MuddyWater APT Teams attack shows how quickly a normal work conversation can become a security incident. A Teams message, a screen-sharing session, an MFA change, and access to VPN-related files can give attackers more than an initial foothold. It can support continued access attempts.
That is why prevention has to start before the user is targeted and continue after the first suspicious action. Organizations should limit unapproved remote access tools, monitor endpoint behavior, and make access depend on both identity and device trust.
Hexnode supports this approach through UEM, XDR, and IdP. UEM helps control apps and devices. XDR helps detect and respond to suspicious endpoint activity. IdP helps tie access decisions to identity and device posture.
The goal is simple: let employees collaborate, but make it much harder for attackers to turn that trust into access.