
A hacking group backed by the Iranian government, known as MuddyWater, is running a campaign that starts with a seemingly routine Microsoft Teams message. Posing as your company’s IT helpdesk, the attackers request a screen-sharing session to “fix a problem.” During the call, they walk you through typing your password into a text file or a form they control — making it look like a normal troubleshooting step. They also capture your two-factor authentication code in real time, giving them full access to your account before you realize anything is wrong.
The group disguises their attacks to look like ransomware from a criminal gang called “Chaos,” which makes it harder for companies to identify the real attacker. Their actual goal is to install a remote-access backdoor and quietly steal data for months. While the campaign has so far focused on construction, manufacturing, and government organizations, social engineering through Teams can target employees in any industry.
How to check if you’re affected
Any computer is potentially affected if a Microsoft Teams session on it involved an unexpected IT support call, screen sharing, or a request to type your password anywhere other than your normal login screen.
- Review your Microsoft 365 account login history at mysignins.microsoft.com for logins from unexpected locations or devices.
- Check if any unfamiliar remote-access tools — such as AnyDesk or DWAgent — were installed on your computer during or after an unplanned Teams session.
- Look for a file named ms_upd.exe on your system; its presence indicates compromise.
- Contact your IT department to verify whether any recent helpdesk Teams calls were initiated by them — if not, report it immediately.
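The two host-level checks above (unfamiliar remote-access tools, and the ms_upd.exe file) can be run from one script. The following PowerShell triage script is an added example for this page, not tooling from the advisory or from any vendor. It assumes the search roots listed in the code, that AnyDesk and DWAgent can be recognised by the wildcard name patterns given, and that the indicator file is named exactly ms_upd.exe as the advisory states; the sign-in history check still has to be done at mysignins.microsoft.com, and the last step (confirming the call with IT) remains manual.

```powershell
# Added triage script (not from the advisory). Assumptions: the search roots below,
# the -like patterns used to recognise AnyDesk/DWAgent by name, and that the page's
# indicator file is named exactly ms_upd.exe. Run in an elevated PowerShell session.

function Get-TeamsHelpdeskTriage {
    [CmdletBinding()]
    param(
        # Indicator file name taken from the advisory
        [string]$IndicatorFile = 'ms_upd.exe',
        # Remote-access tools the advisory names; the wildcard patterns are an assumption
        [string[]]$RemoteToolPatterns = @('*AnyDesk*', '*DWAgent*')
    )

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Indicator file: search user profiles and common drop locations (assumed roots).
    $roots = @("$env:SystemDrive\Users", $env:ProgramData, "$env:SystemRoot\Temp") |
        Where-Object { $_ -and (Test-Path $_) }
    Get-ChildItem -Path $roots -Filter $IndicatorFile -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Category = 'IndicatorFile'
                Name     = $_.FullName
                Detail   = "Created $($_.CreationTime)"
            })
        }

    foreach ($pattern in $RemoteToolPatterns) {
        # 2. Remote-access tools: running processes (name or image path).
        Get-Process -ErrorAction SilentlyContinue |
            Where-Object { $_.ProcessName -like $pattern -or $_.Path -like $pattern } |
            ForEach-Object {
                $findings.Add([pscustomobject]@{
                    Category = 'Process'
                    Name     = $_.ProcessName
                    Detail   = "PID $($_.Id); $($_.Path)"
                })
            }

        # 3. Remote-access tools: installed services.
        Get-Service -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like $pattern -or $_.DisplayName -like $pattern } |
            ForEach-Object {
                $findings.Add([pscustomobject]@{
                    Category = 'Service'
                    Name     = $_.Name
                    Detail   = "$($_.DisplayName); status $($_.Status)"
                })
            }
    }

    # 4. Remote-access tools: Add/Remove Programs entries (64-bit, 32-bit and per-user hives).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.DisplayName
            $name -and ($RemoteToolPatterns | Where-Object { $name -like $_ })
        } |
        ForEach-Object {
            $findings.Add([pscustomobject]@{
                Category = 'InstalledProgram'
                Name     = $_.DisplayName
                Detail   = "Version $($_.DisplayVersion); InstallDate $($_.InstallDate)"
            })
        }

    return $findings
}

$results = Get-TeamsHelpdeskTriage
if ($results.Count -eq 0) {
    Write-Host "No indicators found on $env:COMPUTERNAME; still confirm any recent helpdesk calls with IT."
} else {
    $results | Format-Table -AutoSize
}
```

A hit in the IndicatorFile category is the advisory's own compromise indicator and should go straight to your IT or security team; a hit in the Process, Service or InstalledProgram categories only means a named remote-access tool is present, which is suspicious when you did not install it yourself but is not by itself proof of compromise.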
