Protect.Computer

Hackers Impersonate IT Support on Microsoft Teams to Break Into Companies

A group of hackers known as KongTuke has found a new way to break into company networks: they impersonate your IT helpdesk inside Microsoft Teams. Since at least April 2026, they have been creating fake Microsoft 365 accounts designed to look like internal support staff — sometimes using invisible Unicode characters in the display name to make the sender look legitimate. From there, they send you a Teams message asking you to paste a command into your computer to “fix” a technical issue.

That command downloads and runs malware called ModeloRAT, which gives the attackers ongoing access to your computer and your company’s network. The whole attack can take as little as five minutes from the first message to a full breach. KongTuke has been rotating through at least five different fake Microsoft 365 tenants to avoid being blocked, making their messages harder for automatic filters to catch.

How to check if you’re affected

Affected products include Microsoft Teams versions used in any corporate or hybrid work environment where external messaging is enabled. You are at risk if your company allows messages from people outside your organisation in Teams.

  • Never paste commands into your terminal or PowerShell based on instructions received in a Teams chat — no legitimate IT team will ask you to do this.
  • Check the sender carefully: If someone in Teams claims to be IT support but you don’t recognise their name or department, contact your actual IT team through a separate channel (email, phone, internal directory) to confirm.
  • Report suspicious messages: If you receive an unexpected Teams message from someone claiming to be IT support, don’t reply — report it to your security team immediately.
  • IT administrators can reduce exposure by restricting external Teams federation to known, trusted organisations via an allowlist.
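
The invisible-character trick in sender display names can be checked for mechanically when reviewing who is messaging your users. The sketch below is an added example, not code from the original article or from Microsoft; the record fields, the support-name pattern and the supplementary character list are assumptions made for illustration.

```python
import re
import unicodedata

# Render as blank but are not Unicode category Cf (assumed supplementary list).
EXTRA_INVISIBLE = {"\u115f", "\u1160", "\u3164", "\uffa0", "\u2800"}
# Hypothetical support-style names; tune to your own helpdesk's naming.
SUPPORT_NAME = re.compile(r"\b(it ?support|help ?desk|service ?desk)\b")


def is_invisible(ch):
    """True for format characters (zero-width, bidi controls) and blank fillers."""
    return unicodedata.category(ch) == "Cf" or ch in EXTRA_INVISIBLE


def invisible_chars(name):
    """Code points in `name` that render as nothing or as a blank, as U+XXXX."""
    return [f"U+{ord(c):04X}" for c in name if is_invisible(c)]


def visible_form(name):
    """Comparison form: invisibles removed, NFKC-folded, case-folded."""
    kept = "".join(c for c in name if not is_invisible(c))
    return " ".join(unicodedata.normalize("NFKC", kept).casefold().split())


def review_sender(record):
    """Reasons a chat sender's display name deserves a manual look."""
    reasons = []
    name = record["display_name"]
    hidden = invisible_chars(name)
    if hidden:
        reasons.append("invisible characters: " + ", ".join(hidden))
    if record["is_external"] and SUPPORT_NAME.search(visible_form(name)):
        reasons.append("external sender with a support-style name")
    return reasons


# Constructed sample records; field names are hypothetical, not a Teams schema.
SAMPLE = [
    {"display_name": "Help\u200bDesk", "is_external": True},
    {"display_name": "Dana Okafor", "is_external": True},
    {"display_name": "IT Support", "is_external": False},
    {"display_name": "\uff29\uff34 Support\u2060", "is_external": True},
    {"display_name": "Audit Support", "is_external": True},
]

if __name__ == "__main__":
    for rec in SAMPLE:
        print(repr(rec["display_name"]), review_sender(rec))
```

Any invisible character in a display name is worth a look regardless of where the sender sits, while the support-style name check only fires for senders outside the organisation.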
