
MuddyWater Targets Microsoft Teams MFA: SAMA Bank Defense Guide

Iranian state-sponsored MuddyWater is exploiting Microsoft Teams social engineering to harvest credentials and manipulate MFA at financial institutions, then planting Chaos ransomware as a false flag. Here is what SAMA-regulated banks must do.

FyntraLink Team

Iranian state-sponsored threat actor MuddyWater (also tracked as Mango Sandstorm, Seedworm, and Static Kitten) has been observed running a sophisticated hybrid espionage campaign that weaponizes Microsoft Teams to steal credentials and silently subvert multi-factor authentication. Rapid7 incident responders documented the activity in early 2026, and the operators went a step further: they staged Chaos ransomware artifacts as a false flag to disguise a nation-state intrusion as opportunistic crime. For Saudi banks operating under the SAMA Cyber Security Framework, this is not a distant headline. It is a direct preview of how regional adversaries will attempt to breach financial institutions through the most-trusted collaboration tool in the enterprise.

Inside the MuddyWater Microsoft Teams attack chain

The intrusion begins with a high-touch social engineering call delivered through Microsoft Teams. Threat actors impersonate IT support, vendors, or internal helpdesk staff and request a screen-sharing session to "resolve" a fabricated issue. During the call, the operator instructs the victim to type credentials into a local text file under the pretext of verification, then to approve a new device for MFA enrollment. Because every action originates from the legitimate Teams client, traditional email gateways and URL sandboxes never see the threat. The attacker walks away with primary credentials, an enrolled secondary factor, and persistent access from a device the victim explicitly authorized.

Why "false flag" Chaos ransomware changes the threat model

After establishing persistence, MuddyWater deployed components borrowed from the Chaos ransomware-as-a-service brand on selected hosts, but never executed mass file encryption. Rapid7 assesses with high confidence that these artifacts were planted to mislead incident responders and obscure the true espionage objective: long-term collection from financial, energy, and government targets across the Middle East. For a CISO, this means the playbook of "we paid no ransom, so the incident is contained" no longer holds. A staged ransomware note can be the beginning of a multi-month data exfiltration program, not the end of an attack.

Impact on SAMA-regulated financial institutions

MuddyWater has historically targeted Gulf banks, telecom operators, and government entities, and the Microsoft Teams vector neutralizes several controls that SAMA-regulated banks rely on every day. SAMA Cyber Security Framework control 3.3.5 mandates strong authentication for privileged access, and CSCC 3.3.14 requires anomaly detection for identity events; both assume the MFA factor itself cannot be socially enrolled by the user during an attacker-led call. Saudi banks must also weigh PDPL implications: a credential compromise that exposes customer records constitutes a personal data incident requiring notification to the Saudi Data and Artificial Intelligence Authority. NCA Essential Cybersecurity Controls subdomain 2-3-3 on awareness and 2-10 on third-party security become decisive when the initial vector is a Teams meeting that bypasses the secure email gateway entirely.

Detection signals your SOC should hunt today

Defenders should not wait for IOC feeds to catch up with this campaign. Hunt for the behavior, not the hash. Pivot the Microsoft 365 Unified Audit Log on three high-value events: external Teams meetings initiated by users who never normally federate with outside tenants, MFA method registrations that occur within sixty minutes of a Teams call from a guest account, and screen-sharing sessions followed by a device enrollment from a residential IP range or an unusual ASN. Correlate these with Microsoft Defender for Identity alerts on suspicious additions to the StrongAuthenticationUserDetails table. A pattern that combines all three signals within a single working day is the strongest indicator of MuddyWater-style social engineering currently available.
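The correlation just described, as an added example rather than code from Rapid7 or Fyntralink. The audit records are constructed and only loosely shaped like Unified Audit Log entries; the operation names, ASN labels, tenant names and user addresses are placeholders, and the trusted-ASN and allowed-tenant lists are assumed values a SOC would replace with its own. The logic generalizes the text slightly by scoring every user who took a non-allow-listed Teams call, so partial matches surface as low-severity leads instead of being dropped.

```python
"""Correlate the three hunting signals into one MuddyWater-style alert.

Added example, not the page's or the vendor's code. Records are constructed and
only loosely resemble Microsoft 365 Unified Audit Log entries; operation names,
ASN labels, tenant names and user addresses are placeholders.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed allow-lists: ASNs the bank's staff legitimately sign in from, and the
# federated tenants that may initiate Teams calls with staff.
TRUSTED_ASNS = {"AS-CORP-EGRESS"}
ALLOWED_TENANTS = {"regulator.example"}

MFA_WINDOW = timedelta(minutes=60)   # MFA registration within 60 minutes of the call
DAY_WINDOW = timedelta(hours=24)     # "same working day", simplified to 24 hours

# Constructed sample events (not real audit output).
EVENTS = [
    # Victim pattern: external call, MFA registration 35 minutes later, device
    # enrolled from a residential ASN within the same day.
    {"time": "2026-02-03T09:05:00", "op": "MeetingParticipantDetail", "user": "a.saleh@bank.example",
     "peer_tenant": "helpdesk-support.example", "ip": "203.0.113.10", "asn": "AS-RESIDENTIAL-1"},
    {"time": "2026-02-03T09:40:00", "op": "User registered security info", "user": "a.saleh@bank.example",
     "ip": "198.51.100.7", "asn": "AS-RESIDENTIAL-1"},
    {"time": "2026-02-03T09:52:00", "op": "Register device", "user": "a.saleh@bank.example",
     "ip": "198.51.100.7", "asn": "AS-RESIDENTIAL-1"},
    # Benign: a call with an allow-listed regulator tenant, MFA change the next day.
    {"time": "2026-02-03T11:00:00", "op": "MeetingParticipantDetail", "user": "m.omar@bank.example",
     "peer_tenant": "regulator.example", "ip": "192.0.2.5", "asn": "AS-CORP-EGRESS"},
    {"time": "2026-02-04T11:30:00", "op": "User registered security info", "user": "m.omar@bank.example",
     "ip": "192.0.2.5", "asn": "AS-CORP-EGRESS"},
    # Weak lead: external vendor call, MFA change 150 minutes later from corporate egress.
    {"time": "2026-02-03T14:00:00", "op": "MeetingParticipantDetail", "user": "k.nasser@bank.example",
     "peer_tenant": "vendor-x.example", "ip": "192.0.2.5", "asn": "AS-CORP-EGRESS"},
    {"time": "2026-02-03T16:30:00", "op": "User registered security info", "user": "k.nasser@bank.example",
     "ip": "192.0.2.5", "asn": "AS-CORP-EGRESS"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def signals_for_call(call, user_events):
    """Evaluate the two follow-on signals relative to one external Teams call."""
    t0 = _ts(call)
    signals = ["external_teams_call"]
    if any(e["op"] == "User registered security info" and t0 <= _ts(e) <= t0 + MFA_WINDOW
           for e in user_events):
        signals.append("mfa_registration_within_60m")
    if any(e["op"] == "Register device" and t0 <= _ts(e) <= t0 + DAY_WINDOW
           and e["asn"] not in TRUSTED_ASNS for e in user_events):
        signals.append("device_enrollment_untrusted_asn")
    return signals


def hunt(events):
    """Return {user: {"signals": [...], "severity": "high" | "low"}} for every user
    who took a Teams call from a non-allow-listed tenant. Severity is "high" only
    when all three signals line up within the window."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        calls = [e for e in evs if e["op"] == "MeetingParticipantDetail"
                 and e.get("peer_tenant") not in ALLOWED_TENANTS]
        best = []
        for call in calls:                      # keep the strongest call-anchored match
            s = signals_for_call(call, evs)
            if len(s) > len(best):
                best = s
        if best:
            findings[user] = {"signals": best, "severity": "high" if len(best) == 3 else "low"}
    return findings


if __name__ == "__main__":
    for user, f in hunt(EVENTS).items():
        print(f"{f['severity'].upper():5} {user}: {', '.join(f['signals'])}")
```

In production the event list would come from a Search-UnifiedAuditLog export or a SIEM query, and the "same working day" window and ASN allow-list would be tuned to the bank's own egress and branch footprint; the three-signal threshold is what keeps the rule's false-positive rate low enough for a SOC to action every hit.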

Practical defenses for SAMA banks

  1. Disable Teams external access by default and allow-list only verified federated tenants of vendors, regulators, and correspondent banks; route any incoming external chat through a dedicated supervised mailbox that the SOC reviews.
  2. Require Microsoft Authenticator number matching and lock self-service MFA registration behind a Conditional Access policy that enforces a hybrid-joined or compliant device, blocking enrollment from any guest or unmanaged endpoint.
  3. Mandate a callback policy for any IT support interaction that requests credential entry or MFA approval; the user must hang up and dial the official IT number from a separate channel before complying.
  4. Deploy continuous user and entity behavior analytics on Entra ID sign-ins, alerting on impossible-travel events, new sign-in property combinations, and risky session tokens replayed from outside Saudi Arabia.
  5. Run a tabletop exercise in which the simulated incident is a false-flag ransomware note, and validate whether your forensic plan actually pursues data exfiltration timelines or stops at the encryption check; SAMA CSCC 3.3.18 expects the former.
  6. Update PDPL incident response runbooks to treat any credential compromise as a presumed data exposure event until log evidence confirms otherwise, and rehearse the seventy-two-hour SDAIA notification path.
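A way to verify that step 2 is actually in force, as an added example that is not Fyntralink's or Microsoft's code. The policy objects are constructed and only loosely follow the shape of Microsoft Graph conditionalAccessPolicy documents; the display names and the break-glass address are placeholders. The user action `urn:user:registersecurityinfo`, the grant controls `compliantDevice`, `domainJoinedDevice` and `block`, and the state `enabledForReportingButNotEnforced` are real Graph values; the exact nesting of the sample is an assumption of this example. The number-matching half of step 2 lives in the authentication methods policy, not in Conditional Access, and is not checked here.

```python
"""Audit Conditional Access policies for the self-service MFA registration gap.

Added example, not the page's or the vendor's code. Policy objects are constructed
and only loosely follow Microsoft Graph's conditionalAccessPolicy shape.
"""

REGISTER_SECINFO = "urn:user:registersecurityinfo"      # "Register security information" user action
DEVICE_CONTROLS = {"compliantDevice", "domainJoinedDevice"}  # compliant or hybrid-joined device
REPORT_ONLY = "enabledForReportingButNotEnforced"

# Constructed tenant 1: MFA everywhere, but registration itself is ungated.
WEAK_TENANT = [
    {"displayName": "Require MFA for all cloud apps", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": []},
                    "applications": {"includeApplications": ["All"], "includeUserActions": []}},
     "grantControls": {"operator": "OR", "builtInControls": ["mfa"]}},
]

# Constructed tenant 2: registration requires a managed device and guests are blocked.
HARDENED_TENANT = [
    {"displayName": "Security info registration: compliant or hybrid-joined device only",
     "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"], "excludeUsers": ["break-glass@bank.example"]},
                    "applications": {"includeApplications": [], "includeUserActions": [REGISTER_SECINFO]}},
     "grantControls": {"operator": "OR", "builtInControls": ["compliantDevice", "domainJoinedDevice"]}},
    {"displayName": "Security info registration: block guests", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["GuestsOrExternalUsers"], "excludeUsers": []},
                    "applications": {"includeApplications": [], "includeUserActions": [REGISTER_SECINFO]}},
     "grantControls": {"operator": "OR", "builtInControls": ["block"]}},
]

# Constructed tenant 3: the right policy exists but was left in report-only mode.
REPORT_ONLY_TENANT = [dict(HARDENED_TENANT[0], state=REPORT_ONLY)]


def _targets_registration(policy):
    return REGISTER_SECINFO in policy["conditions"]["applications"].get("includeUserActions", [])


def _requires_managed_device(policy):
    """True when the grant cannot be satisfied without a compliant/hybrid-joined device.
    With operator OR, any non-device control (e.g. plain "mfa") would be an escape hatch."""
    controls = set(policy["grantControls"].get("builtInControls", []))
    operator = policy["grantControls"].get("operator", "OR")
    return bool(controls & DEVICE_CONTROLS) and (operator == "AND" or controls <= DEVICE_CONTROLS)


def audit_registration_policies(policies):
    """Return a list of findings; an empty list means the registration gap is closed."""
    findings = []
    enabled = [p for p in policies if p.get("state") == "enabled" and _targets_registration(p)]

    if not any(p["conditions"]["users"].get("includeUsers") == ["All"] and _requires_managed_device(p)
               for p in enabled):
        findings.append("no enabled policy requires a compliant or hybrid-joined device "
                        "for security-info registration by all users")

    if not any("GuestsOrExternalUsers" in p["conditions"]["users"].get("includeUsers", [])
               and p["grantControls"].get("builtInControls") == ["block"] for p in enabled):
        findings.append("guest/external users are not blocked from security-info registration")

    # Report-only policies log but never enforce; flag them so they are not mistaken for coverage.
    for p in policies:
        if p.get("state") == REPORT_ONLY and _targets_registration(p):
            findings.append(f"policy '{p['displayName']}' targets registration but is report-only")
    return findings


if __name__ == "__main__":
    for name, tenant in [("weak", WEAK_TENANT), ("hardened", HARDENED_TENANT), ("report-only", REPORT_ONLY_TENANT)]:
        print(name, audit_registration_policies(tenant) or "OK")
```

Feeding the function the JSON returned by the Graph `identity/conditionalAccess/policies` listing turns this into a repeatable control check that can be attached to the SAMA CSF evidence for control 3.3.5, and the report-only case is worth keeping because it is the most common way a correctly designed policy ends up providing no protection.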

Conclusion

MuddyWater has shown that the next generation of Gulf-targeted intrusions will not arrive through a phishing email or an unpatched edge appliance. They will arrive as a polite Microsoft Teams call from someone who already looks like a colleague, and they will leave behind a fake ransomware note to send investigators chasing the wrong adversary. SAMA-regulated banks that harden Teams federation, enforce phishing-resistant MFA, and treat credential compromise as a data-exposure event will be in a fundamentally different position from peers that wait for the IOCs to arrive.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment and a focused Microsoft 365 attack-path review aligned to NCA ECC and PDPL.
