
MuddyWater's Teams Attack: Iranian APT Threat to SAMA Banks

Iranian state-sponsored MuddyWater is exploiting Microsoft Teams screen-share to harvest credentials and bypass MFA, while masking espionage as Chaos ransomware. Implications for SAMA-regulated banks.

FyntraLink Team

Rapid7 has attributed a high-touch intrusion that initially looked like a Chaos ransomware deployment to MuddyWater (Seedworm / Mango Sandstorm / Static Kitten), an Iranian APT linked to the Ministry of Intelligence and Security (MOIS). The campaign is striking for one reason: the entire foothold was established not through a phishing email or a public-facing exploit, but through Microsoft Teams chats and live screen-sharing sessions with end users. For SAMA-regulated financial institutions in the Kingdom, this collapses two old assumptions at once — that MFA-protected M365 tenants are "safe enough," and that ransomware attribution can be taken at face value.

How the MuddyWater Microsoft Teams Attack Works

The intrusion starts with an unsolicited external Teams chat request to a targeted employee. Once the user accepts, the operator pivots to an interactive screen-share session, posing as IT support, an auditor, or a vendor. Victims are walked through "diagnostic" steps that include typing their credentials and one-time passwords into a local text file the attacker can see in real time. From there, MuddyWater injects code into suspended processes via pythonw.exe, plants persistence, and stages a Chaos ransomware payload as a decoy. Rapid7's forensic links — including a "Donald Gay" code-signing certificate and the moonzonet C2 domain — connect the operation back to historical MuddyWater infrastructure.

Why a False Flag Ransomware Operation Matters

Treating this as a "ransomware incident" leads defenders to the wrong playbook: contain encryption, negotiate, restore, move on. But MuddyWater's objective here was espionage and persistent access, with Chaos ransomware bolted on to muddy attribution and to prompt a hasty clean-up and restore before the deeper compromise is discovered. That has direct consequences for incident classification under NCA ECC-2:2024 and the SAMA Cyber Security Framework — a state-sponsored intrusion follows a fundamentally different reporting, escalation, and response track from a commodity ransomware case, and misclassifying it can put a bank offside with regulators.

Impact on Saudi Financial Institutions

Saudi banks, payment processors, and SAMA-regulated FinTechs run extensive Microsoft 365 deployments, and external Teams federation is enabled in most tenants by default. Iranian APTs — MuddyWater, APT34/OilRig, and APT39 — have a multi-year pattern of targeting Gulf financial, government, and energy entities. The Teams social-engineering vector specifically defeats the "we have MFA" defense, because the attacker captures the one-time code in real time and uses it inside the validity window. Under SAMA CSCC control 3.3.5 (Cyber Security Awareness) and the Cyber Threat Intelligence Principles (CTIP), boards are explicitly expected to track region-specific APT activity and translate it into compensating controls — not just rely on perimeter tooling.

Practical Recommendations and Hardening Steps

  1. In Microsoft 365 Defender, restrict external Teams chat to an allow-list of trusted federated domains, and disable anonymous federation tenant-wide.
  2. Block screen-sharing initiation from external (federated or guest) participants; document this as a compensating control mapped to SAMA CSCC 3.3.14 (Email and Collaboration Security).
  3. Deploy phishing-resistant MFA — FIDO2 security keys or Windows Hello for Business — for all privileged accounts, treasury operators, and SWIFT users; OTP-based MFA is no longer sufficient against this TTP.
  4. Hunt for the published indicators: pythonw.exe injecting into suspended processes, signed binaries by "Donald Gay," and outbound traffic to moonzonet-related infrastructure. Feed these into your SOC's CTI pipeline per NCA ECC-2:2024 control 2-13.
  5. Run a tabletop that opens as a Chaos ransomware case and reveals state-sponsored attribution mid-exercise; validate that legal, communications, SAMA notification, and SOC paths all re-route correctly.
  6. Refresh user awareness specifically on Teams-based vishing — most Saudi bank training decks still focus on email phishing only.
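An added hunting example (not Rapid7's or FyntraLink's code) that turns the three indicators in step 4 into detection logic over constructed Sysmon-style events: it flags pythonw.exe only when it opens a thread in another process (event 8), not on ordinary pythonw.exe launches, matches the "Donald Gay" signer on process-creation events (event 1), and matches DNS queries (event 22) containing the moonzonet label. The sample paths, the event field names beyond Sysmon's schema, and the `cdn.moonzonet.example` host are assumptions, since the page gives no full domain.

```python
# Added example: hunt for the three published MuddyWater indicators over
# constructed Sysmon-style events. Field names follow Sysmon's event schema;
# the sample values and the 'cdn.moonzonet.example' host are made up here.

PYTHONW = "\\pythonw.exe"
SIGNER = "donald gay"          # code-signing certificate subject cited by Rapid7
C2_LABEL = "moonzonet"         # the page gives only this label, not a full domain

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"EventID": 1, "Image": r"C:\Python312\pythonw.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Signature": "Python Software Foundation"},
    {"EventID": 8, "SourceImage": r"C:\Python312\pythonw.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
    {"EventID": 1, "Image": r"C:\ProgramData\update\helper.exe",
     "ParentImage": r"C:\Python312\pythonw.exe", "Signature": "Donald Gay"},
    {"EventID": 22, "Image": r"C:\ProgramData\update\helper.exe",
     "QueryName": "cdn.moonzonet.example"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "Signature": "Microsoft Windows"},
]


def evaluate(event):
    """Return the list of rule names this single event triggers."""
    hits = []
    eid = event.get("EventID")
    # Rule 1: pythonw.exe creating a thread in another process (Sysmon event 8).
    # A plain pythonw.exe launch is common and is deliberately NOT flagged.
    if eid == 8 and event.get("SourceImage", "").lower().endswith(PYTHONW):
        hits.append("pythonw_remote_thread")
    # Rule 2: binary signed with the "Donald Gay" certificate (event 1).
    if eid == 1 and event.get("Signature", "").strip().lower() == SIGNER:
        hits.append("donald_gay_signer")
    # Rule 3: DNS lookup for moonzonet-related infrastructure (event 22).
    if eid == 22 and C2_LABEL in event.get("QueryName", "").lower():
        hits.append("moonzonet_dns")
    return hits


def hunt(events):
    """Run all rules and group hits by the process image they came from."""
    findings = {}
    for e in events:
        image = (e.get("Image") or e.get("SourceImage") or "").lower()
        for rule in evaluate(e):
            findings.setdefault(image, []).append(rule)
    return findings


if __name__ == "__main__":
    for image, rules in hunt(SAMPLE_EVENTS).items():
        print(f"{image}: {', '.join(rules)}")
```

Grouping hits per image is what lets an analyst see that the same binary both carries the suspect signer and resolves the C2 label, which is a far stronger signal than either match alone.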

Conclusion

MuddyWater's Teams campaign signals that Iranian state actors have industrialized social engineering inside the collaboration tools Saudi banks now depend on, while using ransomware noise as a smokescreen. The control gaps it exploits — open external federation, OTP-only MFA, and ransomware-centric playbooks — are all addressable, but only if institutions move on them before they appear as findings in the next SAMA review or NCA assessment.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment focused on collaboration-platform threats and Iranian APT exposure.