Severity: HIGH
The Threat
In early 2026, Rapid7 observed a sophisticated attack campaign attributed to MuddyWater, an Iranian state-sponsored threat group also tracked as Mango Sandstorm, Seedworm, and Static Kitten. The group executed what researchers describe as a "false flag" ransomware operation - deploying ransomware not necessarily to extort victims, but to cause destruction and confusion while covering the real objective: credential theft.
The attack vector is Microsoft Teams. MuddyWater operatives are impersonating IT support staff or trusted colleagues inside Teams, using social engineering to trick employees into handing over login credentials or granting remote access. The group has a well-documented history of targeting government ministries, telecommunications providers, and critical infrastructure across the Middle East and Africa.
What makes this campaign especially dangerous is the false flag design. The ransomware screen gives incident responders the wrong target to chase, while the real damage - stolen credentials and persistent access - happens silently in the background.
Impact Assessment for East African Organizations
Microsoft Teams is now a standard communication tool across Kenyan government agencies, Ethiopian federal ministries, Somali financial institutions, and East African banks operating under CBK, NBE, and CBS licensing frameworks. That widespread adoption is exactly what makes this threat so urgent for the region.
Consider the specific risks:
- Government ministries and GovTech platforms in Kenya, Ethiopia, and Somalia use Teams for inter-agency coordination. A compromised account can expose citizen data, procurement records, and national security communications - all triggering violations under the Kenya Data Protection Act 2019 and Ethiopia's Computer Crime Proclamation.
- Commercial banks and SACCOs operating Teams for remote operations face credential theft that could bypass multi-factor authentication if FIDO2 or phishing-resistant MFA is not in place - a direct risk to CBK and Bank of Tanzania compliance posture.
- Power utilities and telecom providers (critical infrastructure) using Teams for operational coordination could see lateral movement from a stolen credential escalate into operational disruption - exactly the secondary objective of a false flag operation.
- The Horn of Africa's geopolitical proximity to Iranian threat actor targeting zones - including Gulf states and East African diplomatic missions - makes regional organizations a plausible spillover target.
Immediate Actions
- Audit Microsoft Teams external access settings now. Disable or restrict the ability for external (guest) users to initiate chats or calls with your staff. Most East African organizations leave this default-open.
- Enforce phishing-resistant MFA on all Microsoft 365 accounts. Standard SMS-based OTP will not stop this attack. Move to Microsoft Authenticator with number matching, or hardware FIDO2 keys for privileged accounts.
- Train staff to verify IT support requests through a secondary channel. No legitimate IT team will ask for credentials or remote access through a Teams chat alone. Establish a call-back verification protocol and communicate it this week.
- Review your Microsoft 365 audit logs for the past 30 days. Look for unusual sign-in locations, new OAuth app consents, and Teams guest access additions - these are early indicators of compromise aligned with MuddyWater's tradecraft.
- Test your incident response playbook against a ransomware + credential theft scenario. The false flag element means your team may initially respond to the wrong threat. Tabletop this scenario with your SOC or IT leadership before an attacker forces it on you.
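The fourth action above (a 30-day sweep of Microsoft 365 audit logs for unusual sign-in locations, new OAuth app consents, and Teams guest additions) is easy to describe and tedious to do by hand. The script below is an added example, not code from this advisory or from DRONGO: it triages exported Unified Audit Log records (one JSON object per line, as you would get from Search-UnifiedAuditLog after ConvertTo-Json -Compress) and correlates the three indicators per user. It assumes the AuditData field names Operation, Workload, UserId, ClientIP, CreationTime and Members/UPN, and the Entra ID convention that guest UPNs contain "#EXT#". The sample records and the "known egress" ranges are constructed (the IP addresses are from documentation-reserved blocks), and "unusual sign-in location" is approximated as "sign-in from outside your known office/VPN egress ranges" rather than true geolocation.

```python
"""Triage exported Microsoft 365 Unified Audit Log records for the three
indicators named in the advisory: sign-ins from outside known egress ranges,
OAuth app consents, and guest additions to Teams. Sample data is constructed."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: JSON-lines export of AuditData records. Field names follow
# the Unified Audit Log schema (an assumption of this example); values are invented.
SAMPLE_LOG = """
{"CreationTime":"2026-02-03T07:12:00","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"amina@example.go.ke","ClientIP":"198.51.100.20"}
{"CreationTime":"2026-02-03T22:41:00","Operation":"UserLoggedIn","Workload":"AzureActiveDirectory","UserId":"amina@example.go.ke","ClientIP":"203.0.113.5"}
{"CreationTime":"2026-02-03T22:45:00","Operation":"Consent to application.","Workload":"AzureActiveDirectory","UserId":"amina@example.go.ke","ObjectId":"MailBackupHelper"}
{"CreationTime":"2026-02-04T09:00:00","Operation":"MemberAdded","Workload":"MicrosoftTeams","UserId":"amina@example.go.ke","TeamName":"Procurement","Members":[{"UPN":"itsupport_outlook.com#EXT#@example.go.ke","Role":3}]}
{"CreationTime":"2026-02-04T09:05:00","Operation":"MemberAdded","Workload":"MicrosoftTeams","UserId":"juma@example.go.ke","TeamName":"Finance","Members":[{"UPN":"fatuma@example.go.ke","Role":2}]}
{"CreationTime":"2025-12-01T10:00:00","Operation":"Consent to application.","Workload":"AzureActiveDirectory","UserId":"juma@example.go.ke","ObjectId":"OldCalendarSync"}
"""

# Constructed: the office and VPN egress ranges sign-ins are expected from.
KNOWN_EGRESS = ["198.51.100.0/24", "192.0.2.0/24"]


def parse_records(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def within_window(rec, now, days):
    """Keep only records inside the review window (the advisory says 30 days)."""
    ts = datetime.fromisoformat(rec["CreationTime"])
    return now - timedelta(days=days) <= ts <= now


def flag_external_signins(records, known_ranges):
    """Sign-ins whose client IP is outside every known egress range."""
    nets = [ipaddress.ip_network(n) for n in known_ranges]
    hits = []
    for r in records:
        if r.get("Operation") != "UserLoggedIn":
            continue
        ip = ipaddress.ip_address(r["ClientIP"])
        if not any(ip in n for n in nets):
            hits.append((r["UserId"], r["ClientIP"], r["CreationTime"]))
    return hits


def flag_app_consents(records):
    """Every OAuth consent granted in the window; each one should be explainable."""
    return [(r["UserId"], r.get("ObjectId", "?"), r["CreationTime"])
            for r in records if r.get("Operation") == "Consent to application."]


def flag_guest_additions(records):
    """Teams member additions where the new member is a guest (#EXT# UPN)."""
    hits = []
    for r in records:
        if r.get("Workload") != "MicrosoftTeams" or r.get("Operation") != "MemberAdded":
            continue
        for m in r.get("Members", []):
            if "#EXT#" in m.get("UPN", ""):
                hits.append((r["UserId"], m["UPN"], r.get("TeamName", "?"), r["CreationTime"]))
    return hits


def triage(text, known_ranges, now, days=30):
    """Run all three checks and list users who trip more than one of them."""
    recs = [r for r in parse_records(text) if within_window(r, now, days)]
    findings = {
        "external_signins": flag_external_signins(recs, known_ranges),
        "app_consents": flag_app_consents(recs),
        "guest_additions": flag_guest_additions(recs),
    }
    # A user appearing in two or more categories is the first lead to work:
    # an odd sign-in followed by a consent or a guest invite is the pattern
    # that matters more than any single event.
    per_user = defaultdict(set)
    for category, hits in findings.items():
        for hit in hits:
            per_user[hit[0]].add(category)
    findings["priority_users"] = sorted(u for u, cats in per_user.items() if len(cats) > 1)
    return findings


def run_sample():
    """Triage the constructed sample as of a fixed review date."""
    return triage(SAMPLE_LOG, KNOWN_EGRESS, now=datetime(2026, 2, 10))


if __name__ == "__main__":
    for name, hits in run_sample().items():
        print(f"{name}: {hits}")
```

On the sample, the December consent falls outside the window and the internal Teams addition is ignored; one account shows an off-network sign-in, a consent and a guest invite within twelve hours, and is the only entry in priority_users. Point the script at a real export, replace KNOWN_EGRESS with your own ranges, and treat every priority user as a credential-theft lead to be investigated before any ransomware screen is taken at face value.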
DRONGO Recommendation
MuddyWater's false flag design is built to defeat organizations that rely on reactive incident response. DRONGO's Microsoft 365 Security Assessment reviews your Teams configuration, identity security posture, and MFA deployment against exactly this class of attack - delivering a prioritized remediation plan within 5 business days.
Is your organization protected? Request a free security assessment.