We recently analyzed a series of credential harvesting campaigns targeting Indian defense contractors where the entry point was not a traditional spear-phishing email, but a Microsoft Teams external chat invitation. MuddyWater (the Iranian MOIS-linked group Microsoft tracks as Mango Sandstorm; it is distinct from APT34/OilRig) has refined its TTPs to exploit the Teams "External access" default, which allows chat with every external domain and is still in place in many Indian enterprise environments. By leveraging the trust users place in the Teams UI, attackers bypass the email gateways that would otherwise flag malicious URLs or attachments, because Teams chat traffic never passes through them.
The Mechanics of Teams-Based Credential Theft
The attack typically begins with an external user adding a target employee to a new "Project" or "Urgent Review" group chat. Because Microsoft Teams allows external communication by default unless explicitly restricted, the target simply receives a toast notification. Recent Teams clients also show an accept/block prompt for the first message from an unknown external sender, but it is easy to click through. Unlike email, where "External Sender" banners are often ignored, the Teams UI marks external users with only a small "External" tag next to the name, which users frequently overlook during high-pressure scenarios.
Exploiting External Access and Open Federation
In the Indian IT landscape, we observed that many Managed Service Providers (MSPs) leave "External access" set to "Allow all domains" to facilitate easy collaboration between vendors and clients. MuddyWater exploits this by creating tenants with names like "SecurityAdmin-IN" or "IT-Support-Global" to impersonate legitimate entities. When a user accepts the chat, the attacker pushes a link to a credential harvesting site or a weaponized ZIP file hosted on a legitimate cloud service like OneDrive or Dropbox.
NTLM Relay via Malicious Invites
We have also tracked exploitation of CVE-2023-29328, a remote code execution vulnerability in the Microsoft Teams client that Microsoft patched in 2023; organizations running unpatched clients remain exposed. Separately, and without any vulnerability, a chat message or invite can embed a reference to an attacker-controlled SMB share (for example a UNC path), so that simply rendering the message causes Windows to attempt NTLM authentication to it. If the workstation is not configured with "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers" set to "Deny all", and outbound TCP/445 to the internet is not blocked, the client sends a Net-NTLMv2 challenge-response that the attacker can crack offline or relay; the password hash itself is never sent, but the response is often enough.
Detection Logic: Hunting via KQL and SIEM Logs
To detect these intrusions, we focus on the OfficeActivity table within Microsoft Sentinel or a similar SIEM. The most critical event to monitor is MemberAdded where the UPN of any entry in the Members array does not carry one of your tenant's verified domain suffixes. Note that Members lists every participant of the chat, not only the newly added one, so every element must be inspected.
Identifying Unauthorized External Additions
The following KQL query identifies instances where external users are added to internal group chats or teams, filtering out your own verified domains and your allowlisted partner domains. It compares the exact domain rather than using a substring match, because "!contains" would let a look-alike such as user@yourdomain.in.example-attacker.com through.
OfficeActivity
| where OfficeWorkload == "MicrosoftTeams"
| where Operation == "MemberAdded"
| mv-expand Member = parse_json(Members)
| extend MemberUPN = tostring(Member.UPN), MemberDisplayName = tostring(Member.DisplayName)
| extend MemberDomain = tolower(extract(@"@([^@]+)$", 1, MemberUPN))
| where MemberDomain !in~ ("yourdomain.in", "partner-domain.in")
| project TimeGenerated, UserId, MemberUPN, MemberDisplayName, TeamName, ClientIP
Detecting Script-Based File Interactions
MuddyWater often uses automated tools to exfiltrate data once a session is established. We look for non-browser User-Agents interacting with the SharePoint and OneDrive sites that back Teams file sharing. Note that file uploads and downloads from Teams are logged under the SharePoint and OneDrive workloads, not under MicrosoftTeams, so a query that filters on OfficeWorkload == "MicrosoftTeams" returns nothing for these operations. This query filters for common command-line tools used in the post-exploitation phase and restricts the result to identities the tenant places in India.
OfficeActivity
| where OfficeWorkload in ("SharePoint", "OneDrive")
| where Operation in ("FileDownloaded", "FileUploaded")
| where UserAgent has_any ("curl", "powershell", "python-requests", "Go-http-client")
| join kind=inner (
    IdentityInfo
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | where Country == "IN"
    | project AccountUPN
  ) on $left.UserId == $right.AccountUPN
| project TimeGenerated, UserId, ClientIP, Operation, SourceFileName, Site_Url, UserAgent
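The two hunts above, re-implemented offline as an added example (this is not the page's own code nor a Microsoft tool) over constructed OfficeActivity-style rows, so the matching logic can be checked before it becomes a Sentinel analytics rule. The tenant domains, the partner allowlist, the user agents and every sample row are assumptions; the sample includes a look-alike domain and a chat where the internal user is Members[0], the two cases a naive rule misses.

```python
"""Added example (not the page's own code): the two Teams hunts above,
re-implemented offline over constructed OfficeActivity-style rows so the
matching logic can be checked before it becomes a Sentinel analytics rule."""
import json

# Assumptions: your tenant's verified domains and the external-access allowlist.
INTERNAL_DOMAINS = {"yourdomain.in"}
PARTNER_DOMAINS = {"partner-domain.in"}
# Teams file uploads/downloads are logged under the SharePoint/OneDrive workloads.
FILE_WORKLOADS = {"SharePoint", "OneDrive"}
SCRIPT_UA_TOKENS = ("curl", "powershell", "python-requests", "go-http-client")


def member(display_name, upn, role=2):
    """One entry of the Members array as OfficeActivity records it."""
    return {"DisplayName": display_name, "Role": role, "UPN": upn}


# Constructed sample rows, shaped like Sentinel's OfficeActivity table.
SAMPLE_EVENTS = [
    # 1. External tenant added to a group chat. The internal user is element 0,
    #    so a rule that only inspects Members[0] would miss the external entry.
    {"TimeGenerated": "2024-03-04T09:12:00Z", "OfficeWorkload": "MicrosoftTeams",
     "Operation": "MemberAdded", "UserId": "ravi@yourdomain.in",
     "ClientIP": "203.0.113.10",
     "Members": json.dumps([member("Ravi Kumar", "ravi@yourdomain.in", 1),
                            member("IT Support (External)",
                                   "support@it-support-global.onmicrosoft.com")])},
    # 2. Look-alike suffix: survives a naive `!contains "@yourdomain.in"` test.
    {"TimeGenerated": "2024-03-04T09:20:00Z", "OfficeWorkload": "MicrosoftTeams",
     "Operation": "MemberAdded", "UserId": "priya@yourdomain.in",
     "ClientIP": "203.0.113.11",
     "Members": json.dumps([member("Security Admin",
                                   "admin@yourdomain.in.example-attacker.com")])},
    # 3. Allowlisted partner: expected collaboration, must not alert.
    {"TimeGenerated": "2024-03-04T09:30:00Z", "OfficeWorkload": "MicrosoftTeams",
     "Operation": "MemberAdded", "UserId": "ravi@yourdomain.in",
     "ClientIP": "203.0.113.10",
     "Members": json.dumps([member("Vendor PM", "pm@partner-domain.in")])},
    # 4. Scripted download of a Teams-shared file.
    {"TimeGenerated": "2024-03-04T10:02:00Z", "OfficeWorkload": "SharePoint",
     "Operation": "FileDownloaded", "UserId": "ravi@yourdomain.in",
     "ClientIP": "198.51.100.7", "SourceFileName": "Project_Review.docx",
     "UserAgent": "curl/8.4.0"},
    # 5. Same file from a browser: benign.
    {"TimeGenerated": "2024-03-04T10:05:00Z", "OfficeWorkload": "SharePoint",
     "Operation": "FileDownloaded", "UserId": "priya@yourdomain.in",
     "ClientIP": "10.0.0.5", "SourceFileName": "Project_Review.docx",
     "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/122.0"},
]


def upn_domain(upn):
    """Lower-cased domain part of a UPN; '' when it has no '@'."""
    _, sep, domain = upn.rpartition("@")
    return domain.lower() if sep else ""


def naive_contains_check(upn):
    """The original `!contains "@yourdomain.in"` logic: True means 'treated as external'."""
    return "@yourdomain.in" not in upn.lower()


def external_member_adds(events, allowed_domains):
    """Every added member whose UPN domain is not exactly one of allowed_domains."""
    hits = []
    for ev in events:
        if ev.get("OfficeWorkload") != "MicrosoftTeams" or ev.get("Operation") != "MemberAdded":
            continue
        members = ev.get("Members") or "[]"
        if isinstance(members, str):          # the column arrives as JSON text
            members = json.loads(members)
        for m in members:                      # inspect all members, not just [0]
            upn = m.get("UPN", "")
            if upn_domain(upn) not in allowed_domains:
                hits.append({"TimeGenerated": ev["TimeGenerated"], "AddedBy": ev["UserId"],
                             "ExternalUser": upn, "DisplayName": m.get("DisplayName", ""),
                             "ClientIP": ev.get("ClientIP")})
    return hits


def scripted_file_ops(events):
    """File uploads/downloads whose User-Agent looks like a CLI tool, not a browser."""
    hits = []
    for ev in events:
        if ev.get("OfficeWorkload") not in FILE_WORKLOADS:
            continue
        if ev.get("Operation") not in ("FileDownloaded", "FileUploaded"):
            continue
        ua = (ev.get("UserAgent") or "").lower()   # case-insensitive substring match
        if any(tok in ua for tok in SCRIPT_UA_TOKENS):
            hits.append({"TimeGenerated": ev["TimeGenerated"], "UserId": ev["UserId"],
                         "ClientIP": ev.get("ClientIP"), "Operation": ev["Operation"],
                         "FileName": ev.get("SourceFileName"), "UserAgent": ev.get("UserAgent")})
    return hits


if __name__ == "__main__":
    for hit in external_member_adds(SAMPLE_EVENTS, INTERNAL_DOMAINS | PARTNER_DOMAINS):
        print("EXTERNAL ADD  ", hit)
    for hit in scripted_file_ops(SAMPLE_EVENTS):
        print("SCRIPTED FILE ", hit)
```

Running it flags the it-support-global tenant and the look-alike domain (both pass the original substring test in one direction or another) while leaving the allowlisted partner alone, and flags only the curl download. KQL's has_any matches whole terms; the Python substring match is slightly broader, which is the safer direction for a hunt.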
Analyzing C2 Infrastructure and Certificates
When we identify a suspicious IP address in the logs, we pivot to network analysis. MuddyWater frequently uses low-cost VPS providers such as DigitalOcean or Linode. During our investigation, we found that their C2 servers often present self-signed certificates or Let's Encrypt certificates whose subject names, issuers, validity windows and SHA-256 fingerprints recur across infrastructure and can be used as pivots.
Manual C2 Verification via OpenSSL
If you identify a suspicious outbound connection from a workstation after a Teams interaction, inspect the remote certificate from an isolated analysis host (never from the affected workstation) with openssl. Be aware that connecting to the server tells the operator someone is looking; where a certificate transparency search is available, check that first. The fields below are the ones worth recording and pivoting on; a certificate will not, of course, contain the attacker's name.
$ openssl s_client -connect <Suspicious_C2_IP>:443 -servername <Suspicious_Host> -showcerts </dev/null 2>/dev/null \
    | openssl x509 -noout -subject -issuer -dates -ext subjectAltName -fingerprint -sha256
Auditing Installed Teams Apps
Attackers may also attempt to sideload malicious Teams apps to maintain persistence. These apps often request extensive Microsoft Graph permissions such as Chat.ReadWrite or Files.ReadWrite.All. Use the Microsoft Graph PowerShell module (Microsoft.Graph.Teams) to list the apps installed for a user and flag any that did not come from the Teams store, i.e. organization-published or sideloaded apps.
# PowerShell: list installed Teams apps for a user that were not distributed through the store
# (assumes Microsoft.Graph.Teams; requires the TeamsAppInstallation.ReadForUser scope)
Connect-MgGraph -Scopes "TeamsAppInstallation.ReadForUser"
Get-MgUserTeamworkInstalledApp -UserId <Target_ID> -ExpandProperty "teamsApp" |
    Where-Object { $_.TeamsApp.DistributionMethod -ne "store" } |
    Select-Object @{n="App";e={$_.TeamsApp.DisplayName}}, @{n="Source";e={$_.TeamsApp.DistributionMethod}}, @{n="AppId";e={$_.TeamsApp.Id}}
Advanced Indicators of Phishing in Teams
Manual detection remains a core component of the SOC workflow. We look for specific linguistic and technical markers that deviate from standard organizational behavior.
The "External" Tag and Display Name Spoofing
While the "External" tag is a built-in security feature, attackers use display name spoofing to create confusion. An external user's display name is set in the attacker's own tenant, so they can choose "System Alert (External)" or "IT Support (External)"; users read the "IT Support" part and treat the bracketed tag as part of the name. Exchange transport (mail flow) rules do not apply to Teams chats, so there is no equivalent of prepending a warning banner to external messages. The effective controls are to restrict who can reach your users in the first place (see the external access hardening below), to flag external MemberAdded events in the SIEM, and to train users that the tag next to the name, not the name itself, is what identifies an outsider.
Urgency and Coercion Patterns
MuddyWater campaigns often utilize themes related to compliance or payroll. In the Indian context, we see lures related to "Income Tax Filings" or "DPDP Act Compliance Requirements." Any message requesting an immediate password reset or a "security check" via an external link must be treated as high-risk.
Unexpected File Transfer Requests
Teams integrates deeply with SharePoint and OneDrive. When an external attacker shares a file, the system generates a legitimate-looking notification. I have observed cases where the file is a .LNK file disguised as a PDF (e.g., Invoice_2023_INR.pdf.lnk); Windows Explorer never shows the .lnk extension, so the user sees Invoice_2023_INR.pdf. This file, when opened, executes a PowerShell stager that connects to the attacker's C2.
Leveraging Microsoft Defender for Office 365
Automation is necessary to handle the volume of Teams interactions. Microsoft Defender for Office 365 provides several layers of protection that must be correctly configured to be effective.
Safe Links for Teams
Safe Links provides time-of-click verification of URLs in Teams chats and channels. This is critical because MuddyWater often uses "sleeper" URLs: links that point to benign content when the message is first scanned but are redirected to credential harvesting pages once the campaign begins. Ensure that "Safe Links checks a list of known, malicious links when users click links in Microsoft Teams" is turned on in the Safe Links policies that apply to your users (Microsoft Defender portal, Policies & rules, Threat policies, Safe Links); the setting is per policy, so check every policy, not only the default.
Safe Attachments and Sandboxing
Safe Attachments for SharePoint, OneDrive, and Microsoft Teams detonates files shared via Teams in a virtual environment. This is particularly effective against obfuscated scripts or new samples that bypass static signature-based detection. Turn it on in the Safe Attachments global settings, and make sure detected files cannot be downloaded by running Set-SPOTenant -DisallowInfectedFileDownload $true, so a file marked malicious is blocked rather than merely flagged.
Automated Investigation and Response (AIR)
When a phishing alert is triggered, AIR can automatically correlate the alert with other signals, such as suspicious login attempts or mailbox rules. In a recent incident, AIR identified a compromised account that was being used to spread internal phishing messages via Teams, allowing us to isolate the account within minutes.
Technical Hardening and Prevention Strategies
Prevention starts with reducing the attack surface. If your organization does not require open federation, it should be disabled immediately.
Restricting External Access
Navigate to the Microsoft Teams admin center and modify the "External access" settings. We recommend moving from "Allow all external domains" to "Allow only specific external domains." This allowlist approach ensures that only verified partners can initiate contact with your employees. Also disable chat with Teams accounts that are not managed by an organization and with Skype users, which are separate toggles in the same place. The equivalent configuration in PowerShell takes a domain pattern list rather than a plain string:
# Example: restricting federation to an explicit allowlist (MicrosoftTeams module, after Connect-MicrosoftTeams)
$patterns  = @("partner-domain.in", "vendor-domain.com") | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList -AllowTeamsConsumer $false -AllowPublicUsers $false
Enforcing Conditional Access and MFA
Multi-Factor Authentication (MFA) is the single most effective deterrent against credential theft. However, MuddyWater has been known to use MFA fatigue (push bombing) attacks, and a credential harvesting page can be an adversary-in-the-middle proxy that relays the MFA prompt and captures the resulting session cookie. Two Entra ID controls close those gaps: require a phishing-resistant authentication strength (FIDO2 security keys, Windows Hello for Business or certificate-based authentication) in Conditional Access, which a proxy cannot replay, and enable Token Protection so that sign-in session tokens are bound to the device they were issued to and a stolen token cannot be used from the attacker's machine. Number matching in Microsoft Authenticator blunts the fatigue technique where passwordless is not yet deployed.
Managing Third-Party App Permissions
Review the OAuth permissions granted to third-party apps within the tenant. Attackers often use "Consent Phishing" to gain access to data without needing the user's password. Delegated permissions live in OAuth2 permission grants as a space-separated Scope string, and application permissions live in app role assignments (by role ID, not name), so the service principal object itself does not carry the scope names. The following lists every delegated grant that includes the high-risk chat or file scopes and the app that holds it:
# Delegated grants: Scope is a space-separated string of permission names (Microsoft.Graph.Applications module)
$risky = '\b(Chat\.Read|Chat\.ReadWrite|Files\.Read\.All|Files\.ReadWrite\.All)\b'
Get-MgOauth2PermissionGrant -All | Where-Object { $_.Scope -match $risky } | ForEach-Object {
    [pscustomobject]@{ App = (Get-MgServicePrincipal -ServicePrincipalId $_.ClientId).DisplayName; ConsentType = $_.ConsentType; Scope = $_.Scope }
}
# Application permissions are separate: Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId <SP_ID> and map AppRoleId to the Graph app roles
Incident Response: Remediation Steps
When a Teams-based phishing attack is confirmed, the response must be swift to prevent lateral movement and data exfiltration.
Isolating the Compromised Account
The first step is to revoke all active sessions for the affected user. This invalidates the user's refresh tokens, so the attacker can no longer mint new access tokens from a stolen session. Access tokens already issued stay valid until they expire (by default about an hour), so disable the account and reset the password in the same step, and require re-registration of MFA if the attacker may have enrolled a method.
# Disable the account, then revoke refresh tokens and browser session cookies (Microsoft.Graph.Users and .Users.Actions)
Update-MgUser -UserId <User_Object_ID> -AccountEnabled:$false
Revoke-MgUserSignInSession -UserId <User_Object_ID>
Purging Malicious Messages
Microsoft provides the New-ComplianceSearch and New-ComplianceSearchAction cmdlets (Security & Compliance PowerShell, Connect-IPPSSession) to find and delete malicious messages across the entire organization; Search-UnifiedAuditLog is for reading the audit trail, not for deletion. Purging is vital to prevent other users from clicking the same link. Run the search, wait for it to complete, review the item count, and only then purge.
New-ComplianceSearch -Name "RemovePhishingMessage" -ExchangeLocation All -ContentMatchQuery 'kind:im "suspicious-link.com"'
Start-ComplianceSearch -Identity "RemovePhishingMessage"
# Poll until Status is Completed and sanity-check the hit count before deleting anything
Get-ComplianceSearch -Identity "RemovePhishingMessage" | Select-Object Status, Items
New-ComplianceSearchAction -SearchName "RemovePhishingMessage" -Purge -PurgeType HardDelete
Reviewing Audit Logs for Data Exfiltration
Under the DPDP Act 2023, Indian organizations are required to report data breaches to the Data Protection Board. Review the FileDownloaded events in the OfficeActivity logs to determine exactly what data was accessed. Look for high volumes of downloads within a short timeframe originating from the compromised account.
OfficeActivity
| where OfficeWorkload in ("SharePoint", "OneDrive")
| where Operation == "FileDownloaded"
| where UserId =~ "<Compromised_UPN>"
| summarize Downloads = count(), DistinctFiles = dcount(SourceFileName), Sample = make_set(SourceFileName, 20) by ClientIP, bin(TimeGenerated, 1h)
| where Downloads > 50
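The same download-burst hunt as an added example (not the page's own code) over constructed FileDownloaded rows: it implements the fixed one-hour bins the KQL uses and, beside them, a sliding one-hour window. The account name, the IPs, the 50-per-hour threshold and every sample row are assumptions. The sample deliberately includes a 60-file pull split across 13:40 and 14:02, which the fixed bins split into two harmless halves and the sliding window catches.

```python
"""Added example (not the page's own code): hunting for download bursts by a
compromised account over constructed OfficeActivity-style FileDownloaded rows,
with both the fixed one-hour bins the KQL above uses and a sliding window."""
from collections import defaultdict
from datetime import datetime, timedelta

THRESHOLD = 50                                   # downloads per hour per source IP
WINDOW = timedelta(hours=1)
COMPROMISED_USER = "compromised@yourdomain.in"   # assumed UPN of the affected account


def parse_ts(ts):
    """OfficeActivity timestamps are ISO-8601 UTC with a trailing Z."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def downloads(user, ip, start, count, prefix):
    """Constructed sample rows: `count` downloads 30 s apart starting at `start`."""
    t0 = parse_ts(start)
    return [{"TimeGenerated": (t0 + timedelta(seconds=30 * i)).isoformat().replace("+00:00", "Z"),
             "OfficeWorkload": "SharePoint", "Operation": "FileDownloaded",
             "UserId": user, "ClientIP": ip, "SourceFileName": f"{prefix}_{i:03d}.pdf"}
            for i in range(count)]


# Constructed sample: one obvious bulk pull, one pull that straddles an hour edge,
# a handful of normal downloads, and a different user's activity that must be ignored.
SAMPLE_EVENTS = (
    downloads(COMPROMISED_USER, "198.51.100.7", "2024-03-04T09:00:00Z", 80, "tender")
    + downloads(COMPROMISED_USER, "198.51.100.9", "2024-03-04T13:40:00Z", 30, "drawings")
    + downloads(COMPROMISED_USER, "198.51.100.9", "2024-03-04T14:02:00Z", 30, "specs")
    + downloads(COMPROMISED_USER, "10.0.0.5", "2024-03-04T11:00:00Z", 5, "memo")
    + downloads("colleague@yourdomain.in", "203.0.113.5", "2024-03-04T09:00:00Z", 60, "x")
)


def _user_downloads(events, user):
    for ev in events:
        if ev.get("Operation") == "FileDownloaded" and ev.get("UserId", "").lower() == user.lower():
            yield ev


def binned_bursts(events, user, threshold=THRESHOLD):
    """Equivalent of `summarize ... by ClientIP, bin(TimeGenerated, 1h) | where Downloads > threshold`."""
    buckets = defaultdict(list)
    for ev in _user_downloads(events, user):
        hour = parse_ts(ev["TimeGenerated"]).replace(minute=0, second=0, microsecond=0)
        buckets[(ev["ClientIP"], hour)].append(ev["SourceFileName"])
    return [{"ClientIP": ip, "Hour": hour.isoformat(), "Downloads": len(files),
             "DistinctFiles": len(set(files))}
            for (ip, hour), files in sorted(buckets.items()) if len(files) > threshold]


def sliding_bursts(events, user, threshold=THRESHOLD, window=WINDOW):
    """Densest `window` of downloads per source IP; catches bursts that straddle a bin edge."""
    per_ip = defaultdict(list)
    for ev in _user_downloads(events, user):
        per_ip[ev["ClientIP"]].append((parse_ts(ev["TimeGenerated"]), ev["SourceFileName"]))
    hits = []
    for ip, rows in sorted(per_ip.items()):
        rows.sort()
        best, best_span, left = 0, None, 0
        for right in range(len(rows)):            # two-pointer sweep over sorted times
            while rows[right][0] - rows[left][0] > window:
                left += 1
            if right - left + 1 > best:
                best, best_span = right - left + 1, (rows[left][0], rows[right][0])
        if best > threshold:
            hits.append({"ClientIP": ip, "Start": best_span[0].isoformat(),
                         "End": best_span[1].isoformat(), "Downloads": best})
    return hits


if __name__ == "__main__":
    print("binned :", binned_bursts(SAMPLE_EVENTS, COMPROMISED_USER))
    print("sliding:", sliding_bursts(SAMPLE_EVENTS, COMPROMISED_USER))
```

The binned pass reports only 198.51.100.7; the sliding pass also reports the 60 files pulled from 198.51.100.9 across the 14:00 boundary. In Sentinel the same effect is obtained by running the binned query twice with the bin offset by 30 minutes, or by lowering the threshold and raising the bin size.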
The Indian Context: Compliance and Infrastructure
Indian enterprises often face unique challenges, such as a high reliance on mobile-first workforces and varied ISP security postures. CERT-In frequently issues advisories regarding APT groups like MuddyWater. Following the DPDP Act 2023, the financial implications of a data breach can reach up to ₹250 crore for significant non-compliance. Ensuring robust logging and rapid response capabilities for collaboration tools like Teams is no longer optional; it is a regulatory necessity.
We have observed that many Indian firms utilize localized ISPs that may not implement DNS-level filtering for known C2 domains. Implementing a centralized DNS security solution (like Cisco Umbrella or NextDNS) can provide an additional layer of defense by blocking the resolution of domains used in MuddyWater campaigns.
Monitoring for NTLM Relay Attempts
To detect the NTLM coercion described earlier, monitor your firewall logs for outbound traffic on port 445 (SMB) from user workstations to public IP addresses. In a modern cloud-first environment, there is rarely a legitimate reason for a workstation to initiate an outbound SMB connection to the internet, so log it and then block it. The log format depends on the gateway; on an iptables-based Linux gateway, add an explicit LOG rule with a recognisable prefix so the events can be pulled out of syslog reliably (extend the destination exclusion to all of your internal ranges):
# Log forwarded SMB to non-private destinations on an iptables gateway, then review syslog
iptables -I FORWARD -p tcp --dport 445 ! -d 10.0.0.0/8 -j LOG --log-prefix "OUTBOUND_SMB: "
grep "OUTBOUND_SMB" /var/log/syslog | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^(SRC|DST)=/) printf "%s ", $i; print "" }' | sort | uniq -c
Finally, cross-check the Teams findings against the Entra ID directory audit, which records membership changes for the Microsoft 365 groups behind teams (ad hoc group chats do not appear here; they exist only in OfficeActivity):
Get-MgAuditLogDirectoryAudit -Filter "category eq 'GroupManagement' and activityDisplayName eq 'Add member to group'" | Select-Object ActivityDateTime, @{n="By";e={$_.InitiatedBy.User.UserPrincipalName}}, @{n="Targets";e={($_.TargetResources | ForEach-Object { $_.UserPrincipalName }) -join ","}}
