KongTuke Microsoft Teams initial access campaign
Campaign
Summary
Hide ▲
Show ▼
The KongTuke campaign now uses Microsoft Teams social engineering to gain persistent access to corporate networks, shortening initial compromise to under five minutes and increasing downstream abuse risk. Operators pose as IT/help-desk staff and push victims to run a malicious PowerShell command that deploys ModeloRAT. The activity has run since at least April 2026 and has rotated through five Microsoft 365 tenants to evade blocking.
Related Happenings
Microsoft Teams admin policy adds approval-based control for third-party bots
Security Tool/Service
H score11
First: 30.06.2026 13:52
Last: 30.06.2026 13:52
Sources 1
About this happening:
Microsoft Teams introduced an **admin policy** that lets organizers prevent **third-party bots** from joining meetings without approval. The control improves **visibility** over e...
Microsoft Teams admin policy adds approval-based control for third-party bots
Security Tool/ServiceAbout this happening: Microsoft Teams introduced an **admin policy** that lets organizers prevent **third-party bots** from joining meetings without approval. The control improves **visibility** over e...
Microsoft Teams third-party bot approval controls for meeting social-engineering risk
Defensive Guidance
H score11
First: 30.06.2026 13:52
Last: 30.06.2026 13:52
Sources 1
About this happening:
**Microsoft Teams** has added admin controls that block **third-party bots** without approval, reducing **meeting social-engineering risk** across managed tenants. The policy impr...
Microsoft Teams third-party bot approval controls for meeting social-engineering risk
Defensive GuidanceAbout this happening: **Microsoft Teams** has added admin controls that block **third-party bots** without approval, reducing **meeting social-engineering risk** across managed tenants. The policy impr...
KongTuke ClickFix and Teams access-seeking campaign
Campaign
H score33
First: 25.06.2026 11:54
Last: 25.06.2026 11:54
Sources 1
About this happening:
The **KongTuke** operation is using **ClickFix** lures and **Microsoft Teams** messages to widen access-seeking attacks against **multiple organizations**, increasing the risk of...
KongTuke ClickFix and Teams access-seeking campaign
CampaignAbout this happening: The **KongTuke** operation is using **ClickFix** lures and **Microsoft Teams** messages to widen access-seeking attacks against **multiple organizations**, increasing the risk of...
Backdoor.Turn Microsoft Teams TURN relay malware activity
Malware Activity
H score29
First: 16.06.2026 13:18
Last: 16.06.2026 13:18
Sources 1
About this happening:
**Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...
Backdoor.Turn Microsoft Teams TURN relay malware activity
Malware ActivityAbout this happening: **Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...
Microsoft 365 Copilot Enterprise SearchLeak remote code execution flaw (CVE-2026-42824)
Vulnerability
H score34
First: 15.06.2026 16:00
Last: 15.06.2026 16:00
Sources 1
About this happening:
**Microsoft 365 Copilot Enterprise Search** has a **critical** vulnerability chain, **SearchLeak**, that could let a user leak **emails, calendar details, MFA codes, and indexed f...
Microsoft 365 Copilot Enterprise SearchLeak remote code execution flaw (CVE-2026-42824)
VulnerabilityAbout this happening: **Microsoft 365 Copilot Enterprise Search** has a **critical** vulnerability chain, **SearchLeak**, that could let a user leak **emails, calendar details, MFA codes, and indexed f...
Timeline
-
14.05.2026 15:12 2 articles · 1mo ago
KongTuke uses Microsoft Teams to social-engineer employees
Initial DisclosureKongTuke uses Microsoft Teams social engineering against company employees, posing as IT and help-desk staff to persuade victims to run a malicious PowerShell command that downloads a Dropbox ZIP, loads a portable WinPython environment, and launches ModeloRAT. The campaign has been active since at least April 2026, has rotated through five Microsoft 365 tenants to evade blocking, and defenders can blunt the activity by restricting external Microsoft Teams federation with allowlists and hunting for indicators of compromise.
Show sources
- KongTuke hackers now use Microsoft Teams for corporate breaches — www.bleepingcomputer.com — 14.05.2026 15:12
- KongTuke hackers now use Microsoft Teams for corporate breaches — www.bleepingcomputer.com — 14.05.2026 15:12