Find notable cyber news and cases, enriched with sources, timelines, and signals.

KongTuke Microsoft Teams initial access campaign

Campaign
First reported
Last updated
Happening score
H score 42
1 unique sources, 1 articles

Summary

Hide ▲

The KongTuke campaign now uses Microsoft Teams social engineering to gain persistent access to corporate networks, shortening initial compromise to under five minutes and increasing downstream abuse risk. Operators pose as IT/help-desk staff and push victims to run a malicious PowerShell command that deploys ModeloRAT. The activity has run since at least April 2026 and has rotated through five Microsoft 365 tenants to evade blocking.

Related Happenings

Microsoft Teams admin policy adds approval-based control for third-party bots

Security Tool/Service
H score11 First: 30.06.2026 13:52 Last: 30.06.2026 13:52 Sources 1

About this happening: Microsoft Teams introduced an **admin policy** that lets organizers prevent **third-party bots** from joining meetings without approval. The control improves **visibility** over e...

Microsoft Teams third-party bot approval controls for meeting social-engineering risk

Defensive Guidance
H score11 First: 30.06.2026 13:52 Last: 30.06.2026 13:52 Sources 1

About this happening: **Microsoft Teams** has added admin controls that block **third-party bots** without approval, reducing **meeting social-engineering risk** across managed tenants. The policy impr...

KongTuke ClickFix and Teams access-seeking campaign

Campaign
H score33 First: 25.06.2026 11:54 Last: 25.06.2026 11:54 Sources 1

About this happening: The **KongTuke** operation is using **ClickFix** lures and **Microsoft Teams** messages to widen access-seeking attacks against **multiple organizations**, increasing the risk of...

Backdoor.Turn Microsoft Teams TURN relay malware activity

Malware Activity
H score29 First: 16.06.2026 13:18 Last: 16.06.2026 13:18 Sources 1

About this happening: **Backdoor.Turn** is a **Go-based RAT** tied to **DragonForce ransomware** operators that hid command-and-control traffic through **Microsoft Teams TURN relay infrastructure** dur...

Microsoft 365 Copilot Enterprise SearchLeak remote code execution flaw (CVE-2026-42824)

Vulnerability
H score34 First: 15.06.2026 16:00 Last: 15.06.2026 16:00 Sources 1

About this happening: **Microsoft 365 Copilot Enterprise Search** has a **critical** vulnerability chain, **SearchLeak**, that could let a user leak **emails, calendar details, MFA codes, and indexed f...

Timeline

  1. 14.05.2026 15:12 2 articles · 1mo ago

    KongTuke uses Microsoft Teams to social-engineer employees

    Initial Disclosure

    KongTuke uses Microsoft Teams social engineering against company employees, posing as IT and help-desk staff to persuade victims to run a malicious PowerShell command that downloads a Dropbox ZIP, loads a portable WinPython environment, and launches ModeloRAT. The campaign has been active since at least April 2026, has rotated through five Microsoft 365 tenants to evade blocking, and defenders can blunt the activity by restricting external Microsoft Teams federation with allowlists and hunting for indicators of compromise.

    Show sources