Severity: CRITICAL | Affected Sectors: Government, Financial Services, Telecommunications | Region: East Africa, Horn of Africa

The Threat

The Iranian state-sponsored hacking group MuddyWater - also tracked as Mango Sandstorm, Seedworm, and Static Kitten - has been caught running an active campaign that weaponizes Microsoft Teams to steal credentials and deploy ransomware. Documented by Rapid7 in early 2026, the attack is classified as a "false flag" operation, meaning the group deliberately disguises its activity to look like a different threat actor, complicating attribution and slowing organizational response.

The attack chain is deceptively simple: MuddyWater operatives pose as IT support staff or trusted colleagues inside Teams chat, using social engineering to trick employees into handing over login credentials or installing malicious remote access tools. Once inside, they move laterally, escalate privileges, and stage ransomware payloads.

This is not a phishing email you can train users to spot. It arrives inside your own collaboration platform, from what appears to be a trusted internal contact.

Impact Assessment for East African Organizations

Microsoft Teams is now standard infrastructure across Kenyan government ministries, Ethiopian federal agencies, Somali financial institutions, and regional banks operating under CBK, NBE, and CBS regulatory frameworks. Any organization using Teams for internal communication is a potential target.

The risks are compounded by several regional factors:

  • Thin IT security teams: Most East African public sector agencies and mid-tier banks lack dedicated incident response capacity to detect lateral movement after initial credential compromise.
  • High ransomware impact: A successful ransomware deployment against a government ministry or regional bank could trigger regulatory reporting obligations under the Kenya Data Protection Act 2019, CBK Cybersecurity Guidelines, and the Computer Misuse and Cybercrimes Act - with potential fines and reputational damage.
  • False flag complexity: The group's deliberate obfuscation means standard threat intelligence feeds may not flag the attack in time. Behavior-based detection is essential.
  • Geopolitical exposure: Horn of Africa organizations - particularly those with ties to government contracts, infrastructure projects, or international financial corridors - are historically higher-value targets for state-sponsored actors.

Immediate Actions - Do These Now

  • Audit Microsoft Teams external access settings immediately. Disable or strictly limit guest access and external domain federation unless operationally required. Review which external parties can initiate chats with your staff.
  • Enable and review Teams audit logs. If your organization is on Microsoft 365, activate Unified Audit Logging and flag anomalous messaging patterns - especially unsolicited IT support requests via Teams chat.
  • Enforce phishing-resistant MFA across all Microsoft 365 accounts. SMS-based MFA is insufficient. Deploy FIDO2 hardware keys or Microsoft Authenticator with number matching for all privileged users immediately.
  • Brief staff on in-platform social engineering. Your workforce is trained to distrust email links. They are almost certainly not trained to distrust a Teams message from "IT Support." Run an emergency awareness session this week.
  • Isolate and review privileged accounts. MuddyWater's lateral movement depends on escalating from a standard user to a privileged one. Audit your Active Directory and Entra ID for stale admin accounts, over-permissioned roles, and unused service accounts.
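One way to act on the audit-log step above, as an added example that is not DRONGO's or Rapid7's tooling: it assumes Teams records exported from Microsoft 365 Unified Audit Logging with each AuditData JSON object on its own line, keys off the Teams audit fields Operation, CommunicationType, UserId, ParticipantInfo and Members, and flags private or group chats that involve an external or guest party, with extra weight when the external sender's display name reads like IT support. The tenant domain `ministry.go.ke` and the sample records are constructed.

```python
import json

INTERNAL_DOMAINS = {"ministry.go.ke"}  # assumption: the tenant's own verified domains
IMPERSONATION_WORDS = ("it support", "helpdesk", "help desk", "service desk", "it admin")

def domain_of(upn: str) -> str:
    return upn.rsplit("@", 1)[-1].lower() if "@" in upn else ""

def flag_record(rec: dict) -> list:
    """Reasons one Teams MessageSent record looks like in-platform social engineering."""
    reasons = []
    if rec.get("Operation") != "MessageSent" or rec.get("CommunicationType") not in ("OneOnOne", "GroupChat"):
        return reasons  # only private and group chats matter for this heuristic
    sender = rec.get("UserId", "")
    pinfo = rec.get("ParticipantInfo", {})
    external = domain_of(sender) not in INTERNAL_DOMAINS
    if external or pinfo.get("HasForeignTenantUsers") or pinfo.get("HasGuestUsers"):
        reasons.append("chat involves an external or guest party")
    # Display name the sender chose, taken from the record's Members list
    display = " ".join(m.get("DisplayName", "") for m in rec.get("Members", [])
                       if m.get("UPN", "").lower() == sender.lower()).lower()
    if external and any(w in display for w in IMPERSONATION_WORDS):
        reasons.append(f"external sender presents as support staff: {display!r}")
    return reasons

def triage(audit_data_lines) -> list:
    """Parse exported AuditData JSON lines and return the chats worth a SOC look."""
    findings = []
    for line in audit_data_lines:
        rec = json.loads(line)
        reasons = flag_record(rec)
        if reasons:
            findings.append({"time": rec.get("CreationTime"), "sender": rec.get("UserId"), "reasons": reasons})
    return findings

# Constructed sample records (not real telemetry), one AuditData object per line
SAMPLE_AUDIT_LINES = [
    '{"CreationTime":"2026-02-03T08:12:00","Operation":"MessageSent","UserId":"a.otieno@ministry.go.ke",'
    '"CommunicationType":"OneOnOne","ParticipantInfo":{"HasForeignTenantUsers":false,"HasGuestUsers":false},'
    '"Members":[{"DisplayName":"Amos Otieno","UPN":"a.otieno@ministry.go.ke"}]}',
    '{"CreationTime":"2026-02-03T08:15:00","Operation":"MessageSent","UserId":"support@helpdesk-contoso.example",'
    '"CommunicationType":"OneOnOne","ParticipantInfo":{"HasForeignTenantUsers":true,"HasGuestUsers":false},'
    '"Members":[{"DisplayName":"IT Support","UPN":"support@helpdesk-contoso.example"}]}',
    '{"CreationTime":"2026-02-03T09:01:00","Operation":"MessageSent","UserId":"vendor@partner.example",'
    '"CommunicationType":"GroupChat","ParticipantInfo":{"HasForeignTenantUsers":true,"HasGuestUsers":false},'
    '"Members":[{"DisplayName":"Vendor Account","UPN":"vendor@partner.example"}]}',
]
if __name__ == "__main__":
    for f in triage(SAMPLE_AUDIT_LINES):
        print(f["time"], f["sender"], "; ".join(f["reasons"]))
```

Unified Audit Log MessageSent records do not carry message bodies, so the script scores on who is in the chat and how the sender presents, not on content; treat its output as a triage queue, not a verdict.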

DRONGO Recommendation

DRONGO's SOC team is actively monitoring MuddyWater indicators of compromise (IOCs) across client environments in Kenya, Somalia, and Ethiopia. If your organization runs Microsoft 365 or Teams without behavioral monitoring and a tested incident response plan, your exposure is real and measurable. We can assess it in 48 hours.

Is your organization protected? Request a free security assessment.