Conceptual image illustrating cybersecurity threats targeting Microsoft Teams for data protection in professional services.

When employees receive a Microsoft Teams message from "IT Support," they rarely question its legitimacy. After all, Teams is the official communication channel for millions of organizations worldwide. This trust is precisely what makes the ModeloRAT campaign so devastating for professional service firms. (Source: Rapid7)

The April 2026 incident investigated by Rapid7 reveals a harsh reality: attackers achieved complete domain compromise within 48 hours using nothing more than a Teams message and social engineering. The victim organization lost control of critical systems, had memory dumps containing passwords exfiltrated, and faced potential exposure of client data across their entire network.

ModeloRAT transforms Microsoft Teams from a collaboration tool into a persistent backdoor through a deceptively simple mechanism. The malware establishes multiple command-and-control channels that allow attackers to execute commands remotely, capture screenshots, upload and download files, and move laterally through the network. Think of it as giving attackers their own IT administrator account - except this one operates invisibly, survives system reboots, and can't be disabled through normal administrative controls.

What makes Teams particularly dangerous as an attack vector goes beyond traditional phishing concerns. Unlike email, which passes through spam filters and security gateways, Teams messages appear as direct business communications within the trusted workspace. The platform's external access feature, enabled by default in many environments, allows anyone with a Microsoft 365 tenant to message your employees directly. There's no suspicious email domain to scrutinize, no attachment warnings to heed - just what appears to be a routine support request from IT.

The business implications extend far beyond a single compromised endpoint. Once ModeloRAT establishes its foothold, it deploys a portable Python environment that operates independently of installed software. This means traditional application controls and software inventories won't detect it. The malware then uses legitimate Windows tools like PowerShell and rundll32.exe to blend in with normal system activity while mapping your network, harvesting credentials, and identifying valuable data repositories.

Professional service firms represent prime targets for this campaign due to their unique risk profile. Law firms store sensitive client litigation strategies and merger documents. Accounting firms maintain financial records and tax information for hundreds of businesses. Consulting firms possess intellectual property, strategic plans, and competitive intelligence from multiple industries. A single successful ModeloRAT infection provides attackers access not just to one organization, but potentially to the confidential data of every client that firm serves.

The financial services sector faces particular exposure because of stringent compliance requirements and the high value of financial data. Healthcare organizations, already struggling with ransomware attacks, now face an additional vector that bypasses traditional email security. Technology companies risk exposure of source code, product roadmaps, and customer databases.

Perhaps most concerning is the speed of escalation. The investigated incident progressed from initial Teams message to memory dump exfiltration in under two days. During this window, the attackers deployed multiple persistence mechanisms, harvested domain credentials through a fake lock screen, and established redundant command channels. By the time most organizations would detect unusual activity, the attackers had already achieved their objectives and begun data exfiltration through anonymous file-sharing services.

The Attack Chain: From Initial Compromise to Domain Takeover

The attack unfolds with surgical precision across distinct phases, each building on the previous compromise to deepen the attacker's foothold. Understanding this progression reveals why traditional perimeter defenses fail against this campaign.

Phase 1: Social Engineering Through Trusted Channels
The initial breach begins when an employee receives a Microsoft Teams message from what appears to be internal IT support. The attacker creates a rogue Microsoft 365 tenant - UCICasociacion.onmicrosoft.com - and configures the display name to match legitimate IT personnel. This mirrors tactics from the Octo Tempest playbook, where attackers exploit the default Teams external access settings that many organizations leave enabled.

Within minutes of the Teams interaction, a hidden PowerShell command executes on the victim's endpoint. The stager reaches out to Dropbox - a service rarely blocked by corporate firewalls - and downloads Winp.zip containing a portable Python environment. This "bring your own interpreter" technique bypasses application whitelisting since Python itself isn't malicious.

Phase 2: Reconnaissance and Beachhead Establishment
The downloaded package contains two critical components: collector.py and Pmanager.py. collector.py immediately profiles the compromised host, gathering system information, network configurations, and domain relationships. It generates an 8-character fingerprint that uniquely identifies this victim to the command-and-control infrastructure.

Pmanager.py establishes the primary ModeloRAT beacon, rotating communications across five hardcoded IP addresses on port 80. This HTTP-based traffic blends seamlessly with normal web browsing. The malware can execute PowerShell commands, load DLLs through rundll32, and deploy additional Python modules - all while maintaining persistence through scheduled tasks.

Phase 3: Privilege Escalation Through Known Vulnerability
Approximately two hours after initial compromise, the attacker deploys ssss.dll - a reflective loader containing an exploit for CVE-2023-36036. This vulnerability in the Windows Cloud Files Mini Filter Driver allows local privilege escalation through heap buffer overflow. The exploit registers a fake sync provider called "PLURIBUS" and triggers the overflow by writing to a placeholder file.


The sophistication lies in the implementation: rather than directly elevating privileges, the exploit spawns a helper thread that continuously checks for SeDebugPrivilege. Once the kernel corruption succeeds, this thread immediately launches internal.py with SYSTEM privileges. The entire escalation completes in under 30 seconds.

Phase 4: Credential Harvesting Through Deception
With SYSTEM access secured, the attacker deploys com6848.dll - a credential harvester disguised as a Windows lock screen. When executed, it renders a pixel-perfect replica of the Windows 10 lock screen, complete with embedded fonts. Users naturally enter their domain passwords to "unlock" their workstations, unknowingly providing the attacker with valid credentials.

This technique solves a critical problem: while SYSTEM privileges control the local machine, they cannot authenticate as the user to network resources. The harvested domain password enables access to file shares, email, and other systems where the user has permissions.

Phase 5: Lateral Movement and Data Collection
Armed with domain credentials, the attacker establishes RDP connections to additional workstations. On the second compromised host, they download the Comae toolkit and execute DumpIt.exe to capture system memory containing LSASS process data. This memory dump reveals cleartext passwords, NTLM hashes, and Kerberos tickets for other domain accounts.

The attacker exfiltrates the memory dump through uploadnow.io, an anonymous file-sharing service that requires no authentication. Throughout this phase, they also perform Kerberoasting attacks against service accounts and use WebDAV authentication spraying to identify systems accepting the compromised credentials.

ModeloRAT Attack Chain Progression

  • Phase 1 (T+0 minutes) - Social Engineering Breach: Rogue Teams message from fake IT support using the UCICasociacion.onmicrosoft.com tenant. PowerShell stager downloads the Python payload from Dropbox. Artifact: Winp.zip → Portable Python.
  • Phase 2 (T+30 minutes) - Reconnaissance & C2: collector.py profiles the system and generates an 8-char fingerprint. Pmanager.py establishes the ModeloRAT beacon across 5 IPs on port 80. Artifact: HTTP C2 traffic.
  • Phase 3 (T+2 hours) - Privilege Escalation: Deploys ssss.dll exploiting CVE-2023-36036 in the Windows Cloud Files Mini Filter. Creates a fake "PLURIBUS" sync provider to trigger the heap overflow. Artifact: CVE-2023-36036.

Detection: What to Look For in Logs and Network Traffic

Security teams hunting for ModeloRAT activity need to focus on behavioral patterns that distinguish this campaign from legitimate Teams usage and standard Python installations. The following detection opportunities provide high-confidence indicators with minimal false positives when correlated together.

Teams-Specific Behavioral Anomalies

Monitor Azure AD sign-in logs for Teams authentication from newly created tenants containing generic organization names. The UCICasociacion tenant pattern shows attackers creating disposable identities with official-sounding names. Flag any Teams external chat requests where the sender's tenant age is less than 30 days - legitimate IT departments don't operate from brand-new tenants.

Teams audit logs reveal critical bot and connector activity. Search for external users initiating chat sessions who immediately share links or request screen sharing within the first five messages. The ModeloRAT operators move quickly from initial contact to payload delivery, creating a distinctive timing signature. Additionally, monitor for Teams PowerShell module usage from accounts that have never previously administered Teams - attackers often automate their initial outreach using Teams Graph API calls that legitimate IT rarely employs for one-on-one support.

Process Execution Chains That Signal Compromise

The ModeloRAT infection creates a unique process tree that EDR solutions can detect through parent-child relationship monitoring. Look for this specific sequence:

  • powershell.exe spawning expand-archive operations in %APPDATA% followed by immediate file deletion
  • pythonw.exe processes launching from user profile directories rather than Program Files
  • Multiple pythonw.exe instances running simultaneously with different script arguments
  • rundll32.exe executing DLLs with single-word exports like "open" or "startproc"
  • wsmprovhost.exe spawning on systems where WinRM is typically disabled

Memory forensics tools should specifically search for DumpIt.exe execution patterns. This tool creates distinctive artifacts: a memory.dmp file matching system RAM size, followed by immediate network connections to file-sharing domains. The two-minute window between Comae toolkit extraction and uploadnow[.]io access provides a reliable detection opportunity.

Network Traffic Patterns

ModeloRAT's C2 infrastructure exhibits predictable network behavior that distinguishes it from legitimate traffic. Configure network monitoring to alert on:

HTTP beacons to multiple IP addresses in rapid succession, particularly when the same endpoint cycles through different IPs on port 80. The five hardcoded C2 servers create a rotation pattern where failed connections immediately retry with the next IP in sequence. This differs from legitimate applications that typically use DNS resolution or stick to primary/backup server pairs.

WebDAV authentication attempts using davclnt.dll generate SMB traffic patterns to internal systems. A single host attempting WebDAV connections to more than 10 internal IPs within five minutes indicates credential validation sweeps. These connections fail quickly when credentials don't work, creating a spike in TCP RST packets.

Critical Log Sources for ModeloRAT Detection

Windows Event ID 4688 (Process Creation) captures the entire attack chain when command-line logging is enabled. Filter for processes containing "WPy64-31401" or Python installations outside standard directories. Security teams should prioritize these events when the creating process is powershell.exe or cmd.exe running with hidden window flags.

Organizations detecting even one pythonw.exe process running from %APPDATA% should immediately isolate the affected system - this pattern appears in 100% of confirmed ModeloRAT infections.

Sysmon Event ID 11 (File Creation) reveals the PLURIBUS sync provider registration in %TEMP%\cldflt. This directory name combined with registry modifications to HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SyncRootManager confirms privilege escalation attempts via CVE-2023-36036.
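The process-chain indicators listed earlier (powershell.exe expanding archives into %APPDATA%, pythonw.exe from user profiles, single-word rundll32 exports, unexpected wsmprovhost.exe) together with the 4688 and Sysmon sources in this section, scored over constructed events as an added example that is not part of the Rapid7 write-up. The event shape, the host names, the WinRM-disabled host list and the sample paths are assumptions; WPy64-31401, cldflt, SyncRootManager and the export names come from the text.

```python
"""Score Windows process/file/registry events for the ModeloRAT host indicators.
Added example; the events below are constructed 4688/Sysmon-style records, not incident logs."""
import re
from collections import Counter

SINGLE_WORD_EXPORTS = {"open", "startproc"}          # exports named in the write-up
WINPYTHON_DIR = "WPy64-31401"                         # portable WinPython folder from the write-up
STAGING_DIRS = ("\\appdata\\", "\\temp\\", "\\downloads\\")
WINRM_DISABLED_HOSTS = {"WS-FIN-01", "WS-LEGAL-07"}  # assumed: hosts where WinRM is normally off

def _staged(path):
    return any(d in path.lower() for d in STAGING_DIRS)

def check_event(ev):
    """Return the rule names a single event matches."""
    hits = []
    eid = ev["event_id"]
    image = ev.get("image", "").lower()
    parent = ev.get("parent_image", "").lower()
    cmd = ev.get("cmdline", "")
    target = ev.get("target", "").lower()
    if eid in (4688, 1):  # Security 4688 or Sysmon 1 process creation (needs command-line logging)
        if parent.endswith("powershell.exe") and "expand-archive" in cmd.lower() and "appdata" in cmd.lower():
            hits.append("ps_expand_archive_appdata")
        if image.endswith("pythonw.exe") and "program files" not in image and _staged(image):
            hits.append("pythonw_user_profile")
        if WINPYTHON_DIR.lower() in (image + cmd).lower():
            hits.append("winpython_marker")
        if image.endswith("rundll32.exe"):
            m = re.search(r"\.dll\s*,\s*([A-Za-z_]\w*)", cmd)   # export after "dll,"
            if m and (m.group(1).lower() in SINGLE_WORD_EXPORTS or _staged(cmd)):
                hits.append("rundll32_single_word_export")
        if image.endswith("wsmprovhost.exe") and ev["host"] in WINRM_DISABLED_HOSTS:
            hits.append("wsmprovhost_unexpected")
    elif eid == 11 and "\\cldflt\\" in target:        # Sysmon file create under %TEMP%\cldflt
        hits.append("cldflt_sync_root_staging")
    elif eid == 13 and "syncrootmanager" in target:   # Sysmon registry value set
        hits.append("syncroot_registry_change")
    return hits

def correlate(events):
    """Per-host rule counts, plus the 'several pythonw.exe with different
    arguments' check, which needs more than one event."""
    per_host = {}
    for ev in events:
        h = per_host.setdefault(ev["host"], {"rules": Counter(), "pythonw_args": set()})
        for rule in check_event(ev):
            h["rules"][rule] += 1
        if ev["event_id"] in (4688, 1) and ev.get("image", "").lower().endswith("pythonw.exe"):
            h["pythonw_args"].add(ev.get("cmdline", ""))
    for h in per_host.values():
        if len(h["pythonw_args"]) >= 2:
            h["rules"]["multiple_pythonw"] += 1
    return {host: dict(h["rules"]) for host, h in per_host.items()}

PS = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
PYW = "C:\\Users\\jdoe\\AppData\\Roaming\\WPy64-31401\\python\\pythonw.exe"
SAMPLE_EVENTS = [  # constructed
    {"host": "WS-FIN-01", "event_id": 4688, "parent_image": PS, "image": PS,
     "cmdline": "powershell -WindowStyle Hidden Expand-Archive $env:APPDATA\\Winp.zip $env:APPDATA"},
    {"host": "WS-FIN-01", "event_id": 4688, "parent_image": PS, "image": PYW, "cmdline": "pythonw.exe collector.py"},
    {"host": "WS-FIN-01", "event_id": 4688, "parent_image": PS, "image": PYW, "cmdline": "pythonw.exe Pmanager.py"},
    {"host": "WS-FIN-01", "event_id": 4688, "parent_image": PYW, "image": "C:\\Windows\\System32\\rundll32.exe",
     "cmdline": "rundll32.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\ssss.dll,open"},
    {"host": "WS-FIN-01", "event_id": 11, "image": "C:\\Windows\\System32\\rundll32.exe",
     "target": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\cldflt\\placeholder.txt"},
    {"host": "WS-FIN-01", "event_id": 13, "image": "C:\\Windows\\System32\\rundll32.exe",
     "target": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\SyncRootManager\\PLURIBUS"},
    {"host": "WS-DEV-03", "event_id": 4688, "parent_image": "C:\\Program Files\\VSCode\\Code.exe",
     "image": "C:\\Program Files\\Python312\\pythonw.exe", "cmdline": "pythonw.exe build.py"},  # benign
]

if __name__ == "__main__":
    for host, rules in correlate(SAMPLE_EVENTS).items():
        print(host, rules or "clean")
```

A developer workstation with an installed Python (WS-DEV-03) produces no hits, while the staged WinPython host trips every rule; treat several hits on one host within minutes as the isolation trigger the text describes.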

Immediate Response Actions (Next 24-48 Hours)

When ModeloRAT infiltrates your environment through Teams, every hour counts. The attacker's timeline shows rapid progression from initial access to memory dump exfiltration within 48 hours. Your response must be equally swift and methodical.

IMMEDIATE Actions (Within 4 Hours): Contain Active Threats

Start by auditing all Teams Power Automate connectors and Graph API applications registered in the last 30 days through the Microsoft 365 admin center. Navigate to Azure Active Directory > Enterprise Applications and filter by creation date. Any application with names containing generic terms like "Support," "Helper," or "Admin" requires immediate investigation. The attacker's UCICasociacion tenant demonstrates how threat actors create legitimate-looking identities that bypass casual inspection.

Query your EDR for pythonw.exe processes whose parent is powershell.exe or cmd.exe. ModeloRAT's portable WinPython deployment leaves distinctive artifacts: look for WPy64-31401 directories in user AppData folders. Any hits require immediate isolation - disconnect the system from the network but maintain power to preserve volatile evidence.

Check for Teams channels being weaponized as command-and-control infrastructure. Run this Graph API query: GET /teams/{team-id}/channels?$filter=createdDateTime ge {date-30days}. Channels created by external guests or containing base64-encoded messages in chat history indicate potential C2 activity. The attacker's use of HTTP beacons demonstrates how collaboration tools become covert communication channels.

URGENT Actions (Within 24 Hours): Disrupt Lateral Movement

Force re-authentication for all users who received Teams messages from external tenants in the past week. Use Azure AD Conditional Access to require fresh authentication with MFA verification. Target professional services staff first - they're prime targets for IT support impersonation. Configure session controls to expire tokens after 4 hours during this containment period.

Deploy PowerShell audit logging across your environment if not already enabled. The attacker's extensive use of hidden PowerShell sessions (-WindowStyle Hidden) requires visibility into command execution. Enable ScriptBlock logging via Group Policy: Computer Configuration > Policies > Administrative Templates > Windows Components > Windows PowerShell. Set "Turn on PowerShell Script Block Logging" to capture the attacker's reconnaissance commands.

Review Teams audit logs for external access patterns. Search for event types "MemberAdded" and "GuestAdded" where the user domain doesn't match your organization. The Unified Audit Log query: Search-UnifiedAuditLog -Operations "TeamsMemberAdded" -StartDate (Get-Date).AddDays(-7) reveals external infiltration attempts. Any external user initiating private chats with multiple employees indicates reconnaissance activity.

SHORT-TERM Actions (Within 48 Hours): Eliminate Persistence

Deploy the CVE-2023-36036 patch immediately to all Windows systems. The attacker's successful privilege escalation through cldflt.sys demonstrates that this two-year-old vulnerability remains highly effective. Systems running OneDrive or other cloud sync providers face elevated risk - prioritize these for patching.


Implement Conditional Access policies restricting Teams external access by device compliance status. Require managed devices for any external collaboration. Configure the policy: Azure AD > Security > Conditional Access > New Policy > Cloud apps: Microsoft Teams > Conditions: Users from external organizations > Grant: Require device to be marked as compliant.

Reset credentials for any account that received Teams messages from suspicious external tenants. But don't stop at passwords - the attacker's fake lock screen harvested domain credentials after achieving SYSTEM privileges. Revoke all refresh tokens and require re-enrollment of MFA devices. Because the memory dump was exfiltrated, assume every credential cached on affected systems is compromised.

Long-Term Hardening: Preventing Teams-Based Persistence

Organizations that survive sophisticated Teams-based attacks share one characteristic: they've transformed Microsoft Teams from an open collaboration platform into a controlled communication channel with enforced security boundaries. The architectural changes required go beyond basic security hygiene - they demand fundamental shifts in how Teams integrates with your identity infrastructure and endpoint controls.

Redefining Teams as a Privileged Application

Teams must transition from a default-enabled service to a conditionally accessible application. Configure Azure AD Conditional Access policies that treat Teams connections as high-risk authentication events requiring stepped-up verification. Mandate device compliance checks that verify BitLocker encryption, Windows Defender status, and domain membership before granting Teams access. This prevents attackers from accessing Teams through compromised personal devices or anonymous VPN endpoints.

Geographic velocity checks become critical when Teams spans global operations. Configure impossible travel detection with a 4-hour window - if a user authenticates from New York at 9 AM and Beijing at 11 AM, block the session and trigger security review. Pair this with named location policies that restrict Teams access for privileged accounts to specific office IP ranges, preventing remote exploitation of administrator credentials.

Architecting Zero-Trust Bot and Connector Governance

The Teams application ecosystem represents your largest unmanaged attack surface. Implement Azure AD application consent policies that route all Teams app installation requests through security review workflows. Configure the Teams admin center to block sideloading of custom apps entirely - legitimate business integrations should flow through official app governance processes. Create an allowlist of approved Power Automate connectors and Graph API permissions, rejecting any automation that requests mail.read, files.readwrite, or user.readwrite scopes without documented business justification.

Deploy Microsoft Cloud App Security policies that inspect Teams bot behavior in real-time. Configure anomaly detection rules that flag bots sending messages to multiple users within 60 seconds, accessing files across different SharePoint sites, or initiating external sharing links. These patterns indicate reconnaissance and staging activities that precede credential harvesting attempts.

Endpoint Application Control Against Python-Based Threats

Windows Defender Application Control (WDAC) policies must explicitly block portable Python interpreters and memory dumping utilities. Create code integrity policies that prevent execution of pythonw.exe and python.exe unless signed by your organization's certificate. Configure AppLocker rules that block execution from %APPDATA%, %TEMP%, and %USERPROFILE%\Downloads directories where attackers typically stage their tooling.

For memory protection, implement Attack Surface Reduction (ASR) rules that block credential stealing from the Windows local security authority subsystem. Enable the "Block credential stealing from the Windows local security authority subsystem (lsass.exe)" rule in audit mode initially, then enforce after validating legitimate administrative tools. Configure Process Creation events in Windows Event Forwarding to capture command-line arguments for rundll32.exe, particularly those referencing davclnt.dll which indicates WebDAV reconnaissance.

Teams-Specific Threat Hunting Infrastructure

Establish PowerShell script block logging across all endpoints to capture obfuscated stager execution. Configure Enhanced PowerShell logging with a minimum retention of 90 days, focusing on scripts containing IWR, Expand-Archive, or Start-Process combinations. Deploy Microsoft Defender for Endpoint custom detection rules that correlate Teams process creation with subsequent PowerShell activity within a 5-minute window - this pattern indicates initial payload delivery.

Build KQL queries in Microsoft Sentinel that join Teams audit logs with Azure AD sign-in data to identify external tenant communications followed by suspicious authentication events. Focus on patterns where external Teams messages precede failed MFA challenges, password spray attempts, or token refresh anomalies that suggest account takeover attempts.

Attribution and Threat Actor Context

The ModeloRAT campaign represents a convergence of multiple threat actor methodologies, though attribution remains complex due to overlapping tactics and shared infrastructure. While Rapid7's analysis links the Python malware framework to KongTuke group operations, the social engineering patterns and identity-focused tradecraft align with documented behaviors from Octo Tempest (also tracked as Scattered Spider, UNC3944, and 0ktapus by different security vendors).

These designations don't necessarily represent distinct groups but rather tracking clusters that security vendors use to monitor evolving campaigns. The Octo Tempest cluster emerged in 2022 as a financially motivated operation specializing in helpdesk impersonation, SIM swapping, and MFA manipulation targeting technology and telecommunications sectors. Their evolution toward professional service firms represents a calculated shift in targeting strategy.

Professional service firms present unique value propositions for these actors. Unlike traditional enterprises with segmented networks, consulting firms maintain broad access to multiple client environments through managed service provider relationships. A single compromised consultant account potentially unlocks dozens of downstream targets. The April 2026 incident demonstrates this multiplier effect - after establishing domain control, the attacker immediately began mapping accessible client systems through the compromised identity's existing trust relationships.

The financial motivation becomes clear when examining the attacker's post-exploitation priorities. Rather than deploying ransomware immediately, they focused on credential harvesting and memory collection. The DumpIt memory acquisition captured LSASS process data containing cleartext passwords, NTLM hashes, and Kerberos tickets - essentially a master key collection for the entire domain. This patient approach suggests data brokerage operations where stolen credentials command premium prices on underground markets.

ModeloRAT's integration into this actor's toolkit fills a critical operational gap. Previous KongTuke campaigns relied on malicious browser extensions requiring user interaction to maintain persistence. The Python-based framework eliminates this dependency through scheduled tasks and multiple backdoor modules. The framework's modular architecture - with separate components for reconnaissance, command execution, tunneling, and proxy services - indicates professional development resources typically associated with organized cybercrime operations rather than opportunistic attackers.

The timing and target selection suggest strategic intelligence gathering beyond simple financial theft. Professional service firms handling mergers, acquisitions, and corporate restructuring possess market-moving information valuable for insider trading operations. The attacker's careful avoidance of detection - using Living-off-the-Land binaries and legitimate tools like WebDAV for credential validation - indicates awareness that premature discovery would eliminate access to this intelligence stream.

Geographic patterns in the C2 infrastructure reveal operational security practices consistent with Eastern European cybercrime groups, though definitive attribution remains elusive. The distributed hosting across multiple providers and rapid rotation between IP addresses suggests access to bulletproof hosting services that ignore abuse complaints. This infrastructure investment, combined with the custom exploit development for CVE-2023-36036, indicates sustained funding sources whether through previous successful operations or external sponsorship.

Understanding these actors' persistence and capabilities shapes defensive priorities. They maintain operations across multiple campaigns simultaneously, learning from each intrusion to refine techniques. The progression from browser-based attacks to Teams-based social engineering demonstrates adaptive behavior responding to improved endpoint detection capabilities. Security teams should expect continued evolution as these groups probe for new initial access vectors while maintaining their core objective: converting trusted access into marketable intelligence.
