Initial access broker KongTuke has been observed shifting from email phishing to Microsoft Teams as its primary initial access vector, impersonating IT helpdesk and Microsoft support personas to convince targeted employees to accept malicious file transfers via Teams. Sophos X-Ops researchers documented the new campaign, noting that KongTuke can achieve credential harvesting and persistent access in under five minutes from first Teams contact, then lists the access on dark web forums for ransomware affiliate purchase within 24 hours.
Attack Chain
KongTuke’s Teams-based intrusion follows a consistent pattern:
- Account impersonation: The attacker uses a compromised or freshly registered Microsoft 365 tenant configured with a convincing helpdesk persona (e.g., “IT Support”, “Microsoft Helpdesk”) to initiate a Teams conversation with a targeted employee.
- Social engineering pretext: The employee is told their device has been flagged for a “critical security update” that must be applied immediately or their account will be suspended. The urgency framing and helpdesk persona exploit the established pattern of legitimate IT contacting employees via Teams.
- Malicious file delivery: The attacker sends a file named SecurityUpdate_[target_name].exe, or a similarly convincing filename, via Teams file transfer. Teams allows file sharing between tenant users by default.
- ModeloRAT execution: If the employee executes the file, ModeloRAT — a lightweight remote access trojan with credential harvesting, keylogging, and persistence capabilities — is installed. The tool establishes an encrypted C2 channel and begins credential extraction within seconds.
- Access sale: Harvested credentials and established access are listed on dark web access broker forums. KongTuke’s documented turnaround from initial access to listing is 18–24 hours.
Why Teams-Based Attacks Are Effective
Microsoft Teams benefits from an implicit trust advantage that email does not: organisations train users to be sceptical of email attachments but rarely provide equivalent guidance about Teams-based file transfers. Teams messages arriving from what appears to be an IT helpdesk account feel categorically different from a phishing email — they arrive in a professional collaboration context, from what appears to be a colleague or support function.
By default, Teams external access allows users from other Microsoft 365 tenants to contact your organisation’s users. Unless restricted by policy, an employee can receive Teams messages from any M365 tenant, including newly registered ones.
Recommended Actions
- Restrict Teams external access: Review your Microsoft 365 Teams external access settings. Unless there is a business requirement to receive Teams messages from arbitrary external tenants, restrict external access to known, trusted tenant domains only (Settings → Microsoft Teams admin centre → External access).
- Disable file sharing from external tenants: Block file and application sharing from external Microsoft 365 users unless explicitly required (Teams admin centre → External sharing settings).
- User awareness: Brief employees that legitimate IT helpdesk will not contact them via Teams to request urgent software installation. Define and communicate the legitimate channels through which IT will request user action.
- ModeloRAT indicators: Check endpoint detection systems for KongTuke/ModeloRAT IOCs — the tool creates a scheduled task under a system service name and communicates over HTTPS to dynamically registered domains with short TTLs.
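One way to audit and apply the first recommendation (restricting Teams external access to trusted tenant domains) from PowerShell, as an added example that is not from the article or from Sophos. It assumes the MicrosoftTeams PowerShell module, a Teams administrator account, and `partner.example` as a placeholder for your own trusted domain list.

```powershell
# Added example (not from the article): audit the tenant's Teams external
# access (federation) settings, then restrict them to an explicit allow-list.
# Assumes the MicrosoftTeams module and a Teams admin account.
# 'partner.example' is a placeholder; replace it with the tenant domains
# your organisation actually needs to collaborate with.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

$trustedDomains = @('partner.example')   # placeholder allow-list

# 1. Audit: capture the current settings before changing anything.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
    AllowTeamsConsumer, AllowTeamsConsumerInbound | Format-List

# With no allow-list configured, AllowedDomains reports "AllowAllKnownDomains",
# i.e. any Microsoft 365 tenant (including a freshly registered one) can
# message your users. Flag that state for the reviewer.
if ($before.AllowFederatedUsers -and
    "$($before.AllowedDomains)" -match 'AllowAllKnownDomains') {
    Write-Warning 'Teams external access is open to every Microsoft 365 tenant.'
}

# 2. Harden: keep federation enabled, but only for the allow-listed domains,
#    and block personal (consumer) Teams accounts in both directions.
$allowList = New-Object 'System.Collections.Generic.List[string]'
$trustedDomains | ForEach-Object { $allowList.Add($_) }

Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $allowList `
    -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# 3. Verify the change took effect; only the allow-listed domains should remain.
$after = Get-CsTenantFederationConfiguration
$after | Select-Object AllowFederatedUsers, AllowedDomains,
    AllowTeamsConsumer, AllowTeamsConsumerInbound | Format-List
```

The second recommendation, blocking file and application sharing from external users, is set in the Teams admin centre as the article describes and is not covered by this script.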