VYPR
breach · Published May 13, 2026 · Updated May 18, 2026 · 1 source

Fake Microsoft Teams 'IT Support' Messages Deliver ModeloRAT in Enterprise Intrusion Chain

Rapid7 details an April 2026 enterprise intrusion that began with a fake Microsoft Teams 'IT Support' message and escalated through Python malware, privilege escalation, credential theft, and lateral movement.

In April 2026, Rapid7 investigated an enterprise intrusion that began with a Microsoft Teams message from a fake “IT Support” account and quickly escalated into a full compromise chain: malware deployment, privilege escalation, credential theft, lateral movement, and exfiltration. The incident illustrates a critical risk for modern enterprises: collaboration platforms have become part of the attack surface, and when combined with identity abuse and living-off-the-land techniques, they give attackers a low-friction path into the environment.

The attack started with abuse of Microsoft Teams external access (federation). This feature, which is enabled by default in many tenants, allows users in one Microsoft 365 tenant to initiate direct chats with users in another; administrators can restrict it to an allow-list of partner domains, block specific domains, or disable it entirely, and should check which of these their tenant actually has in place. The attacker used a newly created tenant, UCICasociacion.onmicrosoft[.]com, to impersonate “IT Support” and messaged a targeted employee. Teams does tag such senders as external, but a display name of “IT Support” is easy to trust at a glance. This approach mirrors tradecraft seen in Octo Tempest-style campaigns, which are known for aggressive social engineering, including helpdesk impersonation, SIM swapping, and MFA manipulation.

Within minutes of the Teams interaction, a PowerShell stager ran on the endpoint and downloaded a ZIP archive (Winp.zip) from Dropbox into the user’s AppData directory. The archive was extracted and immediately deleted, likely to reduce on-disk artifacts. It contained a portable WinPython environment, which the attacker used to launch the next stage: collector.py for reconnaissance and Pmanager.py, the primary C2 agent, identified as ModeloRAT. The scripts were run with pythonw.exe, the windowless Python interpreter, so no console window was visible to the user.

Rapid7’s technical analysis linked the Python malware to ModeloRAT, a framework previously documented by multiple security vendors in browser-extension campaigns and associated with the KongTuke group. The attacker then escalated privileges to SYSTEM using CVE-2023-36036, an elevation-of-privilege vulnerability in the Windows Cloud Files Mini Filter Driver that Microsoft patched in November 2023; its successful use here means the endpoint was missing an update that had been available for roughly two and a half years. After gaining elevated access, the attacker deployed a fake Windows lock screen designed to harvest the user’s domain password.

Once valid credentials were obtained, the intrusion shifted from endpoint compromise to broader identity-driven risk. The attacker moved laterally to a second host and used legitimate tooling such as DumpIt, a memory-acquisition utility, to capture system memory; a full memory image includes LSASS process memory and therefore cached credentials and Kerberos tickets, which explains its value to the attacker. The image was likely exfiltrated via an anonymous file-sharing service. This progression underscores a key reality for defenders: once collaboration, identity, and endpoint controls are bypassed or weakened, attackers can rapidly convert initial access into meaningful enterprise exposure.

The attack chain combined Teams external access, a long-patched privilege-escalation vulnerability, and trusted tools such as Python, PowerShell, and Dropbox to blend in with normal activity rather than defeat controls head-on. Rapid7 noted that none of these tools are unusual in enterprise environments, which is precisely what allowed the attacker to avoid scrutiny while moving quickly. The campaign is available in Rapid7’s Intelligence Hub, providing customers with curated context, indicators, and threat actor tradecraft. Relevant detections are also available in InsightIDR.

For CISOs, the incident underscores that collaboration tools are part of the attack surface. Attackers used Teams to reach users directly, so collaboration security, identity protection, endpoint visibility, and rapid detection engineering must be treated as connected parts of the same defense strategy. The challenge isn’t identifying one suspicious event; it’s recognizing when individually normal activity starts to form a pattern, and acting before that pattern turns into widespread exposure.

Synthesized by Vypr AI