Phantom Access: How Hackers Hijack Microsoft Teams and Google Ads to Breach Your Defenses
State-backed and cybercriminal groups are using trusted platforms and clever trickery to steal logins and bypass multi-factor authentication, leaving even the most secure organizations exposed.
It starts with a click: a seemingly harmless Google ad, or a friendly chat on Microsoft Teams. In 2026, these everyday digital interactions became hunting grounds for sophisticated threat actors, ranging from Eastern European cybercriminals to Iranian state-sponsored hackers. Their goal? Total compromise of your most sensitive systems, all while sidestepping even the strongest security measures like multi-factor authentication (MFA).
Fast Facts
- Hackers are placing fake Google Ads above legitimate results to steal GoDaddy ManageWP credentials.
- Attackers use “adversary-in-the-middle” (AiTM) tactics to relay logins in real time, defeating MFA protections.
- Iranian APT group MuddyWater used Microsoft Teams social engineering to steal credentials and hijack MFA, disguised as ransomware.
- Compromised ManageWP accounts can give attackers control over hundreds of WordPress sites at once.
- Both criminal and nation-state actors are exploiting trust in mainstream platforms to launch high-impact attacks.
Behind the Breach: Malvertising and Messaging as Attack Vectors
In early 2026, security researchers uncovered a wave of attacks targeting administrators of GoDaddy’s ManageWP, a vital tool for controlling fleets of WordPress sites. The scheme was cunningly simple: hackers bought Google Ads mimicking ManageWP, placing them at the top of search results. Unsuspecting users clicking these ads landed on near-perfect phishing pages, where their login credentials, and even temporary MFA codes, were siphoned off in real time using adversary-in-the-middle (AiTM) proxies.
The stolen details were instantly forwarded to attacker-controlled Telegram channels, granting immediate access to entire portfolios of websites. Researchers found the phishing operation ran on a custom, Russian-authored framework, with an operator panel allowing attackers to interactively control each session and handle MFA prompts. Evidence suggested over 200 victims, with the real toll likely far higher due to ManageWP’s widespread use.
Meanwhile, on a different front, the Iranian APT group MuddyWater was caught weaponizing Microsoft Teams. By posing as IT support, they lured employees into sharing credentials via chat and screen-sharing, even instructing them to enroll attacker-controlled devices for MFA. The attackers launched malware-laden remote access tools, establishing persistent footholds in victim networks. Notably, they used the branding of the Chaos ransomware group as a smokescreen, masking their espionage motives behind the chaos of a supposed ransomware incident. Their true aim: long-term access, not ransom payments.
Both campaigns reflect a chilling trend: attackers are no longer brute-forcing their way in. Instead, they are exploiting the blind trust users place in familiar platforms: search engines, chat apps, and MFA prompts. By blending social engineering with technical stealth, they bypass even advanced defenses, turning the very tools meant to protect us into their weapons.
Defending Against the Invisible Hand
Security experts advise a return to basics: never trust sponsored links for logins, always verify URLs, and bookmark official admin pages. Organizations should scrutinize unsolicited Teams messages, monitor for suspicious remote access tools, and audit MFA device enrollments. Most importantly, defenders must look beyond ransomware “noise” to detect the true objectives lurking beneath the surface of every breach.
The message is clear: in a world where trust is weaponized, vigilance is your last line of defense.
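The advice above to scrutinize unsolicited Teams messages, monitor remote access tools, and audit MFA device enrollments can be combined into one correlation check. The following is an added example, not code from the researchers or vendors mentioned in this article; the normalised event schema (`ts`, `user`, `kind`, `detail`) and the sample events are constructed for illustration and do not match any product's real log format.

```python
from datetime import datetime, timedelta

# Constructed, normalised events. The schema (ts, user, kind, detail) is an
# assumption for this example, not any product's real log format.
SAMPLE_EVENTS = [
    {"ts": "2026-02-03T09:02:00", "user": "alice", "kind": "external_chat", "detail": "sender outside tenant: 'IT Support'"},
    {"ts": "2026-02-03T09:10:00", "user": "alice", "kind": "remote_tool_start", "detail": "remote access tool launched"},
    {"ts": "2026-02-03T09:21:00", "user": "alice", "kind": "mfa_enroll", "detail": "new authenticator device"},
    {"ts": "2026-02-03T11:00:00", "user": "bob", "kind": "mfa_enroll", "detail": "new authenticator device"},
    {"ts": "2026-02-02T08:00:00", "user": "carol", "kind": "external_chat", "detail": "sender outside tenant"},
    {"ts": "2026-02-03T15:00:00", "user": "carol", "kind": "mfa_enroll", "detail": "new authenticator device"},
]

# Event kinds that make a following MFA enrollment worth a manual review.
PRECURSORS = {"external_chat", "remote_tool_start"}

def flag_mfa_enrollments(events, window=timedelta(hours=2)):
    """Return MFA enrollments preceded, for the same user and within
    `window`, by an external chat or a remote access tool launch."""
    parsed = sorted(
        ({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events),
        key=lambda e: e["ts"],
    )
    recent = {}    # user -> precursor events seen so far, in time order
    findings = []
    for e in parsed:
        if e["kind"] in PRECURSORS:
            recent.setdefault(e["user"], []).append(e)
        elif e["kind"] == "mfa_enroll":
            # Keep only precursors close enough in time to the enrollment.
            hits = [p for p in recent.get(e["user"], [])
                    if e["ts"] - p["ts"] <= window]
            if hits:
                findings.append({
                    "user": e["user"],
                    "enrolled_at": e["ts"].isoformat(),
                    "precursors": sorted({p["kind"] for p in hits}),
                })
    return findings

if __name__ == "__main__":
    for finding in flag_mfa_enrollments(SAMPLE_EVENTS):
        print(finding)
```

On the constructed sample, only the enrollment that follows both an external chat and a remote tool launch within two hours is flagged; an enrollment with no precursor, or one a day after a chat, is not.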
WIKICROOK
- Adversary: An adversary is any person or group attempting to breach computer systems or data, often for malicious purposes like theft or disruption.
- Multi: Multi refers to using a combination of different technologies or systems, like LEO and GEO satellites, to improve reliability, coverage, and security.
- Phishing: Phishing is a cybercrime where attackers send fake messages to trick users into revealing sensitive data or clicking malicious links.
- Remote Access Trojan (RAT): A Remote Access Trojan (RAT) is malware that lets attackers secretly control a victim’s computer from anywhere, enabling theft and spying.
- Malvertising: Malvertising is the use of online ads to spread malware, often by tricking users into clicking harmful links, even on trusted websites.




