Threat Analysis: PAN-OS Zero-Day and MuddyWater's Teams Deception, What UK SMBs Need to Know
Hello, Mauven here.
This is your Daily Threat Analysis for 6th May 2026.
Two items on the board today. Both are active. Both have a direct line to UK small and medium businesses. I am not going to bury either of them.
Item One: Palo Alto PAN-OS Zero-Day: Actively Exploited, No Patch Available
Palo Alto Networks confirmed this morning that a critical vulnerability in PAN-OS (the operating system that runs their enterprise firewall appliances) is being exploited in the wild. The flaw sits in the User-ID Authentication Portal and allows an unauthenticated attacker to achieve remote code execution on the affected device.
Let me translate that: if your network perimeter runs Palo Alto kit, and your managed service provider has not already acted, an attacker can execute arbitrary code on your firewall without needing credentials. Your firewall. The device that is supposed to be your first line of defence.
There is no patch. Palo Alto has published workarounds, and that is what your provider should be applying right now. The workaround involves disabling the User-ID Authentication Portal on internet-facing interfaces where it does not need to be exposed, which, frankly, raises its own question about why it was exposed in the first place.
The advisory notes active exploitation. That is not "proof of concept exists in the wild." That means someone is using this right now, against real targets.
What the advisory does not say: We do not yet have confirmed attribution for who is actively exploiting this zero-day, or what sectors are being targeted. That information will emerge over the next 24 to 72 hours as incident responders file reports. What the historical pattern tells us (and I am being explicit that this is inference) is that firewall zero-days at this severity level attract nation-state actors and ransomware operators in roughly equal measure during the initial exploitation window. Storm-1175, tracked by Microsoft, has been running high-velocity campaigns targeting exactly this kind of internet-facing vulnerability. Their Medusa ransomware affiliates move from initial access to data exfiltration rapidly. The timing is worth noting.
What UK SMBs should do today:
- If your business uses a managed firewall service, contact your provider now and ask specifically whether they run PAN-OS appliances and what action they have taken on this vulnerability.
- If you manage your own Palo Alto kit, apply the vendor workaround immediately and monitor the Palo Alto security advisory page for patch availability.
- If you use a different firewall vendor, you are not affected by this specific vulnerability, but the broader lesson stands: internet-facing management portals should not be exposed unless there is an operational requirement, and that requirement should be reviewed regularly.
The NCSC has published guidance on network device security that covers exactly this class of risk. The fact that vendors continue to ship internet-facing authentication portals enabled by default, and organisations continue to leave them that way, is a conversation that never seems to go anywhere productive.
Item Two: MuddyWater Using Microsoft Teams as an Attack Vector, With Ransomware as the Smoke and Mirrors
This one requires a bit of unpacking because the headline, "Iranian hackers use ransomware", misses what is actually interesting about it.
MuddyWater is a threat actor with links to Iranian state intelligence. They are not a ransomware gang. They are an espionage operation. So when researchers report that MuddyWater is deploying Chaos ransomware, the instinct is to ask what they are doing while everyone is looking at the ransomware.
The answer, based on the reporting, is data exfiltration and persistent access. The ransomware is a decoy. The noise of an encryption event draws response teams to recovery tasks, buys time, and muddies forensic timelines. It is not a new technique (using destructive or disruptive payloads to mask the real objective is documented across multiple Iranian and Russian-linked campaigns), but it is worth stating clearly for organisations that might assume a successful ransomware recovery means the incident is over. In MuddyWater's playbook, the ransomware event may mean the incident is just beginning.
The initial access vector here is Microsoft Teams social engineering. MuddyWater operatives are using Teams to contact targets, posing as IT support, vendors, or colleagues, and manipulating them into actions that establish persistence or deliver a payload. This technique has been documented since at least 2023, when similar campaigns were observed targeting organisations in the UK, Israel, and Saudi Arabia. The TTPs have not changed substantially. What has changed is that the volume of external Teams messages arriving in UK business environments has increased, because Teams federation and external access are increasingly enabled as organisations collaborate across organisational boundaries.
If your IT provider or internal IT team has not reviewed your Microsoft Teams external access settings, that is an action item. Teams allows, by default, users from any Teams-enabled domain to initiate contact. That is a large attack surface.
What the reporting does not fully address: MuddyWater's targeting in this campaign appears to be primarily in the Middle East and potentially wider. I am not going to claim UK businesses are currently in the crosshairs of this specific campaign, because the evidence does not support that claim. What I will say is that the technique (Teams-based social engineering leading to ransomware deployment) is not exclusive to MuddyWater. Financially motivated actors have been running variants of this playbook for two years. The Iranian nexus makes the attribution interesting. The technique is what matters for UK businesses.
What UK SMBs should do today:
- Review your Microsoft Teams external access policy. If your business does not need to receive Teams messages from arbitrary external domains, restrict it (Microsoft 365 admin centre, then Teams admin centre, then external access settings).
- Ensure staff know that IT support will never contact them via Teams from an external account asking them to install software, approve access, or run a script.
- If you receive an unexpected Teams message from someone claiming to be from your IT provider or from Microsoft, verify through a separate channel before taking any action.
- Check that your endpoint detection tools are configured to alert on deployment of known ransomware families including Chaos variants.
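The external access review and restriction described above, done from the MicrosoftTeams PowerShell module rather than the admin centre. This is an added example, not code from the briefing or from Microsoft; the partner domain names are constructed placeholders, and it assumes a Teams administrator account and an installed MicrosoftTeams module.

```powershell
# Added example: review who can message your staff from outside the tenant, then
# replace "any Teams-enabled domain" with an explicit partner allow list.
# Assumes: Install-Module MicrosoftTeams has been run; Teams admin credentials.
Connect-MicrosoftTeams

function Test-TeamsExternalAccess {
    # Returns a list of findings; an empty list means external access is already restricted.
    $cfg = Get-CsTenantFederationConfiguration
    $findings = @()
    # AllowedDomains is either an "allow all known domains" object or an explicit allow list.
    $openToAnyDomain = $cfg.AllowedDomains.GetType().FullName -like '*AllowAllKnownDomains*'
    if ($cfg.AllowFederatedUsers -and $openToAnyDomain) {
        $findings += 'External access is open: any Teams-enabled domain can initiate contact.'
    }
    if ($cfg.AllowTeamsConsumerInbound) {
        $findings += 'Unmanaged (personal) Teams accounts can start chats with your users.'
    }
    return $findings
}

function Set-TeamsPartnerAllowList {
    # Keeps federation on, but only for the domains you actually collaborate with,
    # and stops consumer Teams accounts from initiating contact.
    param([Parameter(Mandatory)][string[]]$Domains)
    $entries   = $Domains | ForEach-Object { New-CsEdmAllowedDomain -Domain $_ }
    $allowList = New-CsEdmAllowList -AllowedDomain $entries
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                        -AllowedDomains $allowList `
                                        -AllowTeamsConsumerInbound $false
}

# Step 1: review. Nothing is changed here.
$findings = Test-TeamsExternalAccess
if ($findings.Count -eq 0) { 'External access already restricted.' } else { $findings }

# Step 2: restrict, once the partner list has been agreed with the business.
# Placeholder domains; replace with the organisations your staff genuinely work with.
$partnerDomains = @('partner-example.co.uk', 'msp-example.co.uk')
if ($findings.Count -gt 0) {
    Set-TeamsPartnerAllowList -Domains $partnerDomains
    Test-TeamsExternalAccess   # re-run the check; should now return nothing
}
```

Run the review step on its own first: the second step overwrites the allow list, so any domain missing from it loses the ability to message your users.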
Context: The Wider Pattern Today
It is worth noting what else is in the threat picture today, even if these items do not rise to the level of a full briefing for most UK SMBs.
A large-scale AiTM (adversary-in-the-middle) credential theft campaign ran between 14th and 16th April, targeting over 35,000 users across 13,000 organisations, primarily in the United States. The lure was code-of-conduct themed emails. The technique bypassed MFA by stealing session tokens rather than credentials. That campaign has been documented by Microsoft. The UK was not confirmed as a primary target in that wave, but the infrastructure and techniques are reusable, and similar campaigns have historically followed US deployments into UK and European environments within weeks.
If your organisation uses Microsoft 365 and relies on MFA as its primary defence against account compromise, it is worth understanding that session token theft bypasses MFA entirely. Conditional access policies that evaluate device compliance and session risk are the next line of defence.
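The conditional access layer described above, expressed as two policies created through Microsoft Graph PowerShell. This is an added example, not code from the briefing or from Microsoft; the emergency-access group id is a placeholder, the sign-in risk policy assumes an Entra ID P2 licence, and both policies are created in report-only mode so the sign-in logs can be reviewed before anything is enforced.

```powershell
# Added example: Conditional Access policies that evaluate device compliance and
# sign-in risk, so a session token captured by an AiTM proxy is not enough on its own.
# Assumes: Install-Module Microsoft.Graph.Identity.SignIns; Conditional Access admin rights.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# Placeholder: object id of your break-glass / emergency-access group, excluded from
# both policies so a misconfiguration cannot lock every administrator out.
$breakGlassGroupId = '00000000-0000-0000-0000-000000000000'

function New-ReportOnlyCaPolicy {
    # Builds the Graph request body and creates the policy in report-only state.
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][hashtable]$Conditions,
        [Parameter(Mandatory)][hashtable]$Grant
    )
    $body = @{
        displayName   = $Name
        state         = 'enabledForReportingButNotEnforced'   # switch to 'enabled' after review
        conditions    = $Conditions
        grantControls = $Grant
    }
    New-MgIdentityConditionalAccessPolicy -BodyParameter $body
}

# Policy 1: Microsoft 365 only from an Intune-compliant or hybrid-joined device.
# A token replayed from a machine outside your device management fails this check
# when it is next evaluated, regardless of the MFA the victim completed.
New-ReportOnlyCaPolicy -Name 'M365: require compliant or hybrid-joined device' -Conditions @{
    users          = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
    applications   = @{ includeApplications = @('Office365') }
    clientAppTypes = @('all')
} -Grant @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }

# Policy 2: block sign-ins that Entra ID Protection scores as medium or high risk
# (unfamiliar sign-in properties, anonymous IP, and similar signals). Requires P2.
New-ReportOnlyCaPolicy -Name 'Block medium and high sign-in risk' -Conditions @{
    users            = @{ includeUsers = @('All'); excludeGroups = @($breakGlassGroupId) }
    applications     = @{ includeApplications = @('All') }
    clientAppTypes   = @('all')
    signInRiskLevels = @('medium', 'high')
} -Grant @{ operator = 'OR'; builtInControls = @('block') }
```

Leave both in report-only mode for a week or two and check the Conditional Access insights in the sign-in logs; the compliant-device policy in particular will surface every unmanaged personal device staff are currently using for mail.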