A newly identified threat group, UNC6692, has been caught running a sophisticated multistage intrusion campaign that uses Microsoft Teams impersonation<\/a>, a custom modular malware suite, and cloud infrastructure abuse to deeply penetrate enterprise networks, all without exploiting a single software vulnerability.<\/p>\n Google Threat Intelligence Group (GTIG) and Mandiant researchers disclosed the campaign on April 22, 2026, revealing how UNC6692 systematically manipulates employee trust in everyday enterprise tools to gain full domain-level access.<\/p>\n In late December 2025, UNC6692 launched a mass email bombing campaign against its targets, deliberately flooding inboxes to create a sense of urgency and confusion.<\/p>\n With victims overwhelmed and distracted, the threat actor delivered the critical blow by sending a phishing message directly over Microsoft Teams, with the attacker posing as an IT helpdesk employee offering assistance with the email volume.<\/p>\n This technique is not a zero-day exploit or a software flaw. As Microsoft noted in its own April 2026 advisory, the campaign abuses legitimate external collaboration features in Teams, with attackers convincing users to override multiple, clearly presented security warnings.<\/p>\n Victims accepted the Teams chat invitation from an account outside their organization, a seemingly minor action with catastrophic consequences.<\/p>\n Once in contact, the attacker directed the victim to click a link to install a \u201clocal patch\u201d that purportedly prevents email spamming. The link led to a convincing phishing landing page masquerading as a \u201cMailbox Repair and Sync Utility v2.1.5\u201d, hosted on an attacker-controlled AWS S3 bucket, Google said<\/a>.<\/p>\n The page enforced a multi-phase attack pipeline:<\/p>\n UNC6692\u2019s toolset, dubbed the SNOW ecosystem, is a coordinated three-component modular framework:<\/p>\n SNOWBELT maintained persistence through a Windows Startup folder shortcut, two scheduled tasks, and a headless Microsoft Edge process silently loading the extension.<\/p>\n SNOWGLAZE masked malicious traffic by wrapping data in Base64-encoded JSON objects over WebSockets, making it appear as standard encrypted web traffic.<\/p>\n After establishing initial access, UNC6692 executed a Python script via SNOWBASIN to scan the local network for open ports 135, 445, and 3389. Using PsExec sessions routed through the SNOWGLAZE tunnel, the attackers enumerated local administrator accounts and initiated an RDP session to a backup server.<\/p>\n On the backup server, the threat actor used Windows Task Manager to dump the LSASS process memory, capturing password hashes, and exfiltrated the dump via LimeWire.<\/p>\n With hashes in hand and safely off the network, the attacker performed offline credential extraction, then used Pass-the-Hash to authenticate directly to domain controllers without ever needing plaintext passwords.<\/p>\n On the domain controller, the attacker downloaded FTK Imager, mounted the local drive, and extracted the Active Directory database (NTDS.dit), SAM, SYSTEM, and SECURITY registry hives, the crown jewels of any Windows enterprise environment.<\/p>\n These were also exfiltrated via LimeWire. EDR telemetry captured the attacker taking targeted screenshots of active FTK Imager and Edge windows, confirming mission completion.<\/p>\n A defining characteristic of the UNC6692 campaign is its systematic abuse of legitimate cloud services for every stage of the attack payload delivery, credential exfiltration, C2 infrastructure, and data staging, all of which relied on trusted platforms like AWS S3 and Heroku.<\/p>\n This \u201cliving off the cloud\u201d strategy allows malicious traffic to blend into high volumes of encrypted, reputably sourced web traffic, rendering domain reputation filters and IP-based blocklists largely ineffective.<\/p>\n Defenders must expand visibility beyond traditional process monitoring to include browser extension activity, unauthorized cloud egress traffic, and headless browser processes.<\/p>\n Critically, organizations should restrict or closely monitor Microsoft Teams external access settings to prevent unknown tenants from initiating chat sessions with employees.<\/p>\n As UNC6692 demonstrates, the weakest link in enterprise security is not always a misconfigured server it is an employee who trusts a Teams message from someone claiming to be IT.<\/p>\n Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n The post Hackers Leverage Microsoft Teams to Breach Organizations Posing as IT Helpdesk Staff<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjpi6tmsjBqZ3TNdFxTi9W7ng3tlSBfzCsiCwiVS015lo8r4s-jDgOjR1DW9O37q1j9LGcz_RhiOwsAvdaGNsiZyn7W8OCJg9AUeICXBYX9qNP48L9qF-gMYmxsD93iqqj8vzkpWSMAFnxi5bhgeM2O-XMw-QN4n8IBw47Qh1vf9VV5EBefEolnHEmAObvN\/s16000\/Attack%2520Chain%2520teams.webp?ssl=1\")
<\/figure>\n<\/div>\nInfection Chain: From Teams Chat to Full Compromise<\/strong><\/h2>\n
\n
?email=<\/code> parameter and forced victims onto Microsoft Edge via the microsoft-edge:<\/code> URI scheme, ensuring exploits would be most effective.<\/li>\nThe SNOW Malware Ecosystem<\/strong><\/h2>\n
\n\n
\n \nComponent<\/th>\n Type<\/th>\n Role<\/th>\n<\/tr>\n<\/thead>\n \n SNOWBELT<\/td>\n JavaScript browser extension<\/td>\n Initial foothold; intercepts and relays C2 commands; uses DGA-based S3 URLs for C2<\/td>\n<\/tr>\n \n SNOWGLAZE<\/td>\n Python-based WebSocket tunneler<\/td>\n Routes TCP traffic through the victim via a SOCKS proxy to a Heroku C2 server<\/td>\n<\/tr>\n \n SNOWBASIN<\/td>\n Python local HTTP server (port 8000)<\/td>\n Executes shell commands, captures screenshots, exfiltrates files<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n ![\"\"](\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEjicp2nqL7GAPYkPvrJwebCRcUcJ0S4iH3jLnyLu_-rH8B7NvhOqqRrwiuRpeT17iUiC8sc0R3Df-SYLW5X2THwN3B-Uj-t2YOr3DdIcp4CVGYocJPVyGRtx4x8aXtafdYRYGU6CE6eOXXriYIoCEzTo_EUwRcsLIwgcefMkbY3eF1DwigXbS5XXpLlmQOE\/s16000\/snow%2520malware%2520system.webp?ssl=1\")
<\/figure>\nIndicators of Compromise (IOCs)<\/strong><\/h2>\n
\n
https:\/\/service-page-[ID]-outlook.s3.us-west-2.amazonaws.com\/update.html?email=<\/code>\n<\/li>\nwss:\/\/sad4w7h913-b4a57f9c36eb[.]herokuapp[.]com:443\/ws<\/code>\n<\/li>\nhttps:\/\/[a-f0-9]{24}-[0-9]{6,7}-[0-9]{1}.s3.us-east-2.amazonaws[.]com<\/code>\n<\/li>\nBJkWCT45mL0uvV3AssRaq9Gn7iE2N7Lx38ZmWDFCjwhz0zv0QSVhKuZBLTTgAijB12cgzMzqyiJZr5tokRzSJu0<\/code>\n<\/li>\nRegSrvc.exe<\/code> (AutoHotKey binary), Protected.ahk<\/code>, SysEvents<\/code> (SNOWBELT extension directory).<\/li>\n<\/ul>\n