The New Helpdesk Scam That’s Flooding Inboxes and Deploying Custom Malware via Microsoft Teams

UNC6692 is exploiting Microsoft Teams' external collaboration features to impersonate IT helpdesk staff and deliver a custom malware suite.

A newly identified threat group is turning Microsoft Teams into a weapon. By first bombarding corporate inboxes with spam, then posing as friendly IT helpdesk staff, the attackers trick employees into handing over their credentials and unknowingly installing a stealthy malware suite. Security researchers are now warning that this multi‑step social engineering campaign has already breached several enterprise networks.

The group, tracked as UNC6692 by Google Threat Intelligence Group and Mandiant, combines old‑school email flooding with modern collaboration tool abuse. The result is a surprisingly effective attack chain that leaves victims thinking they’ve just solved a spam problem – when in reality, they’ve handed attackers the keys to the kingdom.

How UNC6692 gets in

According to the report from Mandiant and Google’s threat analysts, the attack doesn’t start with a sophisticated exploit. Instead, it begins with a crude but clever tactic: mass email bombing. The attacker floods a targeted employee’s corporate inbox with hundreds or even thousands of spam messages – everything from fake newsletters to undeliverable receipt notifications.

The goal is pure psychological manipulation. Within minutes, the victim’s Outlook or Gmail becomes unusable, generating a sense of urgency and panic. “That’s when the real attack begins,” the report notes. An external account then reaches out to the victim via Microsoft Teams, posing as a member of the company’s internal IT helpdesk. The message is friendly, professional, and offers to fix the spam problem right away.

Because the employee is already overwhelmed by the inbox flood, many accept the chat invitation without a second thought. But as the researchers discovered, the “IT support” agent quickly sends a phishing link disguised as a legitimate repair tool.

As detailed in a recent analysis by Cybersecurity News, the fake page is designed to look convincingly real – complete with Microsoft branding and a progress bar.

The page is called “Mailbox Repair and Sync Utility v2.1.5”, and it features a large green button labeled “Health Check.” Employees who click are prompted to enter their corporate email credentials. Behind the scenes, those credentials are exfiltrated directly to an attacker‑controlled AWS S3 bucket.

But the attackers don’t stop there. According to Mandiant, an AutoHotKey script downloads silently in the background while the victim watches the fake repair screen spin. That script proceeds to install the group’s custom malware toolkit – a trio of components designed for persistence, stealth, and network expansion.

What SNOW actually does

The malware suite, which researchers have collectively named SNOW, consists of three distinct pieces, each with a specific role.

SNOWBELT – The browser backdoor

First is SNOWBELT, a malicious Chromium browser extension that disguises itself as a legitimate enterprise tool called either “MS Heartbeat” or “System Heartbeat.” Once installed, it acts as the primary backdoor, monitoring all browser activity, intercepting keystrokes, and maintaining a persistent connection to the attacker’s command server. Because it lives inside the browser, it rarely triggers traditional antivirus scans.

SNOWGLAZE – The traffic tunneler

The second component, SNOWGLAZE, is a Python‑based tunneler. Its job is to push malicious traffic through the victim’s machine to the group’s C2 (command‑and‑control) server, but it does so using WebSocket connections. To avoid detection, SNOWGLAZE wraps every piece of stolen data in Base64‑encoded JSON, making it look like standard encrypted web traffic – think routine API calls or cloud sync activity.
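The Base64‑in‑JSON wrapping described above is easy to spot once you look for it. As an added example (not code from the report or from the SNOW tooling), the Python below classifies WebSocket text frames and flags a connection whose traffic is mostly Base64 strings that decode to JSON objects; the frame format and the sample session are constructed assumptions, and frames are assumed to come from a proxy or capture that already exposes the WebSocket payloads.

```python
import base64
import json


def _is_json_object(s):
    """True if the string parses as a JSON object (dict), not a scalar or list."""
    try:
        return isinstance(json.loads(s), dict)
    except ValueError:
        return False


def classify_frame(text):
    """Classify one WebSocket text frame as 'json', 'b64_json' or 'other'."""
    if _is_json_object(text):
        return "json"
    try:
        # validate=True rejects anything outside the Base64 alphabet or badly padded;
        # a decode failure to UTF-8 also lands in the except (it is a ValueError).
        decoded = base64.b64decode(text, validate=True).decode("utf-8")
    except ValueError:
        return "other"
    return "b64_json" if _is_json_object(decoded) else "other"


def suspicious_connection(frames, min_frames=5, min_ratio=0.8):
    """Flag a connection when at least min_ratio of its frames are Base64-wrapped JSON."""
    if len(frames) < min_frames:
        return False  # too little traffic to judge; avoid alerting on a single frame
    hits = sum(1 for f in frames if classify_frame(f) == "b64_json")
    return hits / len(frames) >= min_ratio


def _wrap(obj):
    """Constructed stand-in for the tunnel's wrapping: Base64 over a JSON object."""
    return base64.b64encode(json.dumps(obj).encode()).decode()


# Constructed samples: a tunnel-style session versus an ordinary chat-style session.
TUNNEL_FRAMES = [_wrap({"id": i, "data": "Q1JFRA=="}) for i in range(6)]
NORMAL_FRAMES = ['{"type":"heartbeat"}', "ping", "aGVsbG8=",
                 '{"type":"msg","body":"hi"}', "pong"]

if __name__ == "__main__":
    print("tunnel session flagged:", suspicious_connection(TUNNEL_FRAMES))
    print("normal session flagged:", suspicious_connection(NORMAL_FRAMES))
```

Real deployments would add per‑host baselining, since some legitimate APIs also Base64‑wrap JSON; the ratio threshold is where that tuning goes.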

SNOWBASIN – The persistent remote access

Beneath everything sits SNOWBASIN, a persistent backdoor that gives the attacker remote command execution, screenshot capture, and on‑demand file access. Even if the browser extension is removed or the Python tunneler is killed, SNOWBASIN remains dormant on the system, waiting for a reactivation signal.

“Together, the three components give UNC6692 a quiet, durable foothold that blends into routine browser and network activity,” Mandiant’s report explains. “It’s not noisy ransomware. It’s a slow, methodical compromise designed to steal credentials and explore the network for weeks or months.”

Where it goes from there

Once the initial foothold is established, UNC6692 shifts into lateral movement mode. The group scans the local network for open ports – especially SMB, RDP, and LDAP – and quickly pivots toward domain controllers.

According to Mandiant’s technical write‑up, the attackers use Pass‑the‑Hash techniques with stolen NTLM password hashes extracted from the victim’s memory. In one observed case, the group located a backup server, extracted LSASS process memory, and exfiltrated the memory dump using an unlikely tool: LimeWire – the legacy peer‑to‑peer file‑sharing protocol. By disguising the exfiltration as a harmless file transfer, they avoided raising alarms on corporate firewalls.

Once the attackers gain access to a domain controller, the real damage begins. Using FTK Imager – a legitimate forensic imaging tool – they pull the entire Active Directory database file (NTDS.dit), along with the Security Account Manager (SAM) and SYSTEM registry hives. All of this sensitive data is again exfiltrated via LimeWire before the group takes screen captures of the domain controller’s administrative panels – likely for later validation that the compromise is complete.

What enterprises should do right now

The report from Google Cloud’s threat intelligence blog emphasizes that Microsoft Teams does display a warning when messages arrive from outside the organization. However, many employees have grown numb to these banners, especially when they’re already dealing with an inbox crisis.

The researchers offer three concrete recommendations:

  1. Restrict external Teams chat requests to approved domains only, or disable them entirely unless explicitly needed.
  2. Implement a verification protocol – any unsolicited IT support request should be verified through a known internal channel (Slack, email from a trusted address, or a phone call to the official helpdesk number).
  3. Monitor for AutoHotKey script executions and unauthorized use of tools like LimeWire, FTK Imager, or any process attempting to dump LSASS memory.
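To make recommendation 3 concrete, here is an added example (not from Mandiant's or Google's report) of a Python triage function over endpoint telemetry. It assumes a simplified Sysmon‑like event shape (ID 1 = process create, ID 10 = process access with a hex GrantedAccess mask); the event records, paths and user names are constructed, and the tool names come from the recommendation itself.

```python
import ntpath

PROCESS_VM_READ = 0x0010  # access right needed to read another process's memory

# Constructed sample events in a simplified Sysmon-like shape; not from the report.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Users\jdoe\AppData\Local\Temp\AutoHotkey.exe",
     "cmdline": r"AutoHotkey.exe C:\Users\jdoe\Downloads\repair.ahk"},
    {"id": 1, "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
    {"id": 10, "source": r"C:\Users\jdoe\AppData\Local\Temp\svc.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1FFFFF"},
    {"id": 10, "source": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\System32\lsass.exe", "access": "0x1000"},
    {"id": 1, "image": r"C:\Program Files\AccessData\FTK Imager\FTK Imager.exe",
     "cmdline": '"FTK Imager.exe"'},
    {"id": 1, "image": r"C:\Users\jdoe\AppData\Local\LimeWire\LimeWire.exe",
     "cmdline": "LimeWire.exe"},
]

# Tools named in the recommendation, keyed by lower-cased image basename.
WATCHED_TOOLS = {"ftk imager.exe": "forensic_imager", "limewire.exe": "p2p_client"}


def classify(event):
    """Return the detection tags that apply to one event (empty list if benign)."""
    tags = []
    if event["id"] == 1:
        image = ntpath.basename(event["image"]).lower()
        cmd = event.get("cmdline", "").lower()
        # AutoHotKey interpreter launched, or any process handed a .ahk script
        if image.startswith("autohotkey") or ".ahk" in cmd:
            tags.append("autohotkey_execution")
        if image in WATCHED_TOOLS:
            tags.append(WATCHED_TOOLS[image])
    elif event["id"] == 10:
        target = ntpath.basename(event["target"]).lower()
        mask = int(event["access"], 16)
        # Reading lsass memory is the primitive behind credential dumping;
        # 0x1000 (query limited info) alone is routine and is not flagged.
        if target == "lsass.exe" and mask & PROCESS_VM_READ:
            tags.append("lsass_memory_read")
    return tags


def scan(events):
    """Run classify over an event stream and return (index, tag) pairs for review."""
    return [(i, t) for i, e in enumerate(events) for t in classify(e)]


if __name__ == "__main__":
    for idx, tag in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {tag}")
```

In production the same rules would be expressed in your SIEM or EDR query language, with an allow‑list for forensic staff who legitimately run FTK Imager.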

UNC6692 is a reminder that the simplest human emotions – frustration, urgency, and the desire to fix a broken inbox – remain the most effective attack vectors. As more enterprises embrace Microsoft Teams as a central collaboration hub, attackers are already listening in on the conversation.


For ongoing updates on this campaign and other Microsoft Teams‑based threats, follow the full analysis at Cybersecurity News and the Google Cloud Threat Intelligence blog.