Microsoft Teams Phishing Attacks Impersonate IT Helpdesk Staff
Key Takeaways A new threat actor, UNC6692, is conducting a sophisticated multi-stage intrusion campaign. The campaign leverages Microsoft Teams to impersonate IT helpdesk staff, tricking users into...
Key Takeaways
- A new threat actor, UNC6692, is conducting a sophisticated multi-stage intrusion campaign.
- The campaign leverages Microsoft Teams to impersonate IT helpdesk staff, tricking users into installing custom malware.
- UNC6692’s method relies on social engineering and abuse of legitimate cloud services, not software vulnerabilities.
- The attack chain leads to full domain compromise, including the exfiltration of Active Directory databases.
Sophisticated Campaign Exploits Trust, Not Vulnerabilities, for Full Domain Compromise
A newly identified threat group, designated UNC6692, is executing a highly sophisticated, multi-stage intrusion campaign aimed at achieving deep penetration into enterprise networks. This operation distinguishes itself by weaponizing Microsoft Teams impersonation, deploying a custom modular malware suite, and extensively abusing legitimate cloud infrastructure. Notably, the group achieves its objectives without exploiting a single software vulnerability.
Table Of Content
Researchers from the Google Threat Intelligence Group (GTIG) and Mandiant publicly disclosed details of the campaign on April 22, 2026. Their findings illuminate how UNC6692 systematically manipulates employee trust in common enterprise tools to ultimately gain full domain-level access within targeted organizations.
Initial Engagement: Email Bombing and Teams Phishing
The campaign commenced in late December 2025 with UNC6692 launching a mass email bombing assault against its targets. This deliberate flooding of inboxes was designed to create confusion and a sense of urgency among recipients.
As victims grappled with the overwhelming influx of emails, the threat actor delivered a crucial follow-up: a phishing message sent directly via Microsoft Teams. In this message, the attacker convincingly posed as an IT helpdesk employee, offering assistance with the email volume and appearing to resolve the very problem they initiated.
Microsoft, in its own advisory issued in April 2026, confirmed that this technique does not involve a zero-day exploit or any software flaw. Instead, the campaign abuses legitimate external collaboration features within Teams, successfully convincing users to bypass multiple, explicit security warnings presented by the platform.
Victims, believing they were communicating with internal IT support, accepted the Teams chat invitation from an account external to their organization—a seemingly innocuous action that proved to have catastrophic security implications.
Infection Chain: From Teams Chat to Full Compromise
Once communication was established, the attacker directed the victim to click a link. This link purportedly led to a “local patch” designed to prevent further email spamming. The destination was a highly convincing phishing landing page, meticulously crafted to mimic a “Mailbox Repair and Sync Utility v2.1.5.” This malicious page was hosted on an attacker-controlled AWS S3 bucket, as Google reported.
The phishing page implemented a multi-phase attack pipeline to maximize its effectiveness:
- Phase 1 – Environment Gating: A gatekeeper script initially verified the URL for a mandatory
?email=parameter. It then forced victims to use Microsoft Edge via themicrosoft-edge:URI scheme, ensuring the subsequent exploits would function optimally. - Phase 2 – Credential Harvesting: A deceptive “Health Check” initiated an authentication prompt. This prompt was engineered to reject the first two password attempts by design, employing a psychological “double-entry” trick. This tactic aimed to ensure typo-free credential capture before exfiltrating them to an S3 bucket.
- Phase 3 – Distraction Sequence: A fake progress bar was displayed, showing messages such as “Parsing configuration data” and “Checking mailbox integrity.” This visual distraction served to mask real-time data exfiltration occurring in the background.
- Phase 4 – Malware Staging: While the progress bar was active, an AutoHotkey binary and script were downloaded from AWS S3. These files were automatically executed upon landing in the same directory, leading to the installation of SNOWBELT, a malicious Chromium browser extension. SNOWBELT masqueraded as legitimate software, often named “MS Heartbeat” or “System Heartbeat.”
The SNOW Malware Ecosystem
UNC6692’s bespoke toolset, collectively known as the SNOW ecosystem, is a sophisticated, coordinated three-component modular framework:
| Component | Type | Role |
|---|---|---|
| SNOWBELT | JavaScript browser extension | Initial foothold; intercepts and relays C2 commands; uses DGA-based S3 URLs for C2 |
| SNOWGLAZE | Python-based WebSocket tunneler | Routes TCP traffic through the victim via a SOCKS proxy to a Heroku C2 server |
| SNOWBASIN | Python local HTTP server (port 8000) | Executes shell commands, captures screenshots, exfiltrates files |
SNOWBELT establishes persistence through several mechanisms, including a Windows Startup folder shortcut, two scheduled tasks, and a headless Microsoft Edge process that silently loads the extension.
SNOWGLAZE plays a critical role in masking malicious traffic. It wraps data in Base64-encoded JSON objects over WebSockets, making the command-and-control (C2) communications appear as standard encrypted web traffic, thereby evading detection.
Following initial access, UNC6692 leverages SNOWBASIN to execute a Python script that scans the local network for open ports 135, 445, and 3389. Utilizing PsExec sessions routed through the SNOWGLAZE tunnel, the attackers enumerate local administrator accounts and initiate an RDP session to a backup server.
On the backup server, the threat actor employed Windows Task Manager to dump the LSASS process memory, capturing password hashes. This memory dump was then exfiltrated using LimeWire.
With the stolen hashes securely off the network, the attackers performed offline credential extraction. They subsequently used a Pass-the-Hash technique to authenticate directly to domain controllers, circumventing the need for plaintext passwords.
Once on the domain controller, the attacker downloaded FTK Imager, mounted the local drive, and extracted the Active Directory database (NTDS.dit), along with the SAM, SYSTEM, and SECURITY registry hives. These “crown jewels” of any Windows enterprise environment were also exfiltrated via LimeWire. EDR telemetry confirmed the attacker’s mission completion by capturing targeted screenshots of active FTK Imager and Edge windows.
A defining characteristic of the UNC6692 campaign is its systematic and pervasive abuse of legitimate cloud services. Every stage of the attack—from payload delivery and credential exfiltration to C2 infrastructure and data staging—relied on trusted platforms such as AWS S3 and Heroku.
This “living off the cloud” strategy allows malicious traffic to blend seamlessly into the high volumes of encrypted, reputably sourced web traffic. This significantly diminishes the effectiveness of traditional domain reputation filters and IP-based blocklists.
To counter such sophisticated attacks, defenders must expand their visibility beyond conventional process monitoring. This includes scrutinizing browser extension activity, unauthorized cloud egress traffic, and the presence of headless browser processes.
Crucially, organizations should restrict or closely monitor Microsoft Teams external access settings to prevent unknown tenants from initiating chat sessions with employees. As the UNC6692 campaign starkly demonstrates, the weakest link in enterprise security is not always a misconfigured server, but often an employee who places trust in a Teams message from someone claiming to be IT.
Indicators of Compromise (IOCs)
- Phishing URL Pattern:
https://service-page-[ID]-outlook.s3.us-west-2.amazonaws.com/update.html?email= - C2 Server:
wss://sad4w7h913-b4a57f9c36eb[.]herokuapp[.]com:443/ws - SNOWBELT C2 URL Pattern:
https://[a-f0-9]{24}-[0-9]{6,7}-[0-9]{1}.s3.us-east-2.amazonaws[.]com - SNOWBELT VAPID Key:
BJkWCT45mL0uvV3AssRaq9Gn7iE2N7Lx38ZmWDFCjwhz0zv0QSVhKuZBLTTgAijB12cgzMzqyiJZr5tokRzSJu0 - Masquerading Files:
RegSrvc.exe(AutoHotKey binary),Protected.ahk,SysEvents(SNOWBELT extension directory).
What You Should Do
- Strengthen User Awareness Training: Educate employees about the dangers of social engineering, especially phishing attempts via internal communication platforms like Microsoft Teams, and impersonation of IT staff.
- Implement Multi-Factor Authentication (MFA): Enforce MFA across all enterprise applications and services, particularly for access to cloud resources and sensitive systems.
- Review External Collaboration Settings: Regularly audit and restrict external access settings in Microsoft Teams and other collaboration tools. Limit who can initiate chats or join channels from outside the organization.
- Monitor Cloud Egress Traffic: Enhance monitoring capabilities to detect unusual or unauthorized data exfiltration to cloud storage services like AWS S3 or Heroku.
- Enhance Endpoint Detection and Response (EDR): Configure EDR solutions to monitor for suspicious browser extension installations, headless browser processes, and uncommon process execution chains (e.g., Task Manager dumping LSASS).
- Segment Network and Enforce Least Privilege: Implement network segmentation to limit lateral movement and ensure users and systems operate with the principle of least privilege.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.