Hackers Breach Orgs via Microsoft Teams as IT Helpdesk

David kimber
April 24, 2026

A newly identified threat group, UNC6692, is executing a sophisticated multistage intrusion campaign designed to deeply penetrate enterprise networks. This operation leverages Microsoft Teams impersonation, a custom modular malware suite, and cloud infrastructure abuse. Crucially, the group achieves its objectives without exploiting a single software vulnerability.

Table Of Content

  • Infection Chain: From Teams Chat to Full Compromise
  • The SNOW Malware Ecosystem
  • Indicators of Compromise (IOCs)

Google Threat Intelligence Group (GTIG) and Mandiant researchers disclosed the campaign on April 22, 2026, revealing how UNC6692 systematically manipulates employee trust in everyday enterprise tools to gain full domain-level access.

In late December 2025, UNC6692 launched a mass email bombing campaign against its targets, deliberately flooding inboxes to create a sense of urgency and confusion.

With victims overwhelmed and distracted, the threat actor delivered the critical blow by sending a phishing message directly over Microsoft Teams, with the attacker posing as an IT helpdesk employee offering assistance with the email volume.

This technique is not a zero-day exploit or a software flaw. As Microsoft noted in its own April 2026 advisory, the campaign abuses legitimate external collaboration features in Teams, with attackers convincing users to override multiple, clearly presented security warnings.

Victims accepted the Teams chat invitation from an account outside their organization, a seemingly minor action with catastrophic consequences.

Infection Chain: From Teams Chat to Full Compromise

Once in contact, the attacker directed the victim to click a link to install a “local patch” that purportedly prevents email spamming. The link led to a convincing phishing landing page masquerading as a “Mailbox Repair and Sync Utility v2.1.5”, hosted on an attacker-controlled AWS S3 bucket, Google said.

The page enforced a multi-phase attack pipeline:

  • Phase 1 – Environment Gating: A gatekeeper script checked the URL for a mandatory ?email= parameter and forced victims onto Microsoft Edge via the microsoft-edge: URI scheme, ensuring exploits would be most effective.
  • Phase 2 – Credential Harvesting: A fake “Health Check” triggered an authentication prompt that rejected the first two password attempts by design — a psychological “double-entry” trick to ensure typo-free credential capture before exfiltrating them to an S3 bucket.
  • Phase 3 – Distraction Sequence: A fake progress bar displayed messages like “Parsing configuration data” and “Checking mailbox integrity” to mask real-time data exfiltration in the background.
  • Phase 4 – Malware Staging: While the progress bar ran, an AutoHotkey binary and script were downloaded from AWS S3 and automatically executed upon landing in the same directory — installing SNOWBELT, a malicious Chromium browser extension masquerading as “MS Heartbeat” or “System Heartbeat”.

The SNOW Malware Ecosystem

UNC6692’s toolset, dubbed the SNOW ecosystem, is a coordinated three-component modular framework:

Component | Type | Role
SNOWBELT | JavaScript browser extension | Initial foothold; intercepts and relays C2 commands; uses DGA-based S3 URLs for C2
SNOWGLAZE | Python-based WebSocket tunneler | Routes TCP traffic through the victim via a SOCKS proxy to a Heroku C2 server
SNOWBASIN | Python local HTTP server (port 8000) | Executes shell commands, captures screenshots, exfiltrates files

SNOWBELT maintained persistence through a Windows Startup folder shortcut, two scheduled tasks, and a headless Microsoft Edge process silently loading the extension.

SNOWGLAZE masked malicious traffic by wrapping data in Base64-encoded JSON objects over WebSockets, making it appear as standard encrypted web traffic.

After establishing initial access, UNC6692 executed a Python script via SNOWBASIN to scan the local network for open ports 135, 445, and 3389. Using PsExec sessions routed through the SNOWGLAZE tunnel, the attackers enumerated local administrator accounts and initiated an RDP session to a backup server.

On the backup server, the threat actor used Windows Task Manager to dump the LSASS process memory, capturing password hashes, and exfiltrated the dump via LimeWire.

With hashes in hand and safely off the network, the attacker performed offline credential extraction, then used Pass-the-Hash to authenticate directly to domain controllers without ever needing plaintext passwords.

On the domain controller, the attacker downloaded FTK Imager, mounted the local drive, and extracted the Active Directory database (NTDS.dit), SAM, SYSTEM, and SECURITY registry hives, the crown jewels of any Windows enterprise environment.

These were also exfiltrated via LimeWire. EDR telemetry captured the attacker taking targeted screenshots of active FTK Imager and Edge windows, confirming mission completion.

A defining characteristic of the UNC6692 campaign is its systematic abuse of legitimate cloud services at every stage of the attack: payload delivery, credential exfiltration, C2 infrastructure, and data staging all relied on trusted platforms such as AWS S3 and Heroku.

This “living off the cloud” strategy allows malicious traffic to blend into high volumes of encrypted, reputably sourced web traffic, rendering domain reputation filters and IP-based blocklists largely ineffective.

Defenders must expand visibility beyond traditional process monitoring to include browser extension activity, unauthorized cloud egress traffic, and headless browser processes.

Critically, organizations should restrict or closely monitor Microsoft Teams external access settings to prevent unknown tenants from initiating chat sessions with employees.

As UNC6692 demonstrates, the weakest link in enterprise security is not always a misconfigured server; it is an employee who trusts a Teams message from someone claiming to be IT.

Indicators of Compromise (IOCs)

  • Phishing URL Pattern: https://service-page-[ID]-outlook.s3.us-west-2.amazonaws.com/update.html?email=
  • C2 Server: wss://sad4w7h913-b4a57f9c36eb[.]herokuapp[.]com:443/ws
  • SNOWBELT C2 URL Pattern: https://[a-f0-9]{24}-[0-9]{6,7}-[0-9]{1}.s3.us-east-2.amazonaws[.]com
  • SNOWBELT VAPID Key: BJkWCT45mL0uvV3AssRaq9Gn7iE2N7Lx38ZmWDFCjwhz0zv0QSVhKuZBLTTgAijB12cgzMzqyiJZr5tokRzSJu0
  • Masquerading Files: RegSrvc.exe (AutoHotkey binary), Protected.ahk (AutoHotkey script), SysEvents (SNOWBELT extension directory).
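
As an added example (not code from the GTIG/Mandiant report or from the SNOW toolset), the following Python script runs two kinds of checks over constructed telemetry: process rules for the SNOWBELT persistence technique described earlier (a headless Edge side-loading an extension, and an .ahk script executed by a binary not named AutoHotkey) and network rules built from the URL patterns in the IOC list above. The sample events, the "proc|"/"net|" line format and the rule names are assumptions.

```python
import ntpath
import re

# Constructed sample telemetry (not from the report): "proc|<command line>" or "net|<url>".
SAMPLE_EVENTS = [
    "proc|C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe --headless --load-extension=C:\\Users\\jdoe\\AppData\\Roaming\\SysEvents",
    "proc|C:\\Users\\jdoe\\Downloads\\RegSrvc.exe C:\\Users\\jdoe\\Downloads\\Protected.ahk",
    "proc|C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe --profile-directory=Default",
    "proc|C:\\Program Files\\AutoHotkey\\AutoHotkey.exe C:\\Scripts\\hotkeys.ahk",
    "net|https://0123456789abcdef01234567-1234567-3.s3.us-east-2.amazonaws.com/cmd",
    "net|https://service-page-7a1f-outlook.s3.us-west-2.amazonaws.com/update.html?email=jdoe%40example.com",
    "net|wss://sad4w7h913-b4a57f9c36eb.herokuapp.com:443/ws",
    "net|https://docs.python.org/3/",
]

# Network rules: the IOC patterns from the report with defanging brackets removed.
NET_RULES = {
    "snowbelt_dga_s3": re.compile(r"^https://[a-f0-9]{24}-[0-9]{6,7}-[0-9]\.s3\.us-east-2\.amazonaws\.com(/|$)"),
    "phishing_s3_page": re.compile(r"^https://service-page-[^./]+-outlook\.s3\.us-west-2\.amazonaws\.com/update\.html\?email="),
    "snowglaze_heroku_c2": re.compile(r"^wss://sad4w7h913-b4a57f9c36eb\.herokuapp\.com(:443)?/ws$"),
}
# Split a Windows command line into the executable (optionally quoted) and its arguments.
EXE_PREFIX = re.compile(r'^"?(?P<exe>.+?\.exe)"?(?:\s+(?P<args>.*))?$', re.IGNORECASE)
AHK_SCRIPT = re.compile(r"\.ahk\b", re.IGNORECASE)

def classify(event):
    """Return the name of the first rule an event matches, or None."""
    kind, _, value = event.partition("|")
    if kind == "net":
        for name, rx in NET_RULES.items():
            if rx.search(value):
                return name
    elif kind == "proc":
        m = EXE_PREFIX.match(value)
        if not m:
            return None
        exe = ntpath.basename(m.group("exe")).lower()
        args = m.group("args") or ""
        # SNOWBELT persistence: a headless Edge side-loading an unpacked extension directory.
        if exe == "msedge.exe" and "--headless" in args and "--load-extension=" in args:
            return "headless_edge_loads_extension"
        # AutoHotkey stager: an .ahk script run by a binary not named AutoHotkey (e.g. RegSrvc.exe).
        if AHK_SCRIPT.search(args) and not exe.startswith("autohotkey"):
            return "ahk_script_via_masquerading_binary"
    return None

def scan(events):
    """Return [(rule, value)] for every event that hits a rule, in input order."""
    hits = ((classify(ev), ev.partition("|")[2]) for ev in events)
    return [h for h in hits if h[0]]
```

The benign events (a normal Edge launch and a genuine AutoHotkey.exe running a script) produce no hits, so the rules key on the combination of flags and file names rather than on the presence of Edge or AutoHotkey alone.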
