CyberSecurity SEE

UNC6692 Impersonates IT Helpdesk on Microsoft Teams to Deploy SNOW Malware

Microsoft Teams Exploited by Threat Group UNC6692 in Sophisticated Malware Attack

A newly discovered threat cluster, known as UNC6692, is utilizing social engineering techniques via Microsoft Teams to launch an intricate cyberattack that deploys a bespoke malware suite on compromised systems. This alarming revelation comes from a report released today by Mandiant, a cybersecurity firm owned by Google.

The report highlights that UNC6692 has adopted a familiar tactic reminiscent of previous intrusions: impersonating IT helpdesk personnel. The attackers convince victims to accept chat invitations from accounts they believe to be legitimate, but that actually originate from outside their organization. This method has become increasingly common in recent years, raising concerns over the increasing sophistication and adaptiveness of cybercrime.

The operation by UNC6692 is largely propelled by a massive email campaign intended to inundate targets with a deluge of spam messages, thereby creating a contrived sense of urgency. Following the email blitz, the threat actors proceed to reach out via Microsoft Teams, posing as IT support staff offering assistance with the alleged email problem. This dual-layered approach significantly enhances their chances of success.

Interestingly, this tactic of overwhelming victims’ inboxes, followed by impersonation via communication platforms, has also been employed by former affiliates of the notorious Black Basta group. Despite the dissolution of their ransomware operations early last year, the effectiveness of their strategies remains apparent, as other threat actors continue to utilize these methods without signs of slowing down.

According to a report by ReliaQuest published just last week, this approach is increasingly being used to target high-ranking executives and senior employees within companies. Such targeting is particularly concerning, as these individuals often have greater access to sensitive corporate data, making them prime targets for potential data theft, lateral movement within networks, ransomware deployment, and even extortion.

The statistics included in the ReliaQuest report offer a stark picture: from March 1 to April 1, 2026, a striking 77% of observed incidents specifically targeted senior-level personnel. This figure marks a notable increase from the 59% observed in the preceding two months, suggesting that the effectiveness of these social engineering attacks is prompting a shift in focus toward higher-value targets.

In a departure from the usual pattern, UNC6692 instructs the victim to click a phishing link shared in the Teams chat and install a local "patch" that supposedly fixes the spam problem. The phishing page, labeled "Mailbox Repair and Sync Utility v2.1.5," triggers the download of an AutoHotkey script hosted on an attacker-controlled Amazon Web Services (AWS) S3 bucket.

The AutoHotkey script performs basic reconnaissance and then installs a malicious browser extension, tracked as SNOWBELT, in Microsoft Edge. It does this by launching Edge in headless mode and passing a command-line switch intended for loading extensions.
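One way a SOC could hunt for the delivery step described above, as an added example that is not from the article or from Mandiant's report: it scores process-creation events for a browser being started headless with an extension side-loaded from the command line by a script host. It assumes Chromium's `--headless` and `--load-extension` switches (the article does not name the switch) and a Sysmon/EDR-style record with parent image, image and command line; the sample events are constructed for this example.

```python
"""Score browser launches that match the headless-extension delivery pattern.

Assumptions (not stated in the article): the switch is Chromium's
--load-extension, headless mode is requested with --headless, and events are
EDR/Sysmon-style process-creation records. All sample events are constructed.
"""
import re
from dataclasses import dataclass, field

BROWSER_IMAGES = ("msedge.exe", "chrome.exe", "brave.exe")
# Script hosts and interpreters a helpdesk-lure script might use to start the
# browser; a browser whose parent is one of these deserves a closer look.
SCRIPT_PARENTS = ("autohotkey", "wscript.exe", "cscript.exe", "powershell.exe",
                  "pwsh.exe", "cmd.exe", "mshta.exe")
# Locations an unprivileged user can write to (compared case-insensitively).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\appdata\\local\\", "\\downloads\\", "\\public\\")

HEADLESS_RE = re.compile(r"(?:^|\s)--headless(?:=\S+)?(?=\s|$)")
# Captures the extension directory, quoted or unquoted.
LOAD_EXT_RE = re.compile(r'(?:^|\s)--load-extension=(?:"([^"]+)"|(\S+))')


@dataclass
class Finding:
    severity: str                      # "high", "medium", "low" or "none"
    reasons: list = field(default_factory=list)
    extension_path: str = ""


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(event: dict) -> Finding:
    """Score one process-creation event; only browser launches are considered."""
    if _basename(event.get("image", "")) not in BROWSER_IMAGES:
        return Finding("none")

    cmd = event.get("cmdline", "")
    reasons = []
    headless = bool(HEADLESS_RE.search(cmd))
    ext_match = LOAD_EXT_RE.search(cmd)
    ext_path = (ext_match.group(1) or ext_match.group(2)) if ext_match else ""

    if ext_match:
        reasons.append("extension side-loaded via --load-extension")
        if any(marker in ext_path.lower() for marker in USER_WRITABLE):
            reasons.append("extension path is in a user-writable location")
    if headless:
        reasons.append("browser started in headless mode")
    parent = _basename(event.get("parent", ""))
    if any(parent.startswith(p) for p in SCRIPT_PARENTS):
        reasons.append(f"browser spawned by script host {parent}")

    # Headless plus a side-loaded extension is the delivery step itself; a
    # side-loaded extension with one more signal (scripted parent or
    # user-writable path) is weaker but still worth triage.
    if ext_match and headless:
        severity = "high"
    elif ext_match and len(reasons) >= 2:
        severity = "medium"
    elif ext_match or headless:
        severity = "low"
    else:
        severity = "none"
    return Finding(severity, reasons, ext_path)


def detect(events) -> list:
    """Return (index, Finding) pairs for every event that is not benign."""
    hits = []
    for i, event in enumerate(events):
        finding = score_event(event)
        if finding.severity != "none":
            hits.append((i, finding))
    return hits


# Constructed sample telemetry: a normal launch, the pattern under discussion,
# a developer side-loading an unpacked extension, and a non-browser process.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [
    {"parent": r"C:\Windows\explorer.exe", "image": EDGE,
     "cmdline": f'"{EDGE}" --profile-directory=Default https://intranet.example'},
    {"parent": r"C:\Users\alice\AppData\Local\Temp\AutoHotkey64.exe", "image": EDGE,
     "cmdline": f'"{EDGE}" --headless=new '
                r'--load-extension="C:\Users\alice\AppData\Roaming\mrs\ext" '
                "--no-first-run about:blank"},
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" '
                r"--load-extension=C:\dev\myext --user-data-dir=C:\dev\profile"},
    {"parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for idx, finding in detect(SAMPLE_EVENTS):
        print(idx, finding.severity, "; ".join(finding.reasons))
```

The scoring deliberately keeps a developer's own `--load-extension` launch at medium rather than high: the combination with headless mode and a script-host parent is what distinguishes the delivery described in the article from legitimate extension development, so tune the thresholds to your own baseline of browser launches before alerting on medium findings.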

Moreover, the attackers employ a sophisticated gatekeeper script to ensure that their payloads are delivered exclusively to intended targets. This strategy helps them evade traditional security measures and automated systems, which typically monitor for malicious activity.

The phishing page not only serves to execute the malicious script but also masquerades as a Configuration Management Panel, featuring a conspicuous “Health Check” button. When users click this button, they are prompted to submit their mailbox credentials under the pretense of needing authentication; however, this data is swiftly exfiltrated to another AWS S3 bucket controlled by the attackers.

The malware suite deployed by UNC6692 is modular in design, consisting of several components that collectively enhance the attackers’ capabilities. SNOWBELT serves as a JavaScript-based backdoor, while SNOWGLAZE operates as a tunneling utility, establishing a secure WebSocket tunnel between the compromised internal network and the attackers’ command-and-control server. Meanwhile, SNOWBASIN acts as a persistent backdoor, enabling remote command execution along with various other functionalities.

After gaining initial access, UNC6692 carries out post-exploitation activity, including scanning the local network for ports of interest and moving laterally within the compromised environment over the communication channels it has already established.

Overall, the UNC6692 campaign underscores a concerning evolution in cyberattack strategies, particularly through the cunning use of social engineering alongside tailored malware and malicious browser extensions. By exploiting legitimate cloud services for both payload delivery and data exfiltration, the attackers can often elude established security protocols, blending in with legitimate internet traffic.

As part of ongoing threats, Cato Networks also outlined a separate campaign that similarly employs employee impersonation through Microsoft Teams to propagate a WebSocket-based trojan known as PhantomBackdoor. This suggests that such tactics have become increasingly pervasive.

In light of these developments, cybersecurity experts urge businesses to treat collaboration tools as critical surfaces for potential attacks. Implementing stringent verification processes for helpdesk requests, tightening controls on external communications and screen sharing via Teams, and hardening PowerShell against abuse are crucial steps that organizations must take to safeguard their digital environments against these evolving threats.
