A newly identified threat cluster called UNC6692 has used Microsoft Teams impersonation and a spam email flood to break into corporate networks, according to a technical analysis from Mandiant. The activity relied on a custom malware chain, including a malicious browser extension and related tools, and was aimed at follow-on access, credential theft and data exfiltration.
KEY FACTS
- Entry method: Victims were first hit with email bombing and then contacted on Microsoft Teams by someone posing as IT support.
- Payload: The attack used a phishing page that delivered an AutoHotkey script from an attacker-controlled AWS S3 bucket.
- Malware: The chain deployed SNOWBELT, SNOWGLAZE and SNOWBASIN, which supported command execution, tunneling and persistence.
- Follow-on actions: Post-intrusion activity included network scanning, PsExec use, RDP access, LSASS memory extraction and data theft.
The phishing page was labeled “Mailbox Repair and Sync Utility v2.1.5” and instructed targets to install a local patch to fix the spam issue. Once opened, it checked the victim’s browser and warned users who were not on Microsoft Edge, while also presenting a fake configuration panel with a “Health Check” button that harvested mailbox credentials.
The report said the attacker used a gatekeeper script to limit delivery to intended targets and reduce exposure in automated sandboxes. The malware then downloaded additional files, including a ZIP archive with a portable Python executable, while SNOWBASIN acted as a persistent backdoor that could run commands, capture screenshots and move files.
ReliaQuest separately said similar help desk impersonation campaigns have increasingly targeted executives and senior employees, with 77% of observed incidents from March 1 to April 1, 2026 aimed at senior-level staff. The company said the approach has been used for initial access that can lead to data theft, lateral movement and ransomware deployment.
Microsoft also warned that attackers are using cross-tenant Teams communications to push victims toward remote support tools such as Quick Assist, then moving to reconnaissance, encrypted command-and-control traffic, fallback remote access and file transfer tools such as Rclone.
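A defender-side correlation of the entry pattern described in the key facts and in Microsoft's warning above (an inbound mail flood, then an external-tenant Teams contact posing as IT support), written as an added example that is not from the Mandiant, ReliaQuest or Microsoft reports; the event records, field names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not from the reports): mail delivery and Teams
# message events, each with an ISO-8601 timestamp and the receiving user.
EVENTS = (
    # six inbound mails to alice within five minutes: the "email bombing" stage
    [{"ts": f"2026-03-10T09:0{i}:00", "type": "mail", "user": "alice"} for i in range(6)]
    + [
        # external-tenant Teams message to alice 35 minutes later, posing as IT
        {"ts": "2026-03-10T09:40:00", "type": "teams", "user": "alice",
         "external": True, "sender": "it-support@helpdesk-contoso.example"},
        # normal traffic for bob: one mail and an internal Teams message
        {"ts": "2026-03-10T10:00:00", "type": "mail", "user": "bob"},
        {"ts": "2026-03-10T10:05:00", "type": "teams", "user": "bob",
         "external": False, "sender": "carol@corp.example"},
    ]
)

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def find_mail_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Map each user to the time their inbox first saw >= threshold mails
    inside a sliding window (the flood that precedes the Teams contact)."""
    per_user = defaultdict(list)
    for e in events:
        if e["type"] == "mail":
            per_user[e["user"]].append(_ts(e))
    bursts = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1          # slide the window forward
            if end - start + 1 >= threshold:
                bursts[user] = t    # record when the burst crossed the threshold
                break
    return bursts

def detect_helpdesk_followup(events, followup=timedelta(hours=2), **burst_args):
    """Flag external Teams messages that reach a user within `followup` of a
    mail burst: the flood-then-fake-IT-contact sequence, not either signal alone."""
    bursts = find_mail_bursts(events, **burst_args)
    hits = []
    for e in events:
        if e["type"] != "teams" or not e.get("external"):
            continue
        burst_end = bursts.get(e["user"])
        if burst_end and timedelta(0) <= _ts(e) - burst_end <= followup:
            hits.append({"user": e["user"], "sender": e["sender"], "teams_ts": e["ts"]})
    return hits
```

Tune `threshold`, `window` and `followup` to the mail volume of the users being monitored; an external Teams message on its own is routine, and it is the sequence after a flood that warrants a help desk verification call-back.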
WHY IT MATTERS
The activity shows how trusted collaboration tools, cloud services and legitimate remote support software can be combined to bypass common defenses. It also highlights the need for stricter verification of help desk requests, tighter controls on external messaging and stronger monitoring for unusual remote access behavior.