
UNC6692 Hackers Are Using Microsoft Teams to Impersonate IT Staff and Breach Enterprises

By xploitzone
April 24, 2026 9:50 AM

A newly identified threat group, UNC6692, is exploiting Microsoft Teams to impersonate IT helpdesk staff and deploying the dangerous SNOW malware ecosystem, including SNOWBELT, SNOWGLAZE and SNOWBASIN, to silently breach enterprise networks and steal Active Directory credentials without triggering a single software vulnerability.

Trust Became the Most Powerful Weapon

Microsoft Teams is one of the most widely used enterprise communication platforms in the world today. Millions of employees work on it daily and trust it completely. But now hackers have turned this trust into their biggest weapon.

A new threat group named UNC6692 used Microsoft Teams impersonation, a custom modular malware suite and misuse of cloud infrastructure to infiltrate enterprise networks deeply, all without exploiting a single software vulnerability. This campaign was publicly disclosed by researchers from Google Threat Intelligence Group and Mandiant on April 22, 2026 and is one of the most dangerous social engineering attacks of the year.

How the Attack Begins

This attack does not start with a suspicious link or malware attachment. It starts with a flurry of messages. In late December 2025 UNC6692 launched a massive email campaign aimed at flooding the target's inbox with messages to create an atmosphere of urgency and confusion. The attacker then sent messages on Microsoft Teams posing as helpdesk staff and offering to fix the email problem.

This technique of posing as helpdesk staff on Teams after flooding the inbox was previously used by affiliates of the Black Basta ransomware group. That group has since been shut down, but its attack playbook is still fully active.

Executives Are the Primary Targets

This isn’t a random campaign; UNC6692 deliberately targeted the organization’s most important people. Senior-level employees were targeted in 77% of incidents observed between March 1 and April 1, 2026, a significant increase from 59% in February 2026, according to data compiled by ReliaQuest researchers John Dilgen and Alexa Feminella.

Senior employees have greater access privileges, so compromising their accounts is more profitable for attackers.

The Phishing Page and SNOW Malware Deployment

Once the victim accepts the Teams chat invitation from the attacker's external account, they are directed to click a link that supposedly installs a local patch. The phishing page is named Mailbox Repair and Sync Utility v2.1.5 and is hosted on an attacker-controlled AWS S3 bucket. It downloads an AutoHotkey script that installs SNOWBELT and a malicious Chromium-based browser extension, which is loaded into Microsoft Edge running in headless mode.

The SNOW malware ecosystem operates as a coordinated three-part framework. SNOWBELT serves as the initial foothold and receives C2 commands. SNOWGLAZE is a Python-based WebSocket tunneler that routes traffic through the victim to a Heroku C2 server, wrapping malicious data in Base64-encoded JSON so that it looks like normal web traffic. SNOWBASIN acts as a local HTTP server that executes shell commands, captures screenshots and exfiltrates files.

Cloud Evasion to Full Domain Takeover

UNC6692 is difficult to detect because it uses legitimate cloud platforms. The campaign relies entirely on trusted platforms such as AWS S3 and Heroku for payload delivery, credential exfiltration and command and control.

This allows malicious traffic to blend in with normal encrypted web traffic, rendering domain reputation filters and IP blocklists practically useless. This is the most dangerous aspect of the campaign: no traditional defense can stop it, because the traffic appears to come from completely reputable sources.

The final and most dangerous part of the attack was the takeover of Active Directory. After gaining access to the backup server, the threat actor dumped the memory of the LSASS process from Windows Task Manager, which contained password hashes. Then, using the Pass-the-Hash technique, they authenticated directly to the domain controllers without needing plaintext passwords.

Using FTK Imager on the domain controller, the Active Directory database NTDS.dit and the SAM, SYSTEM and SECURITY registry hives, the crown jewels of the entire Windows enterprise environment, were extracted and exfiltrated via LimeWire.

What Organizations Must Do Right Now

Threat actors are exploiting Microsoft Teams external collaboration features to pose as helpdesk staff and persuade employees to grant remote access, followed by lateral movement using legitimate tools. Organizations should immediately restrict Microsoft Teams external access settings to prevent unknown tenants from initiating chats with employees.

Security teams should not rely solely on process monitoring; they must also monitor browser extension activity, unauthorized cloud egress and headless browser processes running in the background. It is crucial that senior employees are trained to verify any IT helpdesk contact through an official internal channel, no matter how urgent the situation may seem.
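To make the monitoring advice above concrete, here is an added detection sketch (written for this article, not code from Google, Mandiant or the malware authors) that runs over constructed Sysmon-style process-create and file-create records and flags three behaviours described in the article: headless Edge with a sideloaded extension, an AutoHotkey script executed from a user directory, and Task Manager writing an LSASS dump. The event field names, the sample records and the rule names are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class Event:
    """Constructed Sysmon-style record; field names are assumptions."""
    event_id: int                 # 1 = process create, 11 = file create
    image: str = ""               # process performing the action
    command_line: str = ""
    parent_image: str = ""
    target_filename: str = ""     # only meaningful for file-create events

AHK = {"autohotkey.exe", "autohotkey64.exe", "autohotkeyu64.exe"}

def _exe(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(ev: Event) -> list[str]:
    """Names of every rule the event matches (empty when nothing fires)."""
    hits, exe, cmd = [], _exe(ev.image), ev.command_line.lower()
    if ev.event_id == 1:
        # Edge started without a UI, the way the article says the extension runs
        if exe == "msedge.exe" and re.search(r"--headless(=\w+)?\b", cmd):
            hits.append("headless_edge")
            if "--load-extension=" in cmd:      # unpacked extension sideloaded
                hits.append("sideloaded_extension")
        # AutoHotkey interpreter running a script out of Downloads or Temp
        if exe in AHK and re.search(r'\\(downloads|temp)\\[^\s"]*\.ahk', cmd):
            hits.append("ahk_script_user_dir")
    elif ev.event_id == 11:
        # Task Manager's "Create dump file" on lsass writes lsass.DMP to Temp
        if exe == "taskmgr.exe" and re.search(r"lsass.*\.dmp$", ev.target_filename.lower()):
            hits.append("lsass_dump_taskmgr")
    return hits

def detect(events: list[Event]) -> list[tuple[int, str]]:
    """(event index, rule name) for every rule hit, in event order."""
    return [(i, h) for i, ev in enumerate(events) for h in classify(ev)]

EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE = [  # constructed records, not real telemetry
    Event(1, EDGE, 'msedge.exe --headless=new --load-extension="C:\\Users\\a\\AppData\\Local\\Temp\\ext"',
          r"C:\Users\a\AppData\Local\Temp\AutoHotkey64.exe"),
    Event(1, r"C:\Program Files\AutoHotkey\v2\AutoHotkey64.exe",
          'AutoHotkey64.exe "C:\\Users\\a\\Downloads\\mailbox_repair.ahk"', r"C:\Windows\explorer.exe"),
    Event(1, EDGE, "msedge.exe --profile-directory=Default", r"C:\Windows\explorer.exe"),  # benign
    Event(11, r"C:\Windows\System32\Taskmgr.exe", "", "", r"C:\Users\a\AppData\Local\Temp\lsass.DMP"),
]

if __name__ == "__main__":
    for idx, rule in detect(SAMPLE):
        print(f"event {idx}: {rule}")
```

The benign Edge launch at index 2 produces no hit, which is the point of keying on the headless and extension flags rather than on the browser itself.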

xploitzone

Exploring the world of cybersecurity through in-depth analysis of vulnerabilities, data breaches and emerging threats. Delivering real insights, technical breakdowns and bug bounty discoveries for security enthusiasts and researchers.
