LimeWire and AWS: Mandiant Exposes Hackers Impersonating Microsoft Teams Help Desk

New Threat Cluster UNC6692 Exploits Microsoft Teams to Breach Corporate Networks

Mandiant and Google Threat Intelligence Group uncovered a previously unknown threat cluster, UNC6692, which has been active since late December 2025, impersonating IT help desk workers via Microsoft Teams to infiltrate corporate networks. The campaign, dubbed Snow Flurries, was detailed in a report published on April 24, 2026, revealing a sophisticated attack chain leveraging social engineering and custom malware.

Attack Methodology

UNC6692 initiates attacks with email bombing to overwhelm targets, followed by Microsoft Teams messages from external accounts posing as IT support. Victims are tricked into installing a fake "Mailbox Repair and Sync Utility" hosted on AWS S3, which harvests credentials through a deceptive double-entry password prompt. Stolen credentials are exfiltrated via asynchronous PUT requests to attacker-controlled Amazon S3 buckets.

The SNOW Malware Suite

The threat group deploys a three-part malware ecosystem:

  • SNOWBELT: A JavaScript-based Chromium extension (disguised as "MS Heartbeat") that communicates with command-and-control (C2) servers via AES-GCM-encrypted AWS S3 traffic at 30-minute intervals.
  • SNOWGLAZE: A Python-based WebSocket tunneler that establishes a secure, authenticated proxy between the victim’s network and the attacker’s C2, masquerading as Microsoft Edge traffic.
  • SNOWBASIN: A persistent backdoor enabling remote command execution, file exfiltration, and screenshot capture.
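The 30-minute polling cadence described for SNOWBELT is the kind of pattern that proxy or firewall logs can surface on their own, independent of the malware's encryption. The PowerShell below is an added example, not code from the article or from Mandiant: it parses constructed sample proxy lines (the log format, hostnames and addresses are invented for this example), groups requests by client and destination, and flags pairs whose gaps between requests are nearly constant.

```powershell
# Added example (not from the Rankiteo article or the Mandiant report): flag
# client/destination pairs in a web proxy log whose outbound requests recur at a
# near-constant interval, the cadence a fixed-period C2 poll to an S3 bucket
# produces. The log format and every sample line below are constructed.

# Constructed sample: "<timestamp> <client-ip> <destination-host> <method> <bytes>".
# 10.10.5.23 polls a bucket every ~30 minutes (a few seconds of drift); the same
# client also browses a documentation site at irregular intervals.
$SampleProxyLog = @'
2026-04-20T09:00:02Z 10.10.5.23 updates-example.s3.amazonaws.com GET 1204
2026-04-20T09:12:47Z 10.10.5.23 docs.example.org GET 53120
2026-04-20T09:30:05Z 10.10.5.23 updates-example.s3.amazonaws.com GET 1198
2026-04-20T09:41:10Z 10.10.5.23 docs.example.org GET 8801
2026-04-20T10:00:01Z 10.10.5.23 updates-example.s3.amazonaws.com GET 1210
2026-04-20T10:29:58Z 10.10.5.23 updates-example.s3.amazonaws.com GET 1202
2026-04-20T10:44:33Z 10.10.5.23 docs.example.org GET 12044
2026-04-20T11:00:03Z 10.10.5.23 updates-example.s3.amazonaws.com GET 1199
2026-04-20T11:30:00Z 10.10.5.23 updates-example.s3.amazonaws.com GET 1205
2026-04-20T12:00:04Z 10.10.5.23 updates-example.s3.amazonaws.com GET 1201
2026-04-20T12:03:19Z 10.10.5.23 docs.example.org GET 40391
'@

function ConvertFrom-ProxyLine {
    # Parse one whitespace-separated log line into an object; null on short lines.
    param([string]$Line)
    $f = $Line.Trim() -split '\s+'
    if ($f.Count -lt 5) { return $null }
    [pscustomobject]@{
        Time   = [datetime]::Parse($f[0], [cultureinfo]::InvariantCulture, 'AdjustToUniversal')
        Client = $f[1]
        Host   = $f[2]
        Method = $f[3]
        Bytes  = [int]$f[4]
    }
}

function Find-PeriodicBeacons {
    param(
        [string[]]$Lines,
        [int]$MinHits = 5,          # enough samples to judge regularity
        [double]$MaxJitter = 0.05,  # coefficient of variation (stddev / mean) ceiling
        [int]$MinIntervalSec = 60,  # ignore sub-minute bursts (page loads)
        [int]$MaxIntervalSec = 7200 # ignore gaps longer than two hours
    )
    $events = $Lines | ForEach-Object { ConvertFrom-ProxyLine $_ } | Where-Object { $_ }
    foreach ($group in ($events | Group-Object Client, Host)) {
        if ($group.Count -lt $MinHits) { continue }
        $times = $group.Group | Sort-Object Time | ForEach-Object { $_.Time }
        # Gaps between consecutive requests, in seconds.
        $gaps = for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds }
        $mean = ($gaps | Measure-Object -Average).Average
        $variance = ($gaps | ForEach-Object { [math]::Pow($_ - $mean, 2) } | Measure-Object -Sum).Sum / $gaps.Count
        $cv = [math]::Sqrt($variance) / $mean
        if ($mean -ge $MinIntervalSec -and $mean -le $MaxIntervalSec -and $cv -le $MaxJitter) {
            [pscustomobject]@{
                Client          = $group.Group[0].Client
                Host            = $group.Group[0].Host
                Hits            = $group.Count
                MeanIntervalMin = [math]::Round($mean / 60, 1)
                Jitter          = [math]::Round($cv, 3)
            }
        }
    }
}

# On the sample, only the S3 host is reported (7 hits, ~30.0 min, jitter ~0.002);
# docs.example.org has too few, and irregular, requests.
Find-PeriodicBeacons -Lines ($SampleProxyLog -split "`n") | Format-Table -AutoSize
```

Implants commonly add randomised jitter, and legitimate software (update checkers, telemetry agents) also polls on a schedule, so treat a hit as a triage lead to join with endpoint data such as the browser extension inventory rather than as a verdict; the jitter ceiling and interval window are parameters for that reason.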

Post-compromise, UNC6692 conducts internal reconnaissance, extracts LSASS memory via Windows Task Manager, and uses pass-the-hash techniques to compromise domain controllers. Attackers deploy FTK Imager to extract Active Directory databases (NTDS.dit) and registry hives, exfiltrating data via LimeWire.

Targeting & Automation

ReliaQuest data indicates 77% of incidents from March 1 to April 1, 2026, targeted senior-level employees, up from 59% in early 2026. The group automates social engineering, initiating Teams chats 29 seconds apart, mirroring patterns seen in recent voice phishing campaigns. Tactics align with former Black Basta affiliates, leveraging legitimate cloud services (AWS S3, Heroku) to evade detection.

Exploitation of Microsoft Teams Defaults

Microsoft Teams’ default setting allowing external messaging from any domain creates a critical attack surface. While administrators can restrict external access via the Teams admin center or PowerShell, many organizations remain vulnerable due to a lack of policy enforcement.
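One way to audit and then close the default described above, as an added example that is not code from the article, from Mandiant or from Microsoft's documentation: it uses the MicrosoftTeams PowerShell module's tenant federation cmdlets to list the settings that leave the tenant reachable from outside, replace the all-domains default with an explicit allow list, and re-check. It assumes a Teams administrator account, and the partner domain is a placeholder.

```powershell
# Added example (not from the Rankiteo article or the Mandiant report): audit and
# then tighten Microsoft Teams external access with the MicrosoftTeams PowerShell
# module, so that only an explicit list of partner domains can message users.
# Assumes a Teams administrator account; 'partner.example' is a placeholder.

Import-Module MicrosoftTeams
Connect-MicrosoftTeams | Out-Null

function Get-TeamsExternalAccessFindings {
    # Returns one line per setting that leaves tenant users reachable from outside.
    param($Config)   # output of Get-CsTenantFederationConfiguration
    $findings = @()
    if ($Config.AllowTeamsConsumer -or $Config.AllowTeamsConsumerInbound) {
        $findings += 'Unmanaged (personal) Teams accounts can reach tenant users.'
    }
    if ($Config.AllowPublicUsers) {
        $findings += 'Skype consumer users can reach tenant users.'
    }
    if ($Config.AllowFederatedUsers) {
        # AllowedDomains is the all-domains default unless an allow list was set;
        # it is included so the reviewer can confirm an explicit list is in place.
        $findings += "Federation is on; AllowedDomains = $($Config.AllowedDomains)"
    }
    return $findings
}

$before = Get-CsTenantFederationConfiguration
Write-Host 'Findings before change:'
Get-TeamsExternalAccessFindings $before | ForEach-Object { Write-Host "  - $_" }

# Build an explicit allow list: only these domains may chat with tenant users.
$partnerDomains = @('partner.example')   # placeholder: your vetted partner domains
$patterns  = $partnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns

# Apply: federation stays on for the allow-listed domains only; the remaining
# external paths (consumer Teams and Skype accounts) are closed.
Set-CsTenantFederationConfiguration -AllowedDomains $allowList `
    -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false `
    -AllowPublicUsers $false

$after = Get-CsTenantFederationConfiguration
Write-Host 'Findings after change:'
Get-TeamsExternalAccessFindings $after | ForEach-Object { Write-Host "  - $_" }
```

Run the audit function on its own first if a change window is needed, and after the change confirm that the reported AllowedDomains value names your list rather than the all-domains default; an allow list only takes effect while AllowFederatedUsers remains true.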

Broader Implications

The campaign underscores the growing threat to collaboration platforms, with senior employees, who often possess elevated network privileges, bearing the highest risk. UK organizations breached via this vector face 72-hour GDPR notification requirements, while small businesses without dedicated Teams administrators are particularly exposed.

Mandiant has released YARA detection rules for SNOW malware components, and security teams are advised to audit Teams external access policies and implement secondary verification for help desk requests.

Source: https://sqmagazine.co.uk/mandiant-unc6692-microsoft-teams-snow-malware-2/

LimeWire cybersecurity rating report: https://www.rankiteo.com/company/limewire

Amazon Web Services (AWS) cybersecurity rating report: https://www.rankiteo.com/company/amazon-web-services

{
"id": "LIMAMA1777312775",
"linkid": "limewire, amazon-web-services",
"type": "Cyber Attack",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'location': ['UK', 'Global'],
                        'size': ['Small', 'Medium', 'Large'],
                        'type': ['Corporations', 'Small Businesses']}],
 'attack_vector': ['Microsoft Teams (Social Engineering)',
                   'Email Bombing',
                   'Fake Software Installation (AWS S3)'],
 'data_breach': {'data_encryption': 'AES-GCM (for C2 communication)',
                 'data_exfiltration': True,
                 'file_types_exposed': ['NTDS.dit', 'Registry Hives'],
                 'personally_identifiable_information': True,
                 'sensitivity_of_data': 'High (Personally Identifiable '
                                        'Information, Corporate Secrets)',
                 'type_of_data_compromised': ['Credentials',
                                              'Active Directory Data',
                                              'Registry Hives',
                                              'LSASS Memory']},
 'date_detected': '2025-12-01',
 'date_publicly_disclosed': '2026-04-24',
 'description': 'Mandiant and Google Threat Intelligence Group uncovered a '
                'previously unknown threat cluster, UNC6692, which has been '
                'active since late December 2025, impersonating IT help desk '
                'workers via Microsoft Teams to infiltrate corporate networks. '
                'The campaign, dubbed Snow Flurries, leverages social '
                'engineering and custom malware to harvest credentials and '
                'exfiltrate data.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'GDPR violations and data breaches',
            'data_compromised': ['Credentials',
                                 'Active Directory Databases (NTDS.dit)',
                                 'Registry Hives',
                                 'LSASS Memory'],
            'identity_theft_risk': 'High (stolen credentials and PII)',
            'legal_liabilities': ['GDPR violations (72-hour notification '
                                  'requirement)'],
            'operational_impact': 'Internal reconnaissance, lateral movement, '
                                  'and data exfiltration',
            'systems_affected': ['Corporate Networks',
                                 'Domain Controllers',
                                 'User Workstations']},
 'initial_access_broker': {'backdoors_established': ['SNOWBASIN (Persistent '
                                                     'Backdoor)'],
                           'entry_point': ['Microsoft Teams (Social '
                                           'Engineering)',
                                           'Email Bombing'],
                           'high_value_targets': ['Senior-Level Employees (77% '
                                                  'of incidents)']},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'The incident highlights the risks of default Microsoft '
                    'Teams settings allowing external messaging, the targeting '
                    'of senior employees with elevated privileges, and the use '
                    'of legitimate cloud services (AWS S3, Heroku) for '
                    'malicious activities.',
 'motivation': ['Cyber Espionage', 'Data Theft', 'Financial Gain'],
 'post_incident_analysis': {'corrective_actions': ['Restrict Teams external '
                                                   'access',
                                                   'Implement secondary '
                                                   'verification',
                                                   'Deploy YARA rules for SNOW '
                                                   'malware',
                                                   'Monitor for unusual AWS S3 '
                                                   'and WebSocket traffic'],
                            'root_causes': ['Microsoft Teams default external '
                                            'messaging settings',
                                            'Lack of secondary verification '
                                            'for IT help desk requests',
                                            'Use of legitimate cloud services '
                                            '(AWS S3) for malware hosting and '
                                            'C2']},
 'ransomware': {'data_exfiltration': True},
 'recommendations': ['Restrict Microsoft Teams external access via admin '
                     'policies or PowerShell',
                     'Implement secondary verification for IT help desk '
                     'requests',
                     'Deploy YARA rules for SNOW malware detection',
                     'Monitor for unusual AWS S3 traffic and WebSocket '
                     'tunneling',
                     'Conduct regular audits of collaboration platform '
                     'security settings'],
 'references': [{'date_accessed': '2026-04-24',
                 'source': 'Mandiant Report on UNC6692'},
                {'date_accessed': '2026-04-01',
                 'source': 'ReliaQuest Data on Targeting Trends'}],
 'regulatory_compliance': {'regulations_violated': ['GDPR'],
                           'regulatory_notifications': ['72-hour breach '
                                                        'notification '
                                                        'requirement']},
 'response': {'enhanced_monitoring': ['YARA detection rules for SNOW malware'],
              'remediation_measures': ['Audit Microsoft Teams external access '
                                       'policies',
                                       'Implement secondary verification for '
                                       'help desk requests'],
              'third_party_assistance': ['Mandiant',
                                         'Google Threat Intelligence Group']},
 'stakeholder_advisories': 'Security teams advised to audit Teams policies and '
                           'implement secondary verification for help desk '
                           'requests.',
 'threat_actor': 'UNC6692',
 'title': 'New Threat Cluster UNC6692 Exploits Microsoft Teams to Breach '
          'Corporate Networks',
 'type': ['Phishing', 'Malware', 'Credential Theft', 'Data Exfiltration'],
 'vulnerability_exploited': 'Microsoft Teams default external messaging '
                            'settings'}