Microsoft: Hackers Leverage Microsoft Teams to Breach Organizations Posing as IT Helpdesk Staff

UNC6692 Threat Group Exploits Microsoft Teams in Sophisticated Cloud-Based Intrusion Campaign

A newly uncovered threat group, UNC6692, has been executing a multistage intrusion campaign targeting enterprise networks without exploiting a single software vulnerability. Instead, the attackers leverage Microsoft Teams impersonation, custom malware, and cloud infrastructure abuse to gain deep access, as revealed by Google Threat Intelligence Group (GTIG) and Mandiant in an April 22, 2026 disclosure.

Attack Timeline & Tactics

In late December 2025, UNC6692 launched a mass email bombing campaign to overwhelm victims, creating urgency and distraction. Exploiting this chaos, the group sent phishing messages via Microsoft Teams, posing as IT helpdesk staff offering assistance. The attack abused Teams' legitimate external collaboration features and required no technical exploit: the attackers simply persuaded users to click through the security warnings.

Infection Chain: From Teams Chat to Full Compromise

  1. Initial Contact – Victims accepted a Teams chat from an external account, believing it to be IT support.
  2. Phishing Link – The attacker directed victims to a fake "Mailbox Repair and Sync Utility" hosted on an AWS S3 bucket, masquerading as a legitimate tool.
  3. Multi-Phase Exploitation:
    • Environment Gating – A script forced victims onto Microsoft Edge for optimal exploitation.
    • Credential Harvesting – A fake "Health Check" prompted users to re-enter passwords, ensuring accurate capture before exfiltration.
    • Distraction Sequence – A fake progress bar masked real-time data theft.
    • Malware Staging – An AutoHotkey binary and script installed SNOWBELT, a malicious Chromium extension disguised as "MS Heartbeat".

The SNOW Malware Ecosystem

UNC6692’s modular malware suite consists of three components:

  • SNOWBELT (JavaScript extension) – Establishes persistence, intercepts commands, and uses DGA-based S3 URLs for C2.
  • SNOWGLAZE (Python WebSocket tunneler) – Routes traffic via a SOCKS proxy to a Heroku C2 server, blending malicious traffic with legitimate encrypted web traffic.
  • SNOWBASIN (Python HTTP server) – Executes shell commands, captures screenshots, and exfiltrates files.

Persistence was maintained via Windows Startup shortcuts, scheduled tasks, and a headless Edge process loading the extension.

Post-Exploitation & Data Theft

After gaining access, UNC6692:

  • Scanned networks for open ports (135, 445, 3389).
  • Used PsExec to move laterally, dumping LSASS memory via Task Manager to extract password hashes.
  • Employed Pass-the-Hash to authenticate to domain controllers without plaintext passwords.
  • Extracted Active Directory databases (NTDS.dit), SAM, SYSTEM, and SECURITY hives using FTK Imager, exfiltrating them via LimeWire.

Cloud Abuse & Evasion Tactics

A defining feature of this campaign is its "living off the cloud" strategy, using AWS S3, Heroku, and other trusted platforms for:

  • Payload delivery
  • Credential exfiltration
  • Command-and-control (C2) infrastructure

This approach blends malicious traffic with legitimate cloud traffic, evading domain reputation filters and IP-based blocklists.

Indicators of Compromise (IOCs)

  • Phishing URL Pattern: https://service-page-[ID]-outlook.s3.us-west-2.amazonaws[.]com/update.html?email=
  • C2 Server: wss://sad4w7h913-b4a57f9c36eb[.]herokuapp[.]com:443/ws
  • SNOWBELT C2 URL Pattern: https://[a-f0-9]{24}-[0-9]{6,7}-[0-9]{1}.s3.us-east-2.amazonaws[.]com
  • Masquerading Files: RegSrvc.exe (AutoHotKey), Protected.ahk, SysEvents (SNOWBELT extension directory).
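The three URL indicators above can be turned directly into an egress-log check. The script below is an added example written for this write-up, not code from the report or from GTIG/Mandiant. It transcribes the indicators (restoring the defanged "[.]" in the Heroku C2 address before comparison), runs them over a few constructed proxy log lines, and pulls the targeted mailbox out of the lure URL's email= parameter so an analyst can scope who was sent the link. The log line format, the sample lines, and the assumption that the [ID] slot in the lure URL is a run of lowercase letters, digits or hyphens are all constructed here and are not from the page.

```python
"""Match the UNC6692 URL indicators against proxy/egress log lines.

Added example for this write-up; the indicators are transcribed from the IOC
list above, everything else (log format, sample lines, the [ID] assumption)
is constructed here.
"""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlsplit


def refang(indicator: str) -> str:
    """Restore a defanged indicator ("[.]" -> ".") so it can be compared to live log data."""
    return indicator.replace("[.]", ".")


# Lure host: the "[ID]" slot is assumed (not stated in the report) to be a run of
# lowercase letters, digits or hyphens; literal dots are escaped for regex use.
LURE_HOST_RE = re.compile(
    r"^service-page-[a-z0-9-]+-outlook\.s3\.us-west-2\.amazonaws\.com$", re.IGNORECASE)
LURE_PATH = "/update.html"

# SNOWBELT C2 host pattern as published, with the literal dots escaped.
SNOWBELT_HOST_RE = re.compile(
    r"^[a-f0-9]{24}-[0-9]{6,7}-[0-9]\.s3\.us-east-2\.amazonaws\.com$", re.IGNORECASE)

# SNOWGLAZE WebSocket C2, kept defanged in source and refanged at import time.
SNOWGLAZE_C2 = urlsplit(refang("wss://sad4w7h913-b4a57f9c36eb[.]herokuapp[.]com:443/ws"))


@dataclass
class Hit:
    line_no: int
    client: str
    label: str
    url: str
    victim: Optional[str]  # mailbox carried in the lure's email= parameter, if any


def classify(url: str) -> Optional[str]:
    """Return an indicator label for a URL, or None when it matches no indicator."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme in ("ws", "wss") and host == SNOWGLAZE_C2.hostname and parts.path == SNOWGLAZE_C2.path:
        return "snowglaze_c2"
    if parts.scheme == "https" and LURE_HOST_RE.match(host) and parts.path == LURE_PATH:
        return "phishing_lure"
    if parts.scheme == "https" and SNOWBELT_HOST_RE.match(host):
        return "snowbelt_c2"
    return None


def lure_victim(url: str) -> Optional[str]:
    """Extract the targeted mailbox from a lure URL's email= parameter (None if absent or blank)."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("email", [""])[0] or None


def scan_proxy_log(lines: List[str]) -> List[Hit]:
    """Scan whitespace-separated log lines of the constructed form
    '<timestamp> <client-ip> <method> <url> <status>' and return every indicator hit."""
    hits: List[Hit] = []
    for line_no, line in enumerate(lines, start=1):
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or malformed line: skip rather than abort the sweep
        client, url = fields[1], fields[3]
        label = classify(url)
        if label is None:
            continue
        victim = lure_victim(url) if label == "phishing_lure" else None
        hits.append(Hit(line_no, client, label, url, victim))
    return hits


# Constructed sample lines (not real telemetry); one benign S3 request is included
# to show that ordinary us-west-2 bucket traffic does not trigger the lure rule.
SAMPLE_LOG = [
    "2025-12-29T10:14:03Z 10.0.0.12 GET https://service-page-7f3k9q-outlook.s3.us-west-2.amazonaws.com/update.html?email=jdoe%40example.com 200",
    "2025-12-29T10:14:09Z 10.0.0.12 GET https://backup-prod.s3.us-west-2.amazonaws.com/daily.tar.gz 200",
    "2025-12-29T10:21:44Z 10.0.0.12 GET https://0123456789abcdef01234567-4821907-3.s3.us-east-2.amazonaws.com/ 404",
    "2025-12-29T10:22:01Z 10.0.0.12 CONNECT wss://sad4w7h913-b4a57f9c36eb.herokuapp.com:443/ws 101",
]


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG):
        who = f" (lure sent to {hit.victim})" if hit.victim else ""
        print(f"line {hit.line_no}: {hit.client} -> {hit.label}{who}")
```

Matching is done on parsed URL components (scheme, hostname, path) rather than on the raw string, so a port, a trailing path or URL-encoded query values do not cause misses, and the benign bucket in the sample shows the lure rule keys on the full hostname shape rather than on "amazonaws.com" alone.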

The campaign underscores how employee trust in enterprise tools, rather than technical vulnerabilities, can be the weakest link in cybersecurity. Organizations are advised to monitor Teams external access, browser extensions, and cloud egress traffic to detect similar threats.

Source: https://cybersecuritynews.com/microsoft-teams-breach-organizations/

{
  "id": "MIC1777004961",
  "linkid": "microsoft-threat-intelligence",
  "type": "Cyber Attack",
  "date": "4/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{
  "affected_entities": [{"type": "Enterprise"}],
  "attack_vector": "Microsoft Teams phishing, Social Engineering, Cloud Infrastructure Abuse",
  "data_breach": {
    "data_exfiltration": "Yes",
    "file_types_exposed": "NTDS.dit, SAM, SYSTEM, SECURITY hives",
    "personally_identifiable_information": "Yes",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": "Active Directory databases, Password hashes, Personally Identifiable Information (PII)"
  },
  "date_detected": "2025-12",
  "date_publicly_disclosed": "2026-04-22",
  "description": "A newly uncovered threat group, UNC6692, has been executing a multistage intrusion campaign targeting enterprise networks without exploiting a single software vulnerability. Instead, the attackers leverage Microsoft Teams impersonation, custom malware, and cloud infrastructure abuse to gain deep access.",
  "impact": {
    "data_compromised": "Active Directory databases (NTDS.dit), SAM, SYSTEM, SECURITY hives, Password hashes, Personally Identifiable Information (PII)",
    "identity_theft_risk": "High",
    "operational_impact": "Network scanning, Lateral movement, Data exfiltration",
    "systems_affected": "Enterprise networks, Domain controllers, User workstations"
  },
  "initial_access_broker": {
    "backdoors_established": "SNOWBELT malware, AutoHotkey binary",
    "entry_point": "Microsoft Teams phishing",
    "high_value_targets": "Domain controllers, Active Directory databases"
  },
  "lessons_learned": "Employee trust in enterprise tools can be the weakest link in cybersecurity. Organizations should monitor Teams external access, browser extensions, and cloud egress traffic.",
  "post_incident_analysis": {
    "corrective_actions": "Enhance monitoring of Teams external access, browser extensions, and cloud egress traffic; implement stricter controls on external collaboration features in Teams.",
    "root_causes": "Social engineering via Microsoft Teams, abuse of legitimate cloud services (AWS S3, Heroku), lack of monitoring for external Teams access and browser extensions"
  },
  "recommendations": "Monitor Teams external access, browser extensions, and cloud egress traffic to detect similar threats.",
  "references": [{"date_accessed": "2026-04-22", "source": "Google Threat Intelligence Group (GTIG) and Mandiant"}],
  "response": {
    "enhanced_monitoring": "Monitor Teams external access, browser extensions, and cloud egress traffic",
    "third_party_assistance": "Google Threat Intelligence Group (GTIG), Mandiant"
  },
  "threat_actor": "UNC6692",
  "title": "UNC6692 Threat Group Exploits Microsoft Teams in Sophisticated Cloud-Based Intrusion Campaign",
  "type": "Phishing, Malware, Credential Theft, Lateral Movement, Data Exfiltration"
}