UNC6692 Threat Group Exploits Microsoft Teams in Sophisticated Social Engineering Attack
A newly identified cyber threat group, UNC6692, is targeting enterprises through a multi-stage attack combining social engineering and custom malware, leveraging Microsoft Teams and cloud services to evade detection.
The attack begins with an email bombing campaign that floods victims with spam to create confusion. While targets are distracted, attackers impersonate IT helpdesk staff via Microsoft Teams, using external accounts to offer a fake "local patch" as the solution. Victims are directed to a spoofed "Mailbox Repair Utility" page and prompted to enter their credentials; the page intentionally rejects the first attempt to ensure the password is captured before it is exfiltrated to an attacker-controlled AWS server.
Once credentials are stolen, the attack deploys a modular malware toolkit dubbed the SNOW ecosystem, including:
- SNOWBELT: A malicious Chromium extension for persistent access.
- SNOWGLAZE: A Python-based tunneling tool for encrypted communication.
- SNOWBASIN: A remote access tool enabling command execution, screenshots, and data theft.
After gaining a foothold, UNC6692 moves laterally across the network using Python scripts to scan systems, targeting backup servers and dumping LSASS memory to extract password hashes. These hashes are cracked offline and used in Pass-the-Hash attacks to compromise domain controllers. Attackers then exfiltrate the Active Directory database using legitimate forensic tools like FTK Imager, delivered via Microsoft Edge, and transfer data via platforms such as LimeWire.
The campaign exemplifies "living off the cloud" tactics, abusing trusted services like Microsoft Teams and AWS to bypass traditional security measures. Indicators of compromise (IoCs) include:
- Phishing/payload delivery: service-page-25144-30466-outlook.s3.us-west-2.amazonaws[.]com
- SNOWBELT C2: cloudfront-021.s3.us-west-2.amazonaws[.]com
- SNOWGLAZE WebSocket: wss://sad4w7h913-b4a57f9c36eb.herokuapp[.]com/ws
- Data exfiltration: service-page-11369-28315-outlook.s3.us-west-2.amazonaws[.]com
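As an added example (not from the report or its source), the Python below refangs the four indicators listed above and matches them against constructed proxy log lines; the lookalike-bucket regex is an assumption that generalises the two bucket-naming patterns in the list and is meant to flag hosts for review, not to block them.

```python
import re
from urllib.parse import urlsplit

# Indicators exactly as published (defanged) in the report above.
DEFANGED_IOCS = {
    "service-page-25144-30466-outlook.s3.us-west-2.amazonaws[.]com": "phishing/payload delivery",
    "cloudfront-021.s3.us-west-2.amazonaws[.]com": "SNOWBELT C2",
    "wss://sad4w7h913-b4a57f9c36eb.herokuapp[.]com/ws": "SNOWGLAZE WebSocket",
    "service-page-11369-28315-outlook.s3.us-west-2.amazonaws[.]com": "data exfiltration",
}

# Assumed naming heuristic generalising the bucket names above; flags for review only.
LOOKALIKE_BUCKET = re.compile(
    r"^(service-page-\d+-\d+-outlook|cloudfront-\d+)\.s3\.[a-z0-9-]+\.amazonaws\.com$"
)

def host_of(value):
    """Reduce a URL, host:port or defanged indicator to a bare lowercase hostname."""
    value = value.strip().replace("[.]", ".")
    if "://" not in value:
        value = "//" + value  # lets urlsplit parse plain host and host:port forms
    return (urlsplit(value).hostname or "").lower()

IOC_HOSTS = {host_of(k): v for k, v in DEFANGED_IOCS.items()}

def classify(log_line):
    """Return (host, verdict) for one 'timestamp src method url' proxy line, else None."""
    fields = log_line.split()
    if len(fields) < 4:
        return None
    host = host_of(fields[3])
    if host in IOC_HOSTS:
        return host, "ioc: " + IOC_HOSTS[host]
    if LOOKALIKE_BUCKET.match(host):
        return host, "lookalike bucket name (review)"
    return None

def scan(lines):
    """Run classify over many log lines and keep only the hits."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample proxy log lines (not from the report).
SAMPLE_LOG = [
    "2026-04-02T09:12:01Z 10.20.4.15 GET https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/repair",
    "2026-04-02T09:13:44Z 10.20.4.15 CONNECT sad4w7h913-b4a57f9c36eb.herokuapp.com:443",
    "2026-04-02T09:14:10Z 10.20.4.15 GET https://cloudfront-077.s3.eu-west-1.amazonaws.com/x",
    "2026-04-02T09:15:02Z 10.20.4.15 GET https://login.microsoftonline.com/common/oauth2",
]
```

Calling scan(SAMPLE_LOG) returns two exact IoC hits and one lookalike-bucket hit; the Microsoft login line produces nothing.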
The attack underscores the risks of external Teams communications and the need for enhanced monitoring of browser-based activity and cloud service abuse.
Source: https://cyberpress.org/hackers-exploit-microsoft-microsoft-teams/
Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-security
{
  "id": "mic1777019139",
  "linkid": "microsoft-security",
  "type": "Cyber Attack",
  "date": "4/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [{"type": "Enterprise"}],
  "attack_vector": [
    "Email Bombing",
    "Microsoft Teams Impersonation",
    "Phishing (Spoofed Web Page)",
    "Malicious Chromium Extension",
    "Python-based Tunneling Tool"
  ],
  "data_breach": {
    "data_encryption": "No (data exfiltrated in plaintext or hashed form)",
    "data_exfiltration": "Yes",
    "personally_identifiable_information": "Likely (credentials, AD data)",
    "sensitivity_of_data": "High",
    "type_of_data_compromised": ["Credentials", "Password Hashes", "Active Directory Database", "System Data"]
  },
  "description": "A newly identified cyber threat group, UNC6692, is targeting enterprises through a multi-stage attack combining social engineering and custom malware, leveraging Microsoft Teams and cloud services to evade detection. The attack begins with an email bombing campaign, flooding victims with spam to create confusion. Attackers impersonate IT helpdesk staff via Microsoft Teams, using external accounts to offer a fake 'local patch' as a solution. Victims are directed to a spoofed 'Mailbox Repair Utility' page to enter credentials, which are exfiltrated to an attacker-controlled AWS server. The attack deploys a modular malware toolkit (SNOW ecosystem) for persistent access, lateral movement, and data exfiltration, abusing trusted services like Microsoft Teams and AWS.",
  "impact": {
    "data_compromised": "Credentials, Active Directory Database, Password Hashes, Screenshots, System Data",
    "identity_theft_risk": "High",
    "operational_impact": "Lateral Movement, Unauthorized Access, Data Exfiltration",
    "systems_affected": ["Microsoft Teams", "Domain Controllers", "Backup Servers", "User Workstations"]
  },
  "initial_access_broker": {
    "backdoors_established": "SNOWBELT (Malicious Chromium Extension), SNOWGLAZE (Tunneling Tool)",
    "entry_point": "Microsoft Teams Impersonation, Phishing",
    "high_value_targets": ["Domain Controllers", "Backup Servers"]
  },
  "lessons_learned": "The attack underscores the risks of external Teams communications and the need for enhanced monitoring of browser-based activity and cloud service abuse.",
  "post_incident_analysis": {
    "corrective_actions": [
      "Implement MFA for all critical systems",
      "Enhance monitoring of cloud service usage",
      "Restrict installation of unauthorized browser extensions",
      "Segment networks to limit lateral movement",
      "Conduct regular security awareness training"
    ],
    "root_causes": [
      "Lack of monitoring for external Teams communications",
      "Insufficient controls on browser extensions",
      "Abuse of trusted cloud services (AWS, Heroku)",
      "Weak lateral movement restrictions"
    ]
  },
  "recommendations": [
    "Enhance monitoring of Microsoft Teams external communications",
    "Implement stricter controls on browser extensions",
    "Monitor cloud service abuse (e.g., AWS, Heroku)",
    "Restrict lateral movement by segmenting networks",
    "Enforce multi-factor authentication (MFA) for critical systems",
    "Educate employees on social engineering tactics"
  ],
  "references": [{"source": "Cybersecurity Report"}],
  "threat_actor": "UNC6692",
  "title": "UNC6692 Threat Group Exploits Microsoft Teams in Sophisticated Social Engineering Attack",
  "type": "Social Engineering, Malware, Credential Theft, Lateral Movement, Data Exfiltration"
}