Salesforce: Hackers Pose as Microsoft Support to Breach Corporate Defenses

Hackers Impersonate Microsoft Teams Help Desk in Sophisticated Malware Campaign

A new cyberattack campaign, attributed to the threat group UNC6692, is leveraging social engineering and malicious tools to breach corporate systems by impersonating Microsoft Teams help desk workers. The findings, reported by Mandiant (a Google-owned cybersecurity firm) on April 27, highlight an evolving tactic that exploits trust in enterprise software.

The attack begins with email flooding to overwhelm a target’s inbox, followed by a Microsoft Teams message from an external account posing as IT support. The attacker convinces the victim to install a fake "patch" that instead deploys SnowBelt, a malicious browser extension. This extension grants attackers persistent access to corporate accounts, allowing them to move within systems without repeated authentication.

UNC6692’s methods reflect a broader shift in cybercrime, where attackers increasingly exploit software-as-a-service (SaaS) vulnerabilities rather than relying on traditional network breaches. Recent high-profile incidents, including breaches at Mercor (an AI data vendor for OpenAI, Anthropic, and Meta) and a Salesforce-centered extortion wave, underscore this trend. These attacks signal a fundamental change in digital risk, where the SaaS layer has become the primary target for cybercriminals.

Source: https://www.pymnts.com/news/security-and-risk/2026/hackers-pose-as-microsoft-support-to-breach-corporate-defenses/

Salesforce TPRM report: https://www.rankiteo.com/company/salesforce

"id": "sal1777395283",
"linkid": "salesforce",
"type": "Cyber Attack",
"date": "4/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'OpenAI, Anthropic, Meta',
                        'industry': 'Technology/AI',
                        'name': 'Mercor',
                        'type': 'AI data vendor'}],
 'attack_vector': 'Microsoft Teams impersonation, Email flooding, Malicious '
                  'browser extension (SnowBelt)',
 'date_publicly_disclosed': '2024-04-27',
 'description': 'A new cyberattack campaign, attributed to the threat group '
                'UNC6692, is leveraging social engineering and malicious tools '
                'to breach corporate systems by impersonating Microsoft Teams '
                'help desk workers. The attack begins with email flooding to '
                'overwhelm a target’s inbox, followed by a Microsoft Teams '
                'message from an external account posing as IT support. The '
                "attacker convinces the victim to install a fake 'patch' that "
                'deploys SnowBelt, a malicious browser extension, granting '
                'persistent access to corporate accounts.',
 'impact': {'operational_impact': 'Persistent unauthorized access to corporate '
                                  'systems',
            'systems_affected': 'Corporate accounts, SaaS platforms'},
 'initial_access_broker': {'backdoors_established': 'Malicious browser '
                                                    'extension (SnowBelt)',
                           'entry_point': 'Microsoft Teams impersonation, '
                                          'Email flooding'},
 'lessons_learned': 'Attackers are increasingly exploiting SaaS '
                    'vulnerabilities and trust in enterprise software for '
                    'initial access and persistence.',
 'post_incident_analysis': {'root_causes': 'Exploitation of trust in '
                                           'enterprise software, SaaS '
                                           'vulnerabilities'},
 'references': [{'source': 'Mandiant (Google-owned cybersecurity firm)'}],
 'threat_actor': 'UNC6692',
 'title': 'Hackers Impersonate Microsoft Teams Help Desk in Sophisticated '
          'Malware Campaign',
 'type': 'Phishing/Social Engineering, Malware Deployment',
 'vulnerability_exploited': 'Trust in enterprise software (Microsoft Teams), '
                            'SaaS vulnerabilities'}