A newly identified threat group, UNC6692, has been caught running a sophisticated multistage intrusion campaign that uses Microsoft Teams impersonation, a custom modular malware suite, and cloud infrastructure abuse to deeply penetrate enterprise networks, all without exploiting a single software vulnerability.
Google Threat Intelligence Group (GTIG) and Mandiant researchers disclosed the campaign on April 22, 2026, revealing how UNC6692 systematically manipulates employee trust in everyday enterprise tools to gain full domain-level access.
In late December 2025, UNC6692 launched a mass email bombing campaign against its targets, deliberately flooding inboxes to create a sense of urgency and confusion.
With victims overwhelmed and distracted, the threat actor delivered the critical blow by sending a phishing message directly over Microsoft Teams, with the attacker posing as an IT helpdesk employee offering assistance with the email volume.
This technique is not a zero-day exploit or a software flaw. As Microsoft noted in its own April 2026 advisory, the campaign abuses legitimate external collaboration features in Teams, with attackers convincing users to override multiple, clearly presented security warnings.

Victims accepted the Teams chat invitation from an account outside their organization, a seemingly minor action with catastrophic consequences.
Infection Chain: From Teams Chat to Full Compromise
Once in contact, the attacker directed the victim to click a link to install a “local patch” that purportedly prevents email spamming. The link led to a convincing phishing landing page masquerading as a “Mailbox Repair and Sync Utility v2.1.5”, hosted on an attacker-controlled AWS S3 bucket, Google said.
The page enforced a multi-phase attack pipeline:
- Phase 1 – Environment Gating: A gatekeeper script checked the URL for a mandatory ?email= parameter and forced victims onto Microsoft Edge via the microsoft-edge: URI scheme, ensuring the later stages would be most effective.
- Phase 2 – Credential Harvesting: A fake “Health Check” triggered an authentication prompt that rejected the first two password attempts by design — a psychological “double-entry” trick to ensure typo-free credential capture before exfiltrating them to an S3 bucket.
- Phase 3 – Distraction Sequence: A fake progress bar displayed messages like “Parsing configuration data” and “Checking mailbox integrity” to mask real-time data exfiltration in the background.
- Phase 4 – Malware Staging: While the progress bar ran, an AutoHotkey binary and script were downloaded from AWS S3 and automatically executed upon landing in the same directory — installing SNOWBELT, a malicious Chromium browser extension masquerading as “MS Heartbeat” or “System Heartbeat”.
The SNOW Malware Ecosystem
UNC6692’s toolset, dubbed the SNOW ecosystem, is a coordinated three-component modular framework:
| Component | Type | Role |
|---|---|---|
| SNOWBELT | JavaScript browser extension | Initial foothold; intercepts and relays C2 commands; uses DGA-based S3 URLs for C2 |
| SNOWGLAZE | Python-based WebSocket tunneler | Routes TCP traffic through the victim via a SOCKS proxy to a Heroku C2 server |
| SNOWBASIN | Python local HTTP server (port 8000) | Executes shell commands, captures screenshots, exfiltrates files |
SNOWBELT maintained persistence through a Windows Startup folder shortcut, two scheduled tasks, and a headless Microsoft Edge process silently loading the extension.
SNOWGLAZE masked malicious traffic by wrapping data in Base64-encoded JSON objects over WebSockets, making it appear as standard encrypted web traffic.
After establishing initial access, UNC6692 executed a Python script via SNOWBASIN to scan the local network for open ports 135, 445, and 3389. Using PsExec sessions routed through the SNOWGLAZE tunnel, the attackers enumerated local administrator accounts and initiated an RDP session to a backup server.

On the backup server, the threat actor used Windows Task Manager to dump the LSASS process memory, capturing password hashes, and exfiltrated the dump via LimeWire.
With hashes in hand and safely off the network, the attacker performed offline credential extraction, then used Pass-the-Hash to authenticate directly to domain controllers without ever needing plaintext passwords.
On the domain controller, the attacker downloaded FTK Imager, mounted the local drive, and extracted the Active Directory database (NTDS.dit), SAM, SYSTEM, and SECURITY registry hives, the crown jewels of any Windows enterprise environment.
These were also exfiltrated via LimeWire. EDR telemetry captured the attacker taking targeted screenshots of active FTK Imager and Edge windows, confirming mission completion.
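The following is an added example written for this article, not code from Google, Mandiant or the SNOW toolset: a small hunt over endpoint telemetry for three behaviours described above, the headless Edge process loading a sideloaded extension, a renamed AutoHotkey binary (the report names RegSrvc.exe and Protected.ahk), and a Task Manager LSASS dump. The event shape loosely follows Sysmon-style fields (image, command line, OriginalFileName, file target); the field names, host names, paths and all sample events are assumptions constructed for illustration.

```python
from dataclasses import dataclass


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


# Constructed sample telemetry (assumed field names; not data from any real victim).
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-042",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"msedge.exe" --headless --load-extension="C:\Users\alice\AppData\Roaming\SysEvents"',
     "original_file_name": "msedge.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process", "host": "WS-042",
     "image": r"C:\Users\alice\Downloads\RegSrvc.exe",
     "cmdline": r'"RegSrvc.exe" Protected.ahk',
     "original_file_name": "AutoHotkey.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process", "host": "WS-042",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"msedge.exe" --profile-directory=Default',
     "original_file_name": "msedge.exe", "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "file", "host": "BACKUP-01",
     "image": r"C:\Windows\System32\Taskmgr.exe",
     "target": r"C:\Users\admin\AppData\Local\Temp\lsass.DMP"},
    {"type": "file", "host": "WS-042",
     "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
]


def rule_headless_edge_extension(ev):
    """Edge started headless while sideloading an unpacked extension directory."""
    if ev["type"] != "process" or not ev["image"].lower().endswith("msedge.exe"):
        return None
    cmdline = ev["cmdline"].lower()
    if "--headless" in cmdline and "--load-extension" in cmdline:
        return Finding("headless_edge_sideloaded_extension", ev["host"], ev["cmdline"])
    return None


def rule_renamed_autohotkey(ev):
    """The PE's OriginalFileName survives renaming the binary on disk."""
    if ev["type"] != "process":
        return None
    image_name = ev["image"].rsplit("\\", 1)[-1].lower()
    original = ev.get("original_file_name", "").lower()
    if original.startswith("autohotkey") and not image_name.startswith("autohotkey"):
        return Finding("renamed_autohotkey_binary", ev["host"],
                       f"{image_name} (OriginalFileName={ev['original_file_name']})")
    return None


def rule_lsass_dump_file(ev):
    """A file named lsass.DMP being written, whatever process wrote it."""
    if ev["type"] != "file":
        return None
    target_name = ev["target"].rsplit("\\", 1)[-1].lower()
    if target_name == "lsass.dmp":
        return Finding("lsass_memory_dump_written", ev["host"], f"{ev['image']} -> {ev['target']}")
    return None


RULES = [rule_headless_edge_extension, rule_renamed_autohotkey, rule_lsass_dump_file]


def hunt(events):
    """Run every rule over every event and collect the findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            finding = rule(ev)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

Running it flags the headless Edge launch and the renamed AutoHotkey binary on the workstation and the LSASS dump on the backup server, while the ordinary Edge launch and file write pass. The renamed-binary rule is the one that matters most here: matching on the file name on disk would miss RegSrvc.exe, so the check keys on the metadata the attacker did not change.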
A defining characteristic of the UNC6692 campaign is its systematic abuse of legitimate cloud services for every stage of the attack: payload delivery, credential exfiltration, C2 infrastructure, and data staging all relied on trusted platforms like AWS S3 and Heroku.
This “living off the cloud” strategy allows malicious traffic to blend into high volumes of encrypted, reputably sourced web traffic, rendering domain reputation filters and IP-based blocklists largely ineffective.
Defenders must expand visibility beyond traditional process monitoring to include browser extension activity, unauthorized cloud egress traffic, and headless browser processes.
Critically, organizations should restrict or closely monitor Microsoft Teams external access settings to prevent unknown tenants from initiating chat sessions with employees.
As UNC6692 demonstrates, the weakest link in enterprise security is not always a misconfigured server; it is an employee who trusts a Teams message from someone claiming to be IT.
Indicators of Compromise (IOCs)
- Phishing URL Pattern: https://service-page-[ID]-outlook.s3.us-west-2.amazonaws.com/update.html?email=
- C2 Server: wss://sad4w7h913-b4a57f9c36eb[.]herokuapp[.]com:443/ws
- SNOWBELT C2 URL Pattern: https://[a-f0-9]{24}-[0-9]{6,7}-[0-9]{1}.s3.us-east-2.amazonaws[.]com
- SNOWBELT VAPID Key: BJkWCT45mL0uvV3AssRaq9Gn7iE2N7Lx38ZmWDFCjwhz0zv0QSVhKuZBLTTgAijB12cgzMzqyiJZr5tokRzSJu0
- Masquerading Files: RegSrvc.exe (AutoHotKey binary), Protected.ahk, SysEvents (SNOWBELT extension directory).
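As an added example for this article (not a tool from Google or Mandiant), the script below turns the three URL indicators above into regular expressions, refangs the [.] notation, and runs them over proxy log lines. Only the patterns come from the IoC list; the log format (timestamp, source IP, user, method, URL, status), the user and host names, and every sample line are constructed assumptions. The [ID] placeholder in the phishing pattern is treated as an alphanumeric token, which is an assumption the report does not spell out.

```python
import re


def refang(indicator: str) -> str:
    """Turn a defanged indicator (host[.]tld) back into a literal host string."""
    return indicator.replace("[.]", ".")


# Indicators from the published list. [ID] is assumed to be an alphanumeric
# token; the SNOWBELT pattern is already a character-class expression.
INDICATORS = {
    "phishing_landing_page": re.compile(
        r"https://service-page-[A-Za-z0-9-]+-outlook\.s3\.us-west-2\.amazonaws\.com/update\.html\?email="),
    "heroku_c2_host": re.compile(
        re.escape(refang("sad4w7h913-b4a57f9c36eb[.]herokuapp[.]com"))),
    "snowbelt_s3_c2": re.compile(
        r"https://[a-f0-9]{24}-[0-9]{6,7}-[0-9]\.s3\.us-east-2\.amazonaws\.com"),
}

# Constructed proxy log lines (assumed format): timestamp src_ip user method url status
SAMPLE_PROXY_LOG = [
    "2026-01-08T10:12:03Z 10.1.2.34 alice GET https://service-page-7f3a1c-outlook.s3.us-west-2.amazonaws.com/update.html?email=alice%40example.com 200",
    "2026-01-08T10:12:05Z 10.1.2.34 alice GET https://www.office.com/ 200",
    "2026-01-08T10:15:41Z 10.1.2.34 alice CONNECT sad4w7h913-b4a57f9c36eb.herokuapp.com:443 200",
    "2026-01-08T10:16:02Z 10.1.2.34 alice GET https://0123456789abcdef01234567-1234567-3.s3.us-east-2.amazonaws.com/ 404",
    "2026-01-08T10:16:10Z 10.1.2.34 alice GET https://example-bucket.s3.us-east-2.amazonaws.com/report.pdf 200",
]


def scan_proxy_log(lines):
    """Return (indicator_name, user, url) for every line whose URL matches an indicator."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 6:
            continue  # malformed line under the assumed format; skip rather than guess
        user, url = parts[2], parts[4]
        for name, pattern in INDICATORS.items():
            if pattern.search(url):
                hits.append((name, user, url))
    return hits


if __name__ == "__main__":
    for name, user, url in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{name}\t{user}\t{url}")
```

The two legitimate lines, an office.com request and an unrelated S3 bucket in the same region, do not match, which is the point of keeping the bucket-name structure in the pattern rather than alerting on every amazonaws.com request: the report's observation is that the traffic hides among ordinary cloud egress, so the indicator has to be the naming scheme, not the provider.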