UNC6692 Exploits Microsoft Teams for Malware Deployment

A new threat actor, dubbed UNC6692, is employing sophisticated social engineering tactics through Microsoft Teams, impersonating IT support to trick users into installing custom malware. This campaign highlights the persistent evolution of attack vectors targeting corporate networks.
Published: 2026-04-23 | Author: Patrick Mattos
Security researchers have identified a novel threat activity cluster, UNC6692, which is actively compromising organizations by leveraging Microsoft Teams for initial access. The group's modus operandi involves impersonating IT helpdesk personnel, a tactic designed to exploit user trust and urgency. This sophisticated social engineering campaign aims to deploy a custom malware suite, impacting businesses by enabling further malicious activities like data theft and network intrusion.
The initial phase of the attack often begins with a large-scale email campaign designed to overwhelm recipients, creating a manufactured sense of urgency. Following this, UNC6692 operatives engage targets via Microsoft Teams, posing as IT support offering to resolve the email flooding issue. This dual-pronged approach, combining email bombardment with direct communication, has proven effective in luring victims into a false sense of security. The observed tradecraft suggests a focus on senior-level employees, indicating a strategic targeting of individuals with privileged access.
Technical Context
UNC6692's attack chain, as detailed by Mandiant, diverges from typical remote access tool exploitation. Instead, victims are directed via Teams chat to click a phishing link, ostensibly to install a "Mailbox Repair and Sync Utility v2.1.5" patch. This link leads to the download of an AutoHotkey script from a compromised AWS S3 bucket.
The AutoHotkey script acts as a gatekeeper, designed to evade security solutions and confirm the target is using Microsoft Edge. If the browser is not Edge, a persistent overlay is displayed. Upon successful validation, the script initiates reconnaissance and deploys SNOWBELT, a malicious Chromium-based browser extension, using the --load-extension command-line switch in Edge's headless mode.
The SNOW malware ecosystem is modular. SNOWBELT, a JavaScript backdoor, communicates with SNOWBASIN for command execution. SNOWGLAZE, a Python tunneler, establishes a secure WebSocket tunnel to the attacker's command-and-control (C2) infrastructure. SNOWBASIN functions as a persistent backdoor, enabling remote command execution via cmd.exe or powershell.exe, file transfers, screenshotting, and self-termination, often running as a local HTTP server. The phishing page also hosts a "Health Check" button that harvests mailbox credentials under the guise of authentication.
Impact and Risk
The primary impact of UNC6692's activities is the compromise of corporate networks, leading to potential data exfiltration, lateral movement, and the deployment of further malicious payloads such as ransomware. The targeting of senior-level employees increases the risk of significant data breaches and business disruption. The use of a custom malware suite suggests a determined and potentially well-resourced adversary. The observed tactic of impersonating IT helpdesk is a common but highly effective social engineering technique that can bypass technical security controls by exploiting human trust.
Defensive Takeaways
Organizations should reinforce security awareness training, particularly concerning unsolicited IT support requests and suspicious links received via internal communication platforms like Microsoft Teams. Implementing robust endpoint detection and response (EDR) solutions capable of identifying script execution and unusual browser extension activity is crucial. Network segmentation and strict egress filtering can help limit the impact of any successful initial compromise. Regularly reviewing and auditing user permissions, especially for senior-level employees, can also mitigate risks associated with credential harvesting. Blocking outbound network connections from Microsoft HTML Application Host (MSHTA.exe) can be a proactive measure against script execution.
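As an added illustration of the "script execution and unusual browser extension activity" signal above, the following Python is not from the article or from Mandiant; it runs simple detection rules over constructed, Sysmon-style process-creation records (parent image, image, command line) and flags Edge launched with --load-extension, Edge in headless mode, and Edge spawned by an AutoHotkey interpreter. All paths, user names and rule names are illustrative assumptions, not indicators from the report.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (Sysmon Event ID 1 style). Every path,
# user name and value here is an illustrative placeholder, not an indicator from the report.
SAMPLE_EVENTS = [
    {"id": 1, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default'},
    {"id": 2, "parent": r"C:\Users\alice\AppData\Local\Temp\AutoHotkey64.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"msedge.exe" --headless=new --load-extension="C:\Users\alice\AppData\Local\Temp\ext" about:blank'},
    {"id": 3, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"msedge.exe" --load-extension=C:\dev\my-extension'},
]

# Common AutoHotkey interpreter binary names (assumed list; extend for your estate).
AHK_NAMES = {"autohotkey.exe", "autohotkey64.exe", "autohotkeyu64.exe", "autohotkeyu32.exe"}
LOAD_EXT = re.compile(r"--load-extension(?:=|\s)", re.IGNORECASE)
HEADLESS = re.compile(r"--headless\b", re.IGNORECASE)

def basename(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def evaluate(event: dict) -> tuple[str, list[str]]:
    """Return (severity, matched_rules) for one process-creation event."""
    rules = []
    if basename(event["image"]) == "msedge.exe":
        if LOAD_EXT.search(event["cmdline"]):
            rules.append("edge_load_extension")
        if HEADLESS.search(event["cmdline"]):
            rules.append("edge_headless")
        if basename(event["parent"]) in AHK_NAMES:
            rules.append("edge_spawned_by_autohotkey")
    if not rules:
        return "none", rules
    # Side-loading an unpacked extension into a headless Edge, or Edge started by an
    # AutoHotkey interpreter, matches the chain described above; a developer loading an
    # unpacked extension interactively is a lower-confidence match worth triage, not alert.
    high = ("edge_load_extension" in rules and "edge_headless" in rules) \
        or "edge_spawned_by_autohotkey" in rules
    return ("high" if high else "medium"), rules

def scan(events: list[dict]) -> dict[int, tuple[str, list[str]]]:
    """Map event id -> (severity, rules) for every event that matched at least one rule."""
    findings = {}
    for ev in events:
        sev, rules = evaluate(ev)
        if rules:
            findings[ev["id"]] = (sev, rules)
    return findings

if __name__ == "__main__":
    for eid, (sev, rules) in scan(SAMPLE_EVENTS).items():
        print(f"event {eid}: {sev} {rules}")
```

The same rules translate directly into an EDR or SIEM query on process-creation telemetry; the parent-process rule is the one least likely to fire on legitimate extension development.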
