Cybercriminals Exploit Microsoft Teams by Impersonating IT Support to Infiltrate Organizations
A newly identified threat group, UNC6692, has orchestrated a sophisticated, multi-stage intrusion campaign that leverages Microsoft Teams impersonation, a custom modular malware suite, and cloud infrastructure abuse to deeply penetrate enterprise networks—all without exploiting a single software vulnerability.
In late December 2025, UNC6692 initiated a mass email bombing campaign against targeted organizations, deliberately flooding inboxes to create a sense of urgency and confusion. Amidst this chaos, the attackers sent phishing messages directly through Microsoft Teams, posing as IT helpdesk employees offering assistance with the email deluge. This tactic exploits the trust employees place in internal communication tools, making it particularly insidious.
Once contact was established, the attackers directed victims to click a link to install a local patch purportedly designed to prevent further email spamming. This link led to a convincing phishing landing page masquerading as a "Mailbox Repair and Sync Utility v2.1.5", hosted on an attacker-controlled AWS S3 bucket. The attack unfolded in several phases:
1. Environment Gating: A gatekeeper script checked the URL for a mandatory `?email=` parameter and forced victims onto Microsoft Edge via the `microsoft-edge:` URI scheme, so that the remaining stages ran in the browser the chain was built for.
2. Credential Harvesting: A fake Health Check triggered an authentication prompt that rejected the first two password attempts by design—a psychological double-entry trick to ensure typo-free credential capture before exfiltrating them to an S3 bucket.
3. Distraction Sequence: A fake progress bar displayed messages like "Parsing configuration data" and "Checking mailbox integrity" to mask real-time data exfiltration in the background.
4. Malware Staging: While the progress bar ran, an AutoHotkey binary and script were downloaded from AWS S3 and automatically executed upon landing in the same directory—installing SNOWBELT, a malicious Chromium browser extension masquerading as "MS Heartbeat" or "System Heartbeat".
UNC6692’s toolset, dubbed the SNOW ecosystem, comprises three coordinated components:
– SNOWBELT: A JavaScript browser extension that serves as the initial foothold, intercepting and relaying command-and-control (C2) commands using domain generation algorithm (DGA)-based S3 URLs.
– SNOWGLAZE: A Python-based WebSocket tunneler that routes TCP traffic through the victim’s machine via a SOCKS proxy to a Heroku C2 server, effectively masking malicious traffic.
– SNOWBASIN: A Python local HTTP server (operating on port 8000) that executes shell commands, captures screenshots, and exfiltrates files.
SNOWBELT maintains persistence through a Windows Startup folder shortcut, two scheduled tasks, and a headless Microsoft Edge process silently loading the extension. SNOWGLAZE disguises malicious traffic by wrapping data in Base64-encoded JSON objects over WebSockets, making it appear as standard encrypted web traffic.
After establishing initial access, UNC6692 executed a Python script via SNOWBASIN to scan the local network for open ports 135, 445, and 3389. Using PsExec sessions routed through the SNOWGLAZE tunnel, the attackers enumerated Active Directory, dumped credentials, and moved laterally across the network.
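Two of the behaviours described above, the headless Edge process side-loading the extension and the post-compromise probing of ports 135, 445 and 3389, are straightforward to hunt for in process-creation and flow telemetry. The following detection helpers are an added example, not code from the report or from UNC6692's tooling; the log records are constructed, the field names are hypothetical, and the Chromium switches `--headless` and `--load-extension` are assumed to be what a headless, extension-loading Edge launch looks like on the command line.

```python
"""Detection helpers (added example). Sample events are constructed and the
record field names are hypothetical approximations of an EDR process feed
and a network flow log."""
import re
from collections import defaultdict

# Chromium/Edge switches that together describe a browser running without a
# window while side-loading an unpacked extension (the SNOWBELT persistence pattern).
HEADLESS_RE = re.compile(r"--headless(?:=\w+)?\b", re.I)
LOAD_EXT_RE = re.compile(r"--load-extension=", re.I)
SCAN_PORTS = {135, 445, 3389}  # ports probed by the post-compromise scanner

PROCESS_EVENTS = [  # constructed samples
    {"host": "WS01",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'"msedge.exe" --headless=new --load-extension="C:\Users\u\AppData\Roaming\hb"'},
    {"host": "WS01",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": '"msedge.exe" https://intranet.example.local/'},
]

def headless_sideload(event: dict) -> bool:
    """True when msedge.exe starts headless and is told to load an unpacked extension."""
    if not event["image"].lower().endswith("msedge.exe"):
        return False
    cmd = event["cmdline"]
    return bool(HEADLESS_RE.search(cmd) and LOAD_EXT_RE.search(cmd))

FLOWS = [  # constructed: (src, dst, dport); 10.0.0.5 sweeps 15 hosts on all three ports
    ("10.0.0.5", f"10.0.0.{i}", p) for i in range(10, 25) for p in (135, 445, 3389)
] + [("10.0.0.7", "10.0.0.20", 443), ("10.0.0.7", "10.0.0.21", 445)]

def scan_sources(flows, min_targets: int = 10) -> dict:
    """Map src -> number of distinct hosts it touched on SCAN_PORTS, keeping only
    sources that reached at least min_targets hosts (a sweep, not ordinary SMB/RDP use)."""
    targets = defaultdict(set)
    for src, dst, dport in flows:
        if dport in SCAN_PORTS:
            targets[src].add(dst)
    return {src: len(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}

if __name__ == "__main__":
    print([e["host"] for e in PROCESS_EVENTS if headless_sideload(e)])  # ['WS01']
    print(scan_sources(FLOWS))  # {'10.0.0.5': 15}
```

Tune `min_targets` to the environment; scanners and management hosts that legitimately touch these ports on many machines should be allow-listed rather than lowering the threshold.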
This campaign underscores the evolving tactics of cybercriminals who exploit trusted communication platforms like Microsoft Teams to deceive employees and infiltrate organizations. It highlights the critical need for organizations to implement robust security measures, conduct regular employee training on phishing awareness, and maintain vigilant monitoring of internal communication channels to detect and prevent such sophisticated attacks.