RSS
Last updated: May 14, 2026 at 10:49 AM UTC
All 219 Vulnerability 76 Breach 45 Threat 91 Defense 7
Tag: helpdesk-impersonation (2 articles)Clear
threat
2026-04-22

Mandiant outs UNC6692 running IT-helpdesk impersonation over Microsoft Teams to deploy custom SNOW malware suite

Google's Mandiant team published a report on April 22 naming UNC6692, a previously untracked threat cluster running a high-conversion social engineering playbook against senior enterprise staff - 77% of observed targets were senior employees between March 1 and April 1, 2026. The attack opens with an email bombing burst, flooding the victim's inbox with spam to create urgency. The operator then sends a Microsoft Teams chat invite from an external account, posing as internal IT help, and offers to fix the spam problem via a link to a convincing phishing page called 'Mailbox Repair and Sync Utility v2.1.5'. The page forces Microsoft Edge via the microsoft-edge: URI scheme, harvests credentials through a fake 'Health Check' button, and downloads an AutoHotkey script from attacker-controlled AWS S3 that installs the SNOW malware family: SNOWBELT (a malicious Edge/Chromium extension disguised as 'MS Heartbeat' that holds persistence through Scheduled Tasks and a Startup-folder shortcut), SNOWGLAZE (a Python WebSocket tunneler wrapping traffic in Base64-encoded JSON), and SNOWBASIN (a Python bindshell for interactive remote control). Post-exploitation includes LSASS dumps, Pass-the-Hash lateral movement, PsExec and RDP over the SNOWGLAZE tunnel, and exfil via LimeWire.

unc6692snowsnowbeltsnowglazesnowbasinmicrosoft-teamsemail-bombinghelpdesk-impersonationmandiantsocial-engineering
Check
Block external Microsoft Teams chat invites to staff who do not need external collaboration (this should be the default for most organizations) and brief senior staff this week that an IT-helpdesk message over Teams asking them to install a fix is almost certainly hostile.
Affected
Any organization using Microsoft Teams with federated/external chat enabled by default, especially those without a standing 'IT never messages you on Teams without a pre-existing ticket' policy. Senior employees are disproportionately targeted. Windows endpoints are the payload platform, but the human layer is the actual vulnerability.
Fix
In Teams Admin Center, restrict external access so that external users cannot initiate chats with internal staff - require an internal user to invite them first. Alert on AutoHotkey binary execution from any path, on unexpected Chromium/Edge extensions appearing under Scheduled Tasks or Startup folders (especially ones named 'Heartbeat'), and on new outbound WebSocket traffic to AWS S3, CloudFront, or Heroku-hosted endpoints from user endpoints. Run a targeted awareness push to senior staff: show them the 'Mailbox Repair Utility' lure screenshots, emphasize that IT will never ask them to run a 'local patch' over Teams, and give them a one-click way to report a suspicious Teams DM.
threat
2026-04-21

Microsoft warns of external Teams chats abused for helpdesk impersonation - 9-stage attack chain uses Quick Assist and Rclone for data theft

Microsoft Threat Intelligence is warning of a surge in attacks where threat actors pose as IT or helpdesk staff in external Microsoft Teams cross-tenant chats to trick employees into granting remote access - then use legitimate tools to steal data while blending into normal IT activity. The attack chain has nine stages. First, the attacker opens an external Teams chat claiming to be internal IT addressing an account issue. They talk the target into starting a Quick Assist remote support session, giving the attacker direct control of the machine. From there they do quick recon via Command Prompt and PowerShell, drop a small payload in user-writable locations like ProgramData, and execute it through DLL side-loading using a trusted signed application (Autodesk, Adobe Reader, Windows Error Reporting, or even data loss prevention software - any binary with a valid Microsoft-trusted signature). HTTPS C2 blends into normal outbound traffic. They establish persistence via Windows Registry, then use Windows Remote Management (WinRM) to move laterally to domain controllers and high-value assets. Final stage: Rclone exfiltrates filtered data to external cloud storage. Microsoft's detection guidance is blunt - this blends into legitimate admin activity and is hard to distinguish from routine IT support.

microsoft-teamssocial-engineeringhelpdesk-impersonationquick-assistrclonewinrmdll-sideloadingliving-off-the-land
Check
Audit your Teams tenant configuration today. Do external users from unknown tenants have the ability to start chats with your employees? If yes, this attack vector is open.
Affected
Any organization using Microsoft Teams with external collaboration enabled, particularly with 'Anyone' or broad external access allowed. Non-technical staff who may not recognize the pattern of an external Teams contact impersonating IT. Environments where Quick Assist is not restricted and WinRM is widely enabled.
Fix
In Teams Admin Center, set External Access to allow only specific trusted domains (not 'Anyone'). Train staff to treat any external Teams contact claiming to be IT as hostile by default - legitimate internal IT does not chat from an external tenant. Restrict or audit Quick Assist: if you don't use it, disable it via GPO or Intune. Limit WinRM to specific admin jump boxes rather than allowing it across the domain. Monitor for Rclone execution (filename and parent process) - there's essentially no legitimate business reason for Rclone to run on endpoint machines. Flag any outbound HTTPS traffic from endpoints to consumer cloud storage domains (Mega, Dropbox, Google Drive) that doesn't match expected user behavior.