RSS
Last updated: May 14, 2026 at 10:49 AM UTC
All 219 Vulnerability 76 Breach 45 Threat 91 Defense 7
Tag: unc6692 (1 article)Clear
threat
2026-04-22

Mandiant outs UNC6692 running IT-helpdesk impersonation over Microsoft Teams to deploy custom SNOW malware suite

Google's Mandiant team published a report on April 22 naming UNC6692, a previously untracked threat cluster running a high-conversion social engineering playbook against senior enterprise staff - 77% of observed targets were senior employees between March 1 and April 1, 2026. The attack opens with an email bombing burst, flooding the victim's inbox with spam to create urgency. The operator then sends a Microsoft Teams chat invite from an external account, posing as internal IT help, and offers to fix the spam problem via a link to a convincing phishing page called 'Mailbox Repair and Sync Utility v2.1.5'. The page forces Microsoft Edge via the microsoft-edge: URI scheme, harvests credentials through a fake 'Health Check' button, and downloads an AutoHotkey script from attacker-controlled AWS S3 that installs the SNOW malware family: SNOWBELT (a malicious Edge/Chromium extension disguised as 'MS Heartbeat' that holds persistence through Scheduled Tasks and a Startup-folder shortcut), SNOWGLAZE (a Python WebSocket tunneler wrapping traffic in Base64-encoded JSON), and SNOWBASIN (a Python bindshell for interactive remote control). Post-exploitation includes LSASS dumps, Pass-the-Hash lateral movement, PsExec and RDP over the SNOWGLAZE tunnel, and exfil via LimeWire.

unc6692snowsnowbeltsnowglazesnowbasinmicrosoft-teamsemail-bombinghelpdesk-impersonationmandiantsocial-engineering
Check
Block external Microsoft Teams chat invites to staff who do not need external collaboration (this should be the default for most organizations) and brief senior staff this week that an IT-helpdesk message over Teams asking them to install a fix is almost certainly hostile.
Affected
Any organization using Microsoft Teams with federated/external chat enabled by default, especially those without a standing 'IT never messages you on Teams without a pre-existing ticket' policy. Senior employees are disproportionately targeted. Windows endpoints are the payload platform, but the human layer is the actual vulnerability.
Fix
In Teams Admin Center, restrict external access so that external users cannot initiate chats with internal staff - require an internal user to invite them first. Alert on AutoHotkey binary execution from any path, on unexpected Chromium/Edge extensions appearing under Scheduled Tasks or Startup folders (especially ones named 'Heartbeat'), and on new outbound WebSocket traffic to AWS S3, CloudFront, or Heroku-hosted endpoints from user endpoints. Run a targeted awareness push to senior staff: show them the 'Mailbox Repair Utility' lure screenshots, emphasize that IT will never ask them to run a 'local patch' over Teams, and give them a one-click way to report a suspicious Teams DM.