Hackers are posing as IT help desk workers on Microsoft Teams to trick victims into installing data-stealing malware, according to a new report from Mandiant.
The campaign, attributed to a newly tracked threat cluster known as UNC6692, combines email flooding, phishing messages and malicious browser extensions to gain access to corporate systems, researchers at the Google-owned cybersecurity company said.
The operation begins with a large wave of emails designed to overwhelm a targeted inbox, after which the attacker reaches out via Microsoft Teams using an account outside the victim’s organization, posing as an IT support worker offering help with the email disruption.
During the conversation, the victim is instructed to install what appears to be a “patch” meant to stop the spam. Clicking the link opens a website masquerading as a “Mailbox Repair Utility,” prompting the user to download a script that ultimately installs a malicious browser extension called SnowBelt, according to Mandiant.
SnowBelt functions as a backdoor. Because it runs inside the victim's browser, it lets the attackers ride the browser's already-authenticated sessions to keep access to corporate accounts and move through internal systems without having to authenticate again.
Once installed, the extension can download additional components, including malware tools dubbed SnowGlaze and SnowBasin, along with AutoHotkey scripts and a portable Python environment used to run further malicious code.
The phishing page itself uses several social-engineering techniques to increase the likelihood of compromise. If a victim attempts to access the page from a browser other than Microsoft Edge, the site displays a persistent overlay urging the user to switch to Edge — steering them into a browser environment where the attack is most effective.
Another trick targets user behavior during login attempts. The credential-harvesting script deliberately rejects the first two password submissions, prompting victims to re-enter their credentials. According to researchers, this tactic both reinforces the illusion of a legitimate system and ensures the attackers capture the password twice, reducing the chance of errors in the stolen data.
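The two page behaviours described above, the Edge-only overlay and the deliberate rejection of the first two logins, are easy to model. The following is an added illustration written for this article; it is not Mandiant's code and not the actual UNC6692 page, and the function names, the "Edg/" user-agent check and the sample credentials are assumptions. It exists so an analyst can see why the stolen data ends up containing several copies of the same password and how a typo in one attempt would be resolved.

```javascript
// Added illustration (not Mandiant's code and not the real UNC6692 page):
// a minimal, offline model of the two phishing-page behaviours reported above.
// Function names and the exact Edge detection rule are assumptions.

const REJECTED_ATTEMPTS = 2; // the page "fails" the first two logins

// Chromium-based Edge carries an "Edg/<version>" token in its User-Agent.
// Returns true when the lure would display its "switch to Edge" overlay.
function shouldShowEdgeOverlay(userAgent) {
  return !/\bEdg\/\d/.test(userAgent);
}

// Simulates the credential-harvesting form handler. Every submission is
// stored; the victim only sees "accepted" once they have typed the password
// more than REJECTED_ATTEMPTS times, so the attacker ends up with repeated
// copies to cross-check for typos.
function createHarvester() {
  const captured = [];
  return {
    submit(username, password) {
      captured.push({ username, password, attempt: captured.length + 1 });
      const accepted = captured.length > REJECTED_ATTEMPTS;
      return accepted ? "accepted" : "rejected"; // what the victim sees
    },
    // Best-guess credential: the value the victim entered most often
    // (ties resolve to the earliest entry).
    consensusPassword() {
      const counts = new Map();
      for (const c of captured) {
        counts.set(c.password, (counts.get(c.password) || 0) + 1);
      }
      let best = null;
      for (const [pw, n] of counts) {
        if (best === null || n > counts.get(best)) best = pw;
      }
      return best;
    },
    captured() {
      return captured.slice();
    },
  };
}

// Worked run with a constructed victim session (sample data, not from the
// report): the victim mistypes once, then enters the real password twice.
function demo() {
  const h = createHarvester();
  const results = [
    h.submit("j.doe@example.com", "Winter2024?"), // typo, rejected (attempt 1)
    h.submit("j.doe@example.com", "Winter2024!"), // rejected (attempt 2)
    h.submit("j.doe@example.com", "Winter2024!"), // accepted (attempt 3)
  ];
  return {
    results,
    password: h.consensusPassword(),
    attempts: h.captured().length,
  };
}
```

In the worked run the page only lets the third submission through, and the harvester's majority vote discards the mistyped first attempt. That is exactly the artefact an incident responder should expect to find if they recover the attacker's collection endpoint: multiple near-identical submissions per victim rather than one.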
“The UNC6692 campaign demonstrates an interesting evolution in tactics,” Mandiant researchers said. “It combines social engineering, custom malware and a malicious browser extension while exploiting the trust users place in common enterprise platforms.”
Daryna Antoniuk
is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.


