Mandiant and Google Threat Intelligence Group exposed a previously undocumented threat cluster designated UNC6692 that impersonates IT help desk workers via Microsoft Teams to breach corporate networks, according to research published on April 24, 2026.
- UNC6692 has been active since late December 2025, using email bombing followed by Microsoft Teams messages to impersonate IT support staff.
- The group deploys a three-part SNOW malware suite: SNOWBELT (browser extension backdoor), SNOWGLAZE (WebSocket tunneler), and SNOWBASIN (persistent backdoor).
- ReliaQuest data shows 77% of incidents from March 1 to April 1, 2026, targeted senior-level employees, up from 59% in the first two months of 2026.
- The attack chain progresses from credential harvesting through a fake Mailbox Repair Utility to domain controller compromise via LSASS memory extraction and pass-the-hash techniques.
- Microsoft Teams allows external messaging from all domains by default, creating the initial attack surface UNC6692 exploits.
Google Threat Intelligence Group and Mandiant researchers JP Glab, Tufail Ahmed, Josh Kelley, and Muhammad Umair detailed the campaign, codenamed Snow Flurries, in a blog post published April 24, 2026. The campaign has been active since late December 2025 and targets corporate environments through Microsoft Teams external messaging.
The attack begins with a large-scale email campaign designed to overwhelm the target’s inbox, creating urgency and distraction. The attacker then contacts the victim via Microsoft Teams using an external account, posing as IT support, and directs them to install a patch to stop the spam.
The link opens a fake "Mailbox Repair and Sync Utility v2.1.5" page hosted on AWS S3. The page forces the victim to use Microsoft Edge through a persistent overlay warning and harvests credentials with a double-entry trick: it rejects the first and second password attempts, which reinforces the belief that the system is legitimate and captures the password twice.
Exfiltration of stolen credentials occurs via asynchronous PUT requests to attacker-controlled Amazon S3 buckets.
The SNOW malware ecosystem comprises three components working as a coordinated pipeline from browser-based access to internal network compromise.
SNOWBELT is a JavaScript-based Chromium browser extension that masquerades as MS Heartbeat or System Heartbeat. It uses a time-based domain generation algorithm for command-and-control communication via AWS S3 with AES-GCM encryption, operating in 30-minute intervals.
SNOWGLAZE is a Python-based tunneler that creates a secure, authenticated WebSocket tunnel between the victim’s internal network and the attacker’s command-and-control server. It supports SOCKS proxy operations for arbitrary TCP traffic routing, using Microsoft Edge User-Agent masquerading to blend into normal browser traffic.
SNOWBASIN operates as a persistent backdoor enabling remote command execution via cmd.exe or powershell.exe, screenshot capture, file upload/download, and self-termination.
Post-compromise activity includes internal reconnaissance scanning for ports 135, 445, and 3389, LSASS memory extraction via Windows Task Manager, pass-the-hash authentication to domain controllers, and deployment of FTK Imager to extract the Active Directory database file NTDS.dit, Security Account Manager, SYSTEM registry hive, and SECURITY registry hive. All extracted files were exfiltrated via LimeWire.
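The internal reconnaissance step above, scanning for ports 135, 445, and 3389, leaves a fan-out pattern in network flow logs: one internal host reaching many distinct peers on those ports in a short window. The following PowerShell is an added detection example, not code from the GTIG/Mandiant report; the flow-log lines, field names, and thresholds are constructed for the demo and should be adapted to your own log format.

```powershell
# Added example (not GTIG/Mandiant code): flag internal hosts that contact many
# distinct peers on the RPC/SMB/RDP ports named in the report (135, 445, 3389)
# within a short window. The flow-log lines below are constructed for the demo.
$constructedFlowLog = @'
2026-03-12T09:14:02Z src=10.20.5.17 dst=10.20.5.20 dport=445 action=allow
2026-03-12T09:14:03Z src=10.20.5.17 dst=10.20.5.21 dport=445 action=allow
2026-03-12T09:14:03Z src=10.20.5.17 dst=10.20.5.22 dport=135 action=allow
2026-03-12T09:14:04Z src=10.20.5.17 dst=10.20.5.23 dport=3389 action=deny
2026-03-12T09:14:05Z src=10.20.5.17 dst=10.20.5.24 dport=445 action=allow
2026-03-12T09:14:06Z src=10.20.5.17 dst=10.20.5.25 dport=3389 action=deny
2026-03-12T09:14:07Z src=10.20.5.17 dst=10.20.5.26 dport=135 action=allow
2026-03-12T09:14:08Z src=10.20.5.17 dst=10.20.5.27 dport=445 action=allow
2026-03-12T09:14:09Z src=10.20.5.17 dst=10.20.5.28 dport=445 action=allow
2026-03-12T09:14:10Z src=10.20.5.17 dst=10.20.5.29 dport=445 action=allow
2026-03-12T09:14:11Z src=10.20.5.17 dst=10.20.5.30 dport=445 action=allow
2026-03-12T09:14:12Z src=10.20.5.17 dst=10.20.5.31 dport=445 action=allow
2026-03-12T09:20:00Z src=10.20.7.4 dst=10.20.1.10 dport=445 action=allow
2026-03-12T09:31:00Z src=10.20.7.4 dst=10.20.1.11 dport=445 action=allow
'@

function Find-LateralRecon {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int[]]$WatchPorts = @(135, 445, 3389),   # ports named in the report
        [int]$WindowMinutes = 5,                   # constructed threshold
        [int]$MinDistinctHosts = 10                # constructed threshold
    )
    # Parse only the fields the detection needs; lines that do not match are skipped.
    $pattern = '^(?<ts>\S+)\s+src=(?<src>\S+)\s+dst=(?<dst>\S+)\s+dport=(?<port>\d+)'
    $events = foreach ($line in $Lines) {
        if ($line -match $pattern) {
            [pscustomobject]@{
                Time = [datetimeoffset]::Parse($Matches.ts).UtcDateTime
                Src  = $Matches.src
                Dst  = $Matches.dst
                Port = [int]$Matches.port
            }
        }
    }
    $hits = @()
    foreach ($group in ($events | Where-Object { $_.Port -in $WatchPorts } | Group-Object Src)) {
        $sorted = $group.Group | Sort-Object Time
        # Sliding window: count distinct destinations reached from this source within WindowMinutes.
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            $end = $sorted[$i].Time.AddMinutes($WindowMinutes)
            $inWindow = $sorted | Where-Object { $_.Time -ge $sorted[$i].Time -and $_.Time -lt $end }
            $distinct = @($inWindow.Dst | Sort-Object -Unique).Count
            if ($distinct -ge $MinDistinctHosts) {
                $hits += [pscustomobject]@{
                    Source        = $group.Name
                    WindowStart   = $sorted[$i].Time
                    DistinctHosts = $distinct
                    Ports         = (@($inWindow.Port | Sort-Object -Unique) -join ',')
                }
                break   # one alert per source is enough for triage
            }
        }
    }
    return $hits
}

# 10.20.5.17 touches 12 peers in ten seconds and is flagged; 10.20.7.4 is normal and is not.
Find-LateralRecon -Lines ($constructedFlowLog -split "`n") | Format-Table -AutoSize
```

Denied connections count toward the fan-out on purpose: a scan of a subnet where RDP is closed on most hosts still shows the attacker's intent, and a rule that only looks at allowed flows would miss it.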
According to ReliaQuest researchers John Dilgen and Alexa Feminella, 77% of observed incidents from March 1 to April 1, 2026, targeted senior-level employees, up from 59% in the first two months of 2026. Chats were initiated 29 seconds apart, indicating automated or semi-automated deployment of the social engineering phase. The rapid targeting mirrors voice phishing escalation patterns tracked across April 2026 breach campaigns.
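The 29-second cadence between chats is itself a detectable signal: a human help desk worker does not open a new conversation with a different executive every half minute. The PowerShell below is an added example, not ReliaQuest's or the researchers' tooling; it works over a constructed CSV of Teams chat-initiation records (real exports use different field names, which you would map in) and flags external senders whose inter-chat timing looks machine-paced, ignoring domains on a verified allow-list.

```powershell
# Added example (not ReliaQuest/GTIG code): spot machine-paced external Teams chat
# initiations. The CSV is constructed; map your audit export's fields to these columns.
$constructedChatAudit = @'
Time,SenderUpn,SenderDomain,Recipient
2026-03-03T14:02:00Z,support@itdesk-example.test,itdesk-example.test,cfo@victim.example
2026-03-03T14:02:29Z,support@itdesk-example.test,itdesk-example.test,coo@victim.example
2026-03-03T14:02:58Z,support@itdesk-example.test,itdesk-example.test,cio@victim.example
2026-03-03T14:03:27Z,support@itdesk-example.test,itdesk-example.test,ciso@victim.example
2026-03-03T14:03:56Z,support@itdesk-example.test,itdesk-example.test,vp.sales@victim.example
2026-03-03T09:10:00Z,alice@partner.example,partner.example,bob@victim.example
2026-03-03T16:45:12Z,alice@partner.example,partner.example,carol@victim.example
'@

function Find-AutomatedExternalChats {
    param(
        [Parameter(Mandatory)][string]$Csv,
        [string[]]$AllowedDomains = @(),     # verified partner domains to skip
        [int]$MinChats = 4,                  # constructed threshold
        [int]$MaxMedianGapSeconds = 60       # constructed threshold
    )
    $rows = $Csv | ConvertFrom-Csv
    $alerts = @()
    $external = $rows | Where-Object { $_.SenderDomain -notin $AllowedDomains }
    foreach ($sender in ($external | Group-Object SenderUpn)) {
        if ($sender.Count -lt $MinChats) { continue }
        # Inter-arrival gaps between this sender's chat initiations, in seconds.
        $times = @($sender.Group | ForEach-Object { [datetimeoffset]::Parse($_.Time).UtcDateTime } | Sort-Object)
        $gaps  = @(for ($i = 1; $i -lt $times.Count; $i++) { ($times[$i] - $times[$i - 1]).TotalSeconds })
        $sortedGaps = @($gaps | Sort-Object)
        $median = $sortedGaps[[int][math]::Floor($sortedGaps.Count / 2)]
        if ($median -le $MaxMedianGapSeconds) {
            $alerts += [pscustomobject]@{
                Sender           = $sender.Name
                Domain           = $sender.Group[0].SenderDomain
                Chats            = $sender.Count
                MedianGapSeconds = $median
                Recipients       = (@($sender.Group.Recipient) -join ', ')
            }
        }
    }
    return $alerts
}

# The itdesk-example.test sender opens five chats 29 seconds apart and is flagged;
# partner.example is on the allow-list and is skipped.
Find-AutomatedExternalChats -Csv $constructedChatAudit -AllowedDomains @('partner.example') | Format-List
```

Using the median gap rather than the mean keeps one long pause (the operator stepping away) from hiding an otherwise regular cadence; the recipients list in the alert is what lets an analyst see at a glance that the targets are all senior staff.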
The tactics have been previously associated with former Black Basta affiliates.
UNC6692 abuses legitimate cloud services including AWS S3 for payload delivery and exfiltration, and Heroku for WebSocket tunneling, bypassing traditional domain reputation filters. This pattern compounds the cybersecurity attack trends documented across recent breach campaigns where threat actors shelter behind trusted cloud providers.
Microsoft Teams allows external messaging from all domains by default, according to Microsoft's own admin documentation. Administrators can restrict or block external domains via the Teams admin center under Users > External access, or through the Set-CsTenantFederationConfiguration PowerShell cmdlet.
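The cmdlet named above is the scriptable way to close the default open-federation setting, and the allow-list it produces is the control the closing recommendation calls for. The PowerShell below is an added example, not Microsoft's documentation or the researchers' code: it records the current setting, replaces "all domains" with an explicit list of verified partner domains, and turns off Teams consumer (personal account) chat. The partner domain names are placeholders, and the session assumes the MicrosoftTeams module and a Teams administrator role; confirm the parameter names against the module version you run.

```powershell
# Added example (not Microsoft's or GTIG's code): move Teams external access from the
# default "all domains" to an explicit allow-list. Domains below are placeholders.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Record the current state before changing anything. On an untouched tenant the
# AllowedDomains value reflects the open "allow all known domains" default.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound

# Build the allow-list from verified partner domains (placeholders; replace with your own).
$partnerDomains = @('partner-one.example', 'partner-two.example')
$patterns  = $partnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $patterns

# Keep federation on, but only for the listed domains, and block chat from personal
# Teams accounts in both directions, since those carry no organisational identity.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
                                    -AllowedDomains $allowList `
                                    -AllowTeamsConsumer $false `
                                    -AllowTeamsConsumerInbound $false

# Verify the change took effect.
Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound
```

An allow-list is preferable to a block-list here because the attacker's sending domains are disposable; blocking each one after the fact never catches up, while an allow-list makes every new external domain a deliberate administrative decision.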
The employees UNC6692 targets most are also the ones who face the least friction when receiving external Teams messages from unknown domains.
Defense recommendations published alongside the April 24, 2026, disclosure include enforcing help desk verification workflows, restricting external Teams messaging and screen-sharing, hardening PowerShell execution policies, and treating collaboration tools as primary attack surfaces.
UK organisations breached through this vector face ICO notification obligations within 72 hours under UK GDPR Article 33. Small business security teams without dedicated Teams administrators face the highest exposure.
The UNC6692 campaign demonstrates that collaboration platforms have become primary attack surfaces. When 77% of incidents target senior employees, the risk concentrates where network privileges are broadest.
Enterprise security teams should audit Microsoft Teams external access policies this week, restricting external domains to a verified allow-list. Mandiant’s YARA detection rules for SNOWBELT, SNOWGLAZE, and SNOWBASIN are freely available for deployment. Organisations should implement a secondary verification channel for any help desk request received via Teams to counter the social engineering vector.