A threat actor that the Google Threat Intelligence Group (GTIG) tracks as UNC6692 has been bombarding users with spam email and then, posing as help desk staff, convincing them to accept a Microsoft Teams chat invitation. Over that chat the attacker sends a “patch” that is actually a phishing link; once the user loads it, the attacker takes over the computer.

After gaining entry via the phishing link, UNC6692 deploys the SNOW malware, moving laterally and exfiltrating data along the way. GTIG researchers said the UNC6692 campaign demonstrates how modern attackers blend social engineering with technical evasion to gain a foothold in a network. By hosting malicious components on trusted cloud platforms such as Microsoft Teams, attackers bypass traditional network reputation filters and blend into the high volume of legitimate cloud traffic.

“Email bombing followed by helpdesk impersonation has been a reliable attack chain for years,” said Shane Barney, chief information security officer at Keeper Security. “UNC6692 did not reinvent it, but they refined it. The Microsoft Teams delivery mechanism is the update worth paying attention to, and it works precisely because organizations have spent years conditioning employees to be suspicious of email.”

Barney added that Microsoft Teams occupies different psychological territory: many users believe it is internal, sanctioned and safe. Pair that with an inbox already flooded with spam, and victims are primed to accept help from whoever shows up first.

Jason Barnhizer, director of threat operations at Blackpoint Cyber, said this campaign is both a repackaged classic of social engineering and something genuinely new, which is why security teams need to pay attention.

“The email bombing and helpdesk impersonation sequence is not new; this combination has been a tactic long embraced and was noted by us in December 2025 in conjunction with leveraging RMM tools for further access and abuse,” said Barnhizer.

However, Barnhizer pointed out that this campaign does not push victims toward installing an RMM tool. Instead, the victim is instructed to click a phishing link shared via the Teams chat to install a local “patch.” Once the user installs the “patch,” the malware is dropped and the attack commences.

“That level of custom tooling investment signals a threat actor operating with more resources and intent than a typical opportunistic crew,” said Barnhizer.

Jason Soroko, a senior fellow at Sectigo, added that the integration of Microsoft Teams into this attack chain is the modern twist on legacy tactics. Attackers understand that employees inherently trust internal communication platforms and view them as secure spaces for corporate collaboration, said Soroko.

“Bypassing traditional email filters to directly message senior staff allows the malicious actors to exploit the presumed legitimacy of the application,” said Soroko. “This campaign highlights how threat groups continuously adapt their delivery mechanisms to subvert contemporary security controls while relying on the exact same fundamental deceptions that have proven effective for years.”
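The attack chain described above (an inbound-mail burst, then an accepted chat from an external Teams tenant, then a link click over that chat) is correlatable in telemetry. The following is an added example, not code from the article, GTIG or any quoted vendor: detection logic run over constructed sample events. The event schema, the burst threshold, the domain allowlist and the sample events are all assumptions; real Exchange message-trace and Teams audit data would need to be mapped onto this shape.

```python
"""Correlate an email-bombing burst with a follow-on external Teams chat.

Added example (not from the article or the GTIG report). The event schema,
thresholds, allowlist and sample events below are constructed assumptions;
real telemetry (Exchange message trace, Teams audit logs) would need mapping.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    # alice receives 60 inbound messages in ten minutes: an email bomb.
    *[{"ts": f"2025-01-15T09:{m:02d}:{s:02d}Z", "user": "alice@example.com",
       "source": "mail", "event": "inbound"}
      for m in range(10) for s in (5, 15, 25, 35, 45, 55)],
    # Minutes later she accepts a chat from an external "help desk" tenant.
    {"ts": "2025-01-15T09:42:10Z", "user": "alice@example.com", "source": "teams",
     "event": "external_chat_accepted", "peer": "helpdesk@it-support.example"},
    # ...and clicks the "patch" link sent over that chat.
    {"ts": "2025-01-15T09:45:00Z", "user": "alice@example.com", "source": "teams",
     "event": "url_click", "url": "https://update.example/patch.msi"},
    # bob: normal mail volume, and an external chat from an allowlisted partner.
    {"ts": "2025-01-15T10:00:00Z", "user": "bob@example.com",
     "source": "mail", "event": "inbound"},
    {"ts": "2025-01-15T10:03:00Z", "user": "bob@example.com", "source": "teams",
     "event": "external_chat_accepted", "peer": "jane@partner.example"},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def mail_bursts(events, threshold=30, window=timedelta(minutes=10)):
    """Return {user: [burst_start, ...]} for users who received at least
    `threshold` inbound messages inside any `window`-long sliding window.
    The threshold is an assumption; tune it to the tenant's baseline."""
    per_user = defaultdict(list)
    for e in events:
        if e["source"] == "mail" and e["event"] == "inbound":
            per_user[e["user"]].append(parse_ts(e["ts"]))
    bursts = {}
    for user, times in per_user.items():
        times.sort()
        found, lo = [], 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:      # shrink the window from the left
                lo += 1
            if hi - lo + 1 >= threshold and (not found or t - found[-1] > window):
                found.append(times[lo])        # one entry per distinct burst
        if found:
            bursts[user] = found
    return bursts


def detect(events, allowed_domains=("partner.example",), lookahead=timedelta(hours=2)):
    """Alert when a user accepts an external Teams chat from a non-allowlisted
    domain within `lookahead` of an email bomb; record any Teams link click
    that follows the chat, since that is the 'patch' delivery step."""
    events = sorted(events, key=lambda e: e["ts"])   # ISO strings sort lexically
    bursts = mail_bursts(events)
    alerts = []
    for e in events:
        if e["source"] != "teams" or e["event"] != "external_chat_accepted":
            continue
        domain = e["peer"].rsplit("@", 1)[-1].lower()
        if domain in allowed_domains:
            continue
        chat_at = parse_ts(e["ts"])
        for burst_at in bursts.get(e["user"], []):
            if burst_at <= chat_at <= burst_at + lookahead:
                clicks = [c for c in events
                          if c["user"] == e["user"] and c["source"] == "teams"
                          and c["event"] == "url_click"
                          and chat_at <= parse_ts(c["ts"]) <= chat_at + lookahead]
                alerts.append({
                    "user": e["user"],
                    "peer": e["peer"],
                    "burst_at": burst_at.isoformat(),
                    "chat_at": e["ts"],
                    "clicked_url": clicks[0]["url"] if clicks else None,
                    "severity": "high" if clicks else "medium",
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The ordering is the point: an external chat accepted on its own is routine, and a mail spike on its own is noise, but the chat landing inside the window after the spike, from a domain the tenant does not federate with, matches the sequence the campaign relies on. On the sample data only alice is flagged, at high severity because the link click after the chat is also present; bob's partner-domain chat is allowlisted and his mail volume never crosses the burst threshold.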