Published on April 24, 2026
UNC6692 Uses Microsoft Teams Help Desk Impersonation to Deploy SNOW Malware
Severity
Medium
Detail
A newly identified threat cluster known as UNC6692 is conducting sophisticated social engineering attacks by impersonating IT help desk staff through Microsoft Teams to compromise corporate systems.
According to Mandiant, the attackers initiate campaigns by flooding a target’s inbox with spam emails, creating urgency and confusion. They then contact the victim via Teams, posing as IT support to “help” resolve the issue. This tactic is particularly effective against senior employees and executives, who are increasingly being targeted.
Unlike traditional attacks that rely solely on phishing emails, this campaign combines real-time interaction with victims and abuse of trusted enterprise tools, making it more convincing and harder to detect.
How?
The attack begins with email bombing to overwhelm the victim, followed by a Teams message from the attacker pretending to be IT support. The victim is then tricked into clicking a phishing link labeled as a “Mailbox Repair and Sync Utility.”
Once clicked, the victim downloads an AutoHotkey script from an attacker-controlled cloud server. This script performs reconnaissance and ensures the target environment meets specific conditions before proceeding. It then installs a malicious browser extension called SNOWBELT on Microsoft Edge by launching the browser in headless mode.
The SNOWBELT extension acts as a backdoor, allowing attackers to download additional components such as SNOWGLAZE and SNOWBASIN. SNOWGLAZE creates a secure tunnel between the victim’s network and the attacker’s command-and-control (C2) server, while SNOWBASIN enables persistent remote access, command execution, file transfer, and screenshot capture.
In parallel, the phishing page may prompt the user to enter their mailbox credentials under the guise of a system “health check,” which are then stolen and exfiltrated.
After gaining access, attackers perform reconnaissance, move laterally within the network, escalate privileges (e.g., dumping LSASS memory), and extract sensitive data such as Active Directory databases. Data exfiltration is often carried out using legitimate tools, helping the attackers blend in with normal activity.
Impact
- Compromise of enterprise systems and user credentials
- Persistent remote access via modular malware (SNOW toolkit)
- Lateral movement across corporate networks
- Theft of sensitive business and directory data
- Increased risk of ransomware deployment or extortion
Recommendation & Conclusion
To mitigate such attacks, organizations should:
- Restrict and monitor external communications on Microsoft Teams
- Verify IT support interactions through official internal channels
- Train employees to recognize help desk impersonation tactics
- Monitor for unusual script execution (AutoHotkey, PowerShell)
- Detect unauthorized browser extensions and headless browser activity
- Implement strong endpoint detection and network monitoring
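One way to turn the two host-side recommendations above (unusual AutoHotkey execution, headless Edge with an unauthorized extension) into a concrete check. This is an added example written for this page, not code from the advisory, from Mandiant, or from any vendor product. It reads process-creation events in JSON-lines form with Sysmon Event ID 1 field names (Image, CommandLine, ParentImage, User); the events, paths, user names and script file names are constructed placeholders, and the Edge switches it looks for (`--headless`, `--load-extension=`) are standard Chromium command-line options rather than anything specific to this campaign.

```python
"""Flag process-creation events matching the host-side steps described in
the advisory: an AutoHotkey interpreter launched from a user-writable path
(or straight from a browser), and Microsoft Edge started headless with a
side-loaded extension.  All sample records below are constructed for this
example and are not real telemetry."""

import json
import ntpath
import re
from typing import Iterable

# Constructed sample events (Sysmon Event ID 1 field names, placeholder values).
SAMPLE_EVENTS = r"""
{"Image": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE", "CommandLine": "OUTLOOK.EXE", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\jdoe"}
{"Image": "C:\\Users\\jdoe\\Downloads\\AutoHotkey.exe", "CommandLine": "AutoHotkey.exe repair_utility.ahk", "ParentImage": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "User": "CORP\\jdoe"}
{"Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "CommandLine": "msedge.exe --headless=new --disable-gpu --load-extension=C:\\Users\\jdoe\\AppData\\Local\\Temp\\ext about:blank", "ParentImage": "C:\\Users\\jdoe\\Downloads\\AutoHotkey.exe", "User": "CORP\\jdoe"}
{"Image": "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe", "CommandLine": "msedge.exe --profile-directory=Default https://intranet.example", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\jdoe"}
{"Image": "C:\\Program Files\\AutoHotkey\\v2\\AutoHotkey64.exe", "CommandLine": "AutoHotkey64.exe C:\\Tools\\window_layout.ahk", "ParentImage": "C:\\Windows\\explorer.exe", "User": "CORP\\admin"}
"""

AHK_IMAGE = re.compile(r"^autohotkey(?:u32|u64|a32|32|64)?\.exe$", re.I)
EDGE_IMAGE = re.compile(r"^msedge\.exe$", re.I)
BROWSER_IMAGE = re.compile(r"^(?:msedge|chrome|firefox)\.exe$", re.I)
# Locations a standard user can write to.  A managed interpreter install lives
# under Program Files, so execution from one of these paths is the stronger signal.
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(?:users\\[^\\]+\\(?:downloads|appdata|desktop)|programdata|windows\\temp|temp)\\",
    re.I,
)


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines process-creation events, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def basename(path: str) -> str:
    """Windows-style basename that works regardless of the host OS."""
    return ntpath.basename(path)


def analyze(events: Iterable[dict]) -> list[dict]:
    """Return one finding per suspicious event, listing the indicators that fired."""
    findings = []
    for ev in events:
        image = ev.get("Image", "")
        parent = ev.get("ParentImage", "")
        tokens = ev.get("CommandLine", "").split()
        indicators = []

        if AHK_IMAGE.match(basename(image)):
            indicators.append("autohotkey_interpreter")
            if USER_WRITABLE.match(image):
                indicators.append("interpreter_in_user_writable_path")
            if BROWSER_IMAGE.match(basename(parent)):
                # A script run directly from the browser that just downloaded it.
                indicators.append("spawned_by_browser")

        if EDGE_IMAGE.match(basename(image)):
            if any(t.startswith("--headless") for t in tokens):
                indicators.append("edge_headless")
            if any(t.startswith("--load-extension=") for t in tokens):
                indicators.append("edge_sideloaded_extension")
            if AHK_IMAGE.match(basename(parent)):
                indicators.append("edge_spawned_by_autohotkey")

        if indicators:
            # Two or more corroborating indicators -> high; a lone interpreter
            # launch from an install path is only worth a low-priority review.
            severity = "high" if len(indicators) >= 2 else "low"
            findings.append({"user": ev.get("User"), "image": image,
                             "indicators": indicators, "severity": severity})
    return findings


if __name__ == "__main__":
    for f in analyze(parse_events(SAMPLE_EVENTS)):
        print(f["severity"].upper(), f["user"], basename(f["image"]),
              ", ".join(f["indicators"]))
```

Run against the constructed sample, the benign Outlook launch and the normal interactive Edge start produce nothing; the browser-spawned AutoHotkey run from Downloads and the headless Edge launch with a side-loaded extension (itself a child of the interpreter) each score high, and the administrator's interpreter run from Program Files is reported as low so it can be whitelisted rather than silently dropped. In production the same logic would consume Sysmon or EDR process events rather than an inline string, and the user-writable path list should be tuned to the organisation's own software-deployment conventions.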
In conclusion, the UNC6692 campaign highlights a shift toward interactive, human-driven attacks that exploit trust in enterprise collaboration tools. By combining social engineering with modular malware and legitimate services, attackers can gain deep access while remaining under the radar, making user awareness and behavioral detection critical defenses.
Source
https://thehackernews.com/2026/04/unc6692-impersonates-it-helpdesk-via.html
