New Threat Cluster UNC6692 Exploits Microsoft Teams to Breach Corporate Networks Mandiant and Google Threat Intelligence Group uncovered a previously unknown threat cluster, UNC6692, which has been active since late December 2025, impersonating IT help desk workers via Microsoft Teams to infiltrate corporate networks. The campaign, dubbed Snow Flurries, was detailed in a report published on April 24, 2026, revealing a sophisticated attack chain leveraging social engineering and custom malware. ### Attack Methodology UNC6692 initiates attacks with email bombing to overwhelm targets, followed by Microsoft Teams messages from external accounts posing as IT support. Victims are tricked into installing a fake "Mailbox Repair and Sync Utility" hosted on AWS S3, which harvests credentials through a deceptive double-entry password prompt. Stolen credentials are exfiltrated via asynchronous PUT requests to attacker-controlled Amazon S3 buckets. ### The SNOW Malware Suite The threat group deploys a three-part malware ecosystem: - SNOWBELT: A JavaScript-based Chromium extension (disguised as "MS Heartbeat") that communicates with command-and-control (C2) servers via AES-GCM-encrypted AWS S3 traffic in 30-minute intervals. - SNOWGLAZE: A Python-based WebSocket tunneler that establishes a secure, authenticated proxy between the victim’s network and the attacker’s C2, masquerading as Microsoft Edge traffic. - SNOWBASIN: A persistent backdoor enabling remote command execution, file exfiltration, and screenshot capture. Post-compromise, UNC6692 conducts internal reconnaissance, extracts LSASS memory via Windows Task Manager, and uses pass-the-hash techniques to compromise domain controllers. Attackers deploy FTK Imager to extract Active Directory databases (NTDS.dit) and registry hives, exfiltrating data via LimeWire. ### Targeting & Automation ReliaQuest data indicates 77% of incidents from March 1 to April 1, 2026, targeted senior-level employees, up from 59% in early 2026. The group automates social engineering, initiating Teams chats 29 seconds apart, mirroring patterns seen in recent voice phishing campaigns. Tactics align with former Black Basta affiliates, leveraging legitimate cloud services (AWS S3, Heroku) to evade detection. ### Exploitation of Microsoft Teams Defaults Microsoft Teams’ default setting allowing external messaging from any domain creates a critical attack surface. While administrators can restrict external access via the Teams admin center or PowerShell, many organizations remain vulnerable due to lack of policy enforcement. ### Broader Implications The campaign underscores the growing threat to collaboration platforms, with senior employees who often possess elevated network privileges bearing the highest risk. UK organizations breached via this vector face 72-hour GDPR notification requirements, while small businesses without dedicated Teams administrators are particularly exposed. Mandiant has released YARA detection rules for SNOW malware components, and security teams are advised to audit Teams external access policies and implement secondary verification for help desk requests.