Phishing

Threat Group UNC6692 Breaches Enterprise Networks via Microsoft Teams Impersonation and SNOW Malware Suite

dark6 24 April 2026

A newly identified threat group, designated UNC6692, has been caught executing a sophisticated multistage intrusion campaign that weaponizes Microsoft Teams as an initial access vector — and it doesn’t rely on a single software vulnerability to do it. Instead, it manipulates employee trust in a workplace tool that millions use every day. Google Threat Intelligence Group (GTIG) and Mandiant disclosed the campaign on April 22, 2026, following an investigation into enterprise breaches that culminated in full domain-level compromise.

The Attack Begins with an Email Flood

In late December 2025, UNC6692 launched a mass email bombing campaign against its targets, deliberately overwhelming employee inboxes with thousands of messages to create confusion and urgency. With victims distracted and looking for solutions, the attackers delivered the critical blow: a phishing message sent directly over Microsoft Teams, with the attacker posing as an IT helpdesk employee offering to help with the email problem.

This technique exploits a legitimate feature of Microsoft Teams that allows external users from outside an organization to initiate chat sessions with employees. Victims who accepted the chat invitation — which involved overriding multiple security warnings that Microsoft clearly displays — granted the attacker an initial communication channel inside the organization’s perimeter.

From Teams Chat to Full Domain Compromise: The SNOW Ecosystem

Once the attacker established communication, the victim was directed to click a link to install a “local patch” to stop the email flooding. The link pointed to a convincing phishing page hosted on an attacker-controlled AWS S3 bucket, masquerading as a “Mailbox Repair and Sync Utility.” The attack then unfolded across four phases:

  • Phase 1 – Environment Gating: A gatekeeper script checked for a mandatory URL parameter and forced victims onto Microsoft Edge via the microsoft-edge: URI scheme.
  • Phase 2 – Credential Harvesting: A fake “Health Check” triggered an authentication prompt that deliberately rejected the first two password entries, forcing the victim to retype the password so that the captured credentials were unlikely to contain a typo before they were exfiltrated to an S3 bucket.
  • Phase 3 – Distraction Sequence: A fake progress bar displayed plausible messages while real-time data exfiltration occurred in the background.
  • Phase 4 – Malware Staging: An AutoHotkey binary downloaded and installed SNOWBELT, a malicious Chromium browser extension disguised as “MS Heartbeat” or “System Heartbeat.”

The Three-Component SNOW Malware Suite

UNC6692’s toolset — collectively called the SNOW ecosystem — is a modular, coordinated framework with three distinct components working in concert:

  • SNOWBELT: A JavaScript browser extension that serves as the initial foothold. It intercepts and relays command-and-control instructions, fetching them from DGA-generated S3 URLs, and maintains persistence through Windows Startup folder shortcuts, scheduled tasks, and a headless Edge process.
  • SNOWGLAZE: A Python-based WebSocket tunneler that routes TCP traffic from the victim machine through a SOCKS proxy to a Heroku C2 server. Payloads are wrapped in Base64-encoded JSON frames, so that, carried over an HTTPS WebSocket to a Heroku-hosted application, the tunnel looks like ordinary web traffic rather than a proxy.
  • SNOWBASIN: A Python local HTTP server on port 8000 that executes shell commands, captures screenshots, and exfiltrates files on attacker command.
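The following triage script is an added example for this article, not code from the GTIG/Mandiant report or from the SNOW tooling. It looks on a single Windows host for the artifacts described above: SNOWBELT's Startup-folder shortcuts, scheduled tasks and headless Edge process, an installed Edge extension named after the "Heartbeat" lure, and SNOWBASIN's Python listener on TCP 8000. The extension names, the headless Edge process and the port are taken from the article; the exact Edge switches such a shortcut or task would carry (`--headless`, `--load-extension`) and the AutoHotkey match for the stager are assumptions, so treat those patterns as a starting point rather than a signature.

```powershell
# Added example, not part of the GTIG/Mandiant report or the SNOW tooling: a triage script
# for the SNOWBELT persistence and runtime artifacts and the SNOWBASIN listener. Extension
# names, the headless Edge process and TCP 8000 come from the article; the Edge switches
# (--headless, --load-extension) and the AutoHotkey match are assumptions.
# Run in an elevated PowerShell on the suspect host.

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Component, [string]$Evidence) {
    $findings.Add([pscustomobject]@{ Component = $Component; Evidence = $Evidence })
}

# 1. Startup-folder shortcuts (current user and all users) that launch Edge headless or side-load an extension.
$shell = New-Object -ComObject WScript.Shell
foreach ($dir in @([Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup'))) {
    Get-ChildItem -Path $dir -Filter *.lnk -ErrorAction SilentlyContinue | ForEach-Object {
        $lnk = $shell.CreateShortcut($_.FullName)
        $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
        if ($cmd -match 'msedge' -and $cmd -match '--headless|--load-extension') {
            Add-Finding 'SNOWBELT persistence (Startup shortcut)' "$($_.FullName) -> $cmd"
        }
    }
}

# 2. Scheduled tasks whose action runs Edge with the same switches, or an AutoHotkey binary (the stager).
Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"
        if ($cmd -match 'msedge.*(--headless|--load-extension)|autohotkey') {
            Add-Finding 'SNOWBELT persistence (scheduled task)' "$($task.TaskPath)$($task.TaskName): $cmd"
        }
    }
}

# 3. Edge processes currently running headless.
Get-CimInstance Win32_Process -Filter "Name = 'msedge.exe'" |
    Where-Object { $_.CommandLine -match '--headless' } |
    ForEach-Object { Add-Finding 'SNOWBELT runtime (headless Edge)' "PID $($_.ProcessId): $($_.CommandLine)" }

# 4. Installed Edge extensions whose manifest name matches the lure. Extensions live under
#    <profile>\Extensions\<id>\<version>\manifest.json. A name beginning with __MSG_ is localized
#    and would need the _locales folder resolved, which this check does not do.
$userData = Join-Path $env:LOCALAPPDATA 'Microsoft\Edge\User Data'
Get-ChildItem -Path $userData -Recurse -Filter manifest.json -ErrorAction SilentlyContinue |
    Where-Object { $_.FullName -match '\\Extensions\\' } |
    ForEach-Object {
        try { $m = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json } catch { return }
        if ($m.name -match 'heartbeat') {
            Add-Finding 'SNOWBELT extension' "'$($m.name)' at $($_.DirectoryName)"
        }
    }

# 5. A Python process listening on TCP 8000 (SNOWBASIN's local command server).
Get-NetTCPConnection -State Listen -LocalPort 8000 -ErrorAction SilentlyContinue | ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    if ($p -and $p.ProcessName -match '^python') {
        Add-Finding 'SNOWBASIN listener' "PID $($p.Id) ($($p.ProcessName)) listening on $($_.LocalAddress):8000"
    }
}

if ($findings.Count -eq 0) { 'No SNOW host indicators found.' } else { $findings | Format-Table -AutoSize -Wrap }
```

The script reports rather than remediates: a hit on the extension or listener check is a strong signal, while the headless-Edge and scheduled-task checks will also catch legitimate automation, so review the command lines before acting on them.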

Domain Pillaged via “Living Off the Cloud”

After establishing a foothold, UNC6692 moved laterally using PsExec sessions routed through the SNOWGLAZE tunnel. The attackers dumped LSASS memory to obtain password hashes, then used Pass-the-Hash to authenticate directly to domain controllers. On the DC, they used FTK Imager to extract the Active Directory database (NTDS.dit), SAM, SYSTEM, and SECURITY registry hives.
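The hunt below is an added example, not code from the report, that turns the chain just described into event-log checks on a domain controller: the PSEXESVC service install that PsExec leaves in the System log, NTLM network logons to the DC consistent with Pass-the-Hash, handles opened on lsass.exe, and FTK Imager starting on the DC. It assumes an elevated session, Security auditing of process creation (event 4688) and a Sysmon install that logs ProcessAccess (event 10) and ProcessCreate (event 1); the allow-list of processes permitted to touch LSASS is a starting assumption to tune for the environment.

```powershell
# Added example, not part of the GTIG/Mandiant report: a hunt over Windows Security, System and
# Sysmon logs on a domain controller for the lateral-movement chain described above. Assumes an
# elevated session, 4688 process auditing, and Sysmon logging events 1 and 10.
param([datetime]$Since = (Get-Date).AddDays(-7))

# Flatten the EventData section of an event into a name -> value hashtable.
function Get-EventData($Event) {
    $h = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { if ($d.Name) { $h[$d.Name] = $d.'#text' } }
    return $h
}

$hits = New-Object System.Collections.Generic.List[object]
function Add-Hit($Event, [string]$Technique, [string]$Detail) {
    $hits.Add([pscustomobject]@{ Time = $Event.TimeCreated; Id = $Event.Id; Technique = $Technique; Detail = $Detail })
}

# a) PsExec installs a service called PSEXESVC on the target (System 7045). Its -r switch renames
#    the service, so a service binary dropped directly into %SystemRoot% is also flagged (noisier).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.ServiceName -match 'PSEXESVC' -or $d.ImagePath -match '^%SystemRoot%\\[^\\]+\.exe$') {
            Add-Hit $_ 'PsExec-style service install' "$($d.ServiceName) -> $($d.ImagePath)"
        }
    }

# b) Network logons to the DC that authenticated with NTLM. Domain-joined clients use Kerberos
#    against a DC, so an NTLM type-3 logon for a user account is consistent with Pass-the-Hash.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.LogonType -eq '3' -and $d.AuthenticationPackageName -eq 'NTLM' -and
            $d.TargetUserName -notmatch '\$$' -and $d.TargetUserName -ne 'ANONYMOUS LOGON') {
            Add-Hit $_ 'NTLM network logon (possible Pass-the-Hash)' "$($d.TargetDomainName)\$($d.TargetUserName) from $($d.IpAddress) ($($d.WorkstationName))"
        }
    }

# c) Handles opened on lsass.exe (Sysmon 10) by anything outside a short allow-list of system components.
$lsassAllow = '\\(csrss|wininit|services|lsm|MsMpEng|svchost)\.exe$'
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 10; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.TargetImage -match '\\lsass\.exe$' -and $d.SourceImage -notmatch $lsassAllow) {
            Add-Hit $_ 'LSASS handle access (credential dumping)' "$($d.SourceImage) GrantedAccess=$($d.GrantedAccess)"
        }
    }

# d) FTK Imager started on the DC. Security 4688 only has the on-disk name; Sysmon 1 also carries
#    OriginalFileName, which survives a renamed binary.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.NewProcessName -match 'FTK ?Imager') {
            Add-Hit $_ 'Forensic imaging tool on DC (4688)' "$($d.NewProcessName) by $($d.SubjectDomainName)\$($d.SubjectUserName)"
        }
    }
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $Since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = Get-EventData $_
        if ($d.OriginalFileName -match 'FTK ?Imager' -or $d.Image -match 'FTK ?Imager') {
            Add-Hit $_ 'Forensic imaging tool on DC (Sysmon 1)' "$($d.Image) [$($d.OriginalFileName)] by $($d.User)"
        }
    }

$hits | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Correlate the four categories by time and source host: a PSEXESVC install followed within minutes by an NTLM logon for an administrator and then an LSASS handle or an imaging tool on the DC is the sequence the article describes, and far more telling than any single hit.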

Every stage of the attack leveraged trusted cloud platforms — AWS S3 and Heroku — for payload delivery, credential exfiltration, and C2. This “living off the cloud” strategy allowed malicious traffic to blend seamlessly into legitimate encrypted web traffic, defeating domain reputation filters and IP-based blocklists.

Defensive Recommendations

Organizations should take immediate steps to reduce exposure to campaigns like UNC6692’s. Restrict Microsoft Teams external access settings to prevent unknown tenants from initiating employee chat sessions. Expand endpoint visibility to include browser extension activity and headless browser processes, and monitor for unauthorized cloud egress traffic to platforms like S3 and Heroku. Employee awareness training should treat unsolicited IT helpdesk contact via Teams from external accounts with the same scrutiny as phishing emails. As UNC6692 demonstrates, the weakest link in enterprise security is often not a misconfigured server — it is an employee who trusts a Teams message from someone claiming to be IT.
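As an added example (not from the report), the following session uses the MicrosoftTeams PowerShell module to audit and tighten the tenant federation setting that made the initial Teams contact possible. `contoso.com` and `fabrikam.com` are placeholder partner domains for illustration; replace them with the tenants the organization actually collaborates with.

```powershell
# Added example, not part of the GTIG/Mandiant report: audit and restrict Teams external access
# with the MicrosoftTeams module. contoso.com / fabrikam.com are placeholder partner domains.
Connect-MicrosoftTeams

# 1. Record the current state. AllowFederatedUsers = $true with an empty AllowedDomains list is
#    open federation: any Microsoft 365 tenant, including one an attacker created that morning,
#    can start a chat with employees.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound

# 2. Replace open federation with an explicit allow-list of partner tenants. Unknown tenants can
#    then no longer initiate a chat, so the "IT helpdesk" contact never reaches the employee.
$partners  = 'contoso.com', 'fabrikam.com' | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $partners
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList

# 3. Stop personal (consumer) Teams accounts from reaching employees; inbound is the setting
#    that matters for unsolicited contact, outbound is left off unless there is a business case.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# 4. Verify the change.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound
```

The setting is tenant-wide and can take some time to propagate. Where a full allow-list is not workable, blocking consumer inbound chat and adding known-abusive tenants to `BlockedDomains` still removes the cheapest version of this lure, though it leaves the freshly registered attacker tenant the article describes.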
