# No Vulnerabilities Were Exploited: How UNC6692 Breached Corporations Through Chat Trust

Hackers did not breach the servers — they simply wrote in Teams and asked for help. The UNC6692 attack shows that corporate politeness has become the most dangerous entry point into a corporate network.

Illustrative photo: Depositphotos

Google Threat Intelligence Group and Mandiant revealed on April 22 the details of an attack that exploited no technical vulnerabilities. The UNC6692 group did not break into any servers — it convinced employees to open the doors themselves.

## First — panic, then — "help"

In late December 2025, targeted companies were hit with a massive email-bombing campaign: employee mailboxes were flooded with thousands of messages. While the victim was searching for a way out of the chaos, a message appeared in Microsoft Teams from a "colleague from IT support" — offering to install a patch that would "stop the spam".

A critical detail that is easy to miss: the message came from an external account. Teams allows such contacts by default — and most employees don't pay attention to the "External" label.

"UNC6692 relied on impersonating IT helpdesk employees, convincing victims to accept chat invitations in Teams from an account outside the organization".

— Mandiant researchers JP Glab, Tufail Ahmed, Josh Kelley, and Muhammad Umair

## SNOW: not one tool, but a conveyor

Following the link led to a fake "Mailbox Repair and Sync Utility" page that opened only in Microsoft Edge (the page forced a switch to that browser through a URI scheme handler). Clicking the "Health Check" button harvested the victim's credentials and sent them to an attacker-controlled S3 bucket.

Then a modular malware system called SNOW unfolded:

  • SNOWBELT — malicious Chromium browser extension, persistent backdoor channel;
  • SNOWGLAZE — Python tunneler that built an encrypted WebSocket bridge between the victim's network and the attacker's C2 server;
  • SNOWBASIN — persistent backdoor with the ability to execute commands via PowerShell, capture screenshots, and download files.

After establishing a foothold in the system, attackers scanned the internal network for ports 135, 445, and 3389, dumped the LSASS process memory, and extracted NTDS.dit files — essentially a complete Active Directory user database.
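The post-compromise activity described above leaves a recognisable network footprint: one internal host suddenly contacting many peers on ports 135, 445 and 3389. The following PowerShell is an added illustration, not code from the article or from Mandiant, of how a defender might flag that fan-out pattern in network-connection telemetry. It runs over a constructed set of Sysmon Event ID 3 style records embedded in the script; the threshold of five distinct targets within ten minutes is an assumption to be tuned per environment.

```powershell
# Added example (not from the original article): flag a source host that touches
# lateral-movement ports 135/445/3389 on many internal peers in a short window.
# The events below are constructed sample records, not real telemetry.

$LateralPorts     = 135, 445, 3389
$MinDistinctHosts = 5      # assumption: tune to your environment
$WindowMinutes    = 10     # assumption: tune to your environment

# Constructed Sysmon Event ID 3 style records (SourceIp, DestIp, DestPort, UtcTime).
# 10.0.5.21 sweeps six hosts on 445 in two minutes; 10.0.5.40 only talks to one file server.
$events = @(
    [pscustomobject]@{ SourceIp='10.0.5.21'; DestIp='10.0.5.30'; DestPort=445;  UtcTime=[datetime]'2026-03-10T09:00:01Z' }
    [pscustomobject]@{ SourceIp='10.0.5.21'; DestIp='10.0.5.31'; DestPort=445;  UtcTime=[datetime]'2026-03-10T09:00:03Z' }
    [pscustomobject]@{ SourceIp='10.0.5.21'; DestIp='10.0.5.32'; DestPort=135;  UtcTime=[datetime]'2026-03-10T09:00:05Z' }
    [pscustomobject]@{ SourceIp='10.0.5.21'; DestIp='10.0.5.33'; DestPort=3389; UtcTime=[datetime]'2026-03-10T09:00:40Z' }
    [pscustomobject]@{ SourceIp='10.0.5.21'; DestIp='10.0.5.34'; DestPort=445;  UtcTime=[datetime]'2026-03-10T09:01:10Z' }
    [pscustomobject]@{ SourceIp='10.0.5.21'; DestIp='10.0.5.35'; DestPort=445;  UtcTime=[datetime]'2026-03-10T09:01:55Z' }
    [pscustomobject]@{ SourceIp='10.0.5.40'; DestIp='10.0.5.10'; DestPort=445;  UtcTime=[datetime]'2026-03-10T09:00:02Z' }
    [pscustomobject]@{ SourceIp='10.0.5.40'; DestIp='10.0.5.10'; DestPort=445;  UtcTime=[datetime]'2026-03-10T09:03:00Z' }
    [pscustomobject]@{ SourceIp='10.0.5.40'; DestIp='10.0.5.10'; DestPort=445;  UtcTime=[datetime]'2026-03-10T09:07:00Z' }
)

function Find-LateralScan {
    param(
        [Parameter(Mandatory)] [object[]] $Events,
        [int[]] $Ports    = $LateralPorts,
        [int]   $MinHosts = $MinDistinctHosts,
        [int]   $Window   = $WindowMinutes
    )
    $Events |
        Where-Object { $Ports -contains $_.DestPort } |
        Group-Object SourceIp |
        ForEach-Object {
            $source = $_.Name
            $sorted = $_.Group | Sort-Object UtcTime
            # Sliding window: from each event, count distinct destinations reached
            # within the next $Window minutes. Emit one alert per source at most.
            foreach ($start in $sorted) {
                $end  = $start.UtcTime.AddMinutes($Window)
                $hits = @($sorted | Where-Object { $_.UtcTime -ge $start.UtcTime -and $_.UtcTime -le $end })
                $distinct = @($hits.DestIp | Sort-Object -Unique).Count
                if ($distinct -ge $MinHosts) {
                    [pscustomobject]@{
                        SourceIp        = $source
                        FirstSeen       = $start.UtcTime
                        DistinctTargets = $distinct
                        Ports           = (@($hits.DestPort | Sort-Object -Unique) -join ',')
                    }
                    break
                }
            }
        }
}

# With the constructed sample, only 10.0.5.21 is reported (6 targets, ports 135,3389,445).
Find-LateralScan -Events $events | Format-Table -AutoSize
```

In production the `$events` array would be replaced by records pulled from Sysmon, a firewall or an EDR export; the grouping and sliding-window logic stays the same. A single busy file server client such as 10.0.5.40 never trips the rule, because it reaches only one distinct destination.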

## 77% of victims — senior management

According to researchers, between March 1 and April 1, 2026, approximately 77% of recorded incidents targeted senior executives and senior employees. The logic is simple: they have the broadest access to sensitive systems and the least time to verify each request from "IT".

The tactic of email bombardment followed by "help" via Teams is not new. As TechJuice notes, this approach was previously actively used by affiliates of the Black Basta group, which ceased operations in early 2025. UNC6692 either borrowed the method or inherited it from former members.

## Microsoft fixed it — but not everywhere and not automatically

In January 2026, Microsoft rolled out the ability to block external Teams users directly through the Defender portal, consolidating access management in a single Tenant Allow/Block List interface. Previously, administrators had to switch between several control panels.

The problem is that the feature is not enabled automatically: it requires Defender for Office 365 Plan 1 or Plan 2, as well as separate Teams Admin Center configuration. According to Microsoft's estimates, over 320 million people use Teams monthly — and a significant portion of their organizations still haven't changed the default settings.
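The default that the article points to (external accounts can start a Teams chat with anyone in the tenant) is controlled by the tenant federation configuration, and it can be inspected and tightened from PowerShell rather than only from the Teams Admin Center. The following is an added example, not code from the article or from Microsoft, using the MicrosoftTeams PowerShell module; it assumes you hold the Teams Administrator role, and `partner.example` is a placeholder for a domain you actually collaborate with. The Defender portal Tenant Allow/Block List mentioned above is a separate control and is not shown here.

```powershell
# Added example (not the article's or Microsoft's own code): review and restrict
# who can reach your users over Teams chat from outside the organization.
# Assumes the MicrosoftTeams module is installed and you are a Teams Administrator.

Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Inspect the current tenant-wide external access settings.
#    AllowFederatedUsers = $true with an empty AllowedDomains list means "open to any tenant".
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
                  AllowTeamsConsumer, AllowTeamsConsumerInbound

# 2. Stop unmanaged (personal) Teams accounts from contacting your users at all.
Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

# 3. Keep federation with other organizations, but only for an explicit allow list.
#    'partner.example' is a placeholder; list only tenants you genuinely work with.
$partnerDomains = New-CsEdgeAllowList -AllowedDomain @(
    New-CsEdgeDomainPattern -Domain 'partner.example'
)
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $partnerDomains

# 4. Confirm the change took effect before closing the session.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer, AllowTeamsConsumerInbound
```

Switching from an open federation to an allow list is the change that removes the "external colleague from IT support" scenario at its root; the trade-off is that any new partner tenant must be added to the list before its users can reach yours.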

The UNC6692 attack exploited no technical vulnerabilities — only the fact that Teams is open to external contacts and employees trust messages in a "secure" corporate chat. If your organization still hasn't restricted external requests in Teams and hasn't enabled blocking through Defender, the question is not "can this happen?" but "when exactly will that 'support technician' arrive?"
