A new cyber threat group, UNC6692, is making waves with a clever strategy that’s catching many organizations off guard. Instead of exploiting software bugs, they’re using familiar tools like Microsoft Teams to trick employees into giving up sensitive information.
Researchers from the Google Threat Intelligence Group and Mandiant revealed these tactics in April 2026. The group employs a multi-step attack plan that targets the trust people have in everyday tools at work.
Back in December 2025, UNC6692 launched a mass email attack to flood inboxes. This chaos created confusion and urgency, making it easier for them to send out a phishing message through Microsoft Teams, posing as IT helpdesk staff offering help with the email overload.
This isn’t about finding new vulnerabilities; it’s about exploiting the trust employees place in their communications. Microsoft pointed out in its advisory that UNC6692 skillfully manipulates legitimate Teams features, convincing users to ignore security warnings.
When victims accepted a chat invitation from an unknown account, they unwittingly opened the door for the attackers.
After gaining contact, the attacker led victims to click a link promising to help patch their overflowing inbox. Instead, this link directed them to a phishing page disguised as a “Mailbox Repair and Sync Utility” on a site controlled by the attackers.
The attack follows a detailed plan:
- **Initial Phase:** A script checks for specific email parameters and forces victims onto Microsoft Edge to boost the success of the attack.
- **Credential Harvesting:** A fake “Health Check” simulates an authentication prompt, ensuring users enter their credentials error-free.
- **Deceptive Feedback:** A fake progress bar creates a false sense of security while data is being stolen in the background.
- **Malware Installation:** As users think they’re fixing an issue, malware is downloaded and executed.
The toolkit used by UNC6692, known as the SNOW ecosystem, consists of three parts:
- **SNOWBELT:** A browser extension that establishes the first foothold and communicates with the attackers.
- **SNOWGLAZE:** A tool that routes internet traffic through the victim’s computer, allowing hackers to remain hidden.
- **SNOWBASIN:** A server that carries out commands and captures screenshots, exfiltrating data stealthily.
Once initial access is gained, attackers scan for weaknesses, collect password hashes, and even extract entire databases, all while blending in with legitimate web traffic. This makes detection extremely difficult for traditional security measures.
One major takeaway from UNC6692’s activities is the crucial role of employee vigilance. According to research from the Cybersecurity & Infrastructure Security Agency (CISA), over 90% of successful cyberattacks start with social engineering tactics. Thus, training employees to recognize these schemes is essential.
Organizations should tighten security around external communications in tools like Microsoft Teams and develop a culture of skepticism toward unexpected messages, regardless of the source.
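The sequence described above (an email-bombing burst, then an accepted external Teams chat from a self-described "helpdesk") is something a detection team can correlate rather than leave to user vigilance alone. The following is an added example, not code from the article or from the Google/Mandiant research: it runs a sliding-window volume check over constructed mail-gateway records, then scores accepted external Teams chats that follow a burst, come from a tenant outside a hypothetical allowlist, or carry an IT-support-style display name. The log schema, thresholds, domain names and users are all assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Tunable assumptions (not values from the article): adjust to your tenant's baseline.
BOMB_THRESHOLD = 50                      # inbound messages to one user ...
BOMB_WINDOW = timedelta(minutes=10)      # ... within this window counts as bombing
FOLLOWUP_WINDOW = timedelta(hours=6)     # how long after a burst a Teams contact is suspicious
TRUSTED_DOMAINS = {"contoso.com"}        # hypothetical allowlisted federated partner tenants
HELPDESK_WORDS = ("helpdesk", "help desk", "it support", "service desk")


@dataclass
class EmailEvent:
    ts: datetime
    recipient: str


@dataclass
class TeamsEvent:
    ts: datetime
    recipient: str        # internal user who received the chat request
    sender_domain: str    # tenant domain of the external sender
    sender_display: str   # display name the sender chose
    accepted: bool        # whether the user accepted the chat invitation


def find_email_bombs(events):
    """Return {recipient: burst_start} for users whose inbound volume reaches
    BOMB_THRESHOLD inside any BOMB_WINDOW (two-pointer sliding window)."""
    per_user = defaultdict(list)
    for e in events:
        per_user[e.recipient].append(e.ts)
    bursts = {}
    for user, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > BOMB_WINDOW:
                start += 1
            if end - start + 1 >= BOMB_THRESHOLD:
                bursts[user] = times[start]
                break
    return bursts


def correlate(email_events, teams_events):
    """Score accepted external Teams chats; higher score = more like the
    email-bomb-then-fake-helpdesk pattern. Returns a list of alert dicts."""
    bursts = find_email_bombs(email_events)
    alerts = []
    for t in teams_events:
        if not t.accepted or t.sender_domain in TRUSTED_DOMAINS:
            continue
        score, reasons = 1, ["external chat accepted from non-allowlisted tenant"]
        burst_start = bursts.get(t.recipient)
        if burst_start is not None and timedelta(0) <= t.ts - burst_start <= FOLLOWUP_WINDOW:
            score += 2
            reasons.append("follows an inbound email burst")
        if any(w in t.sender_display.lower() for w in HELPDESK_WORDS):
            score += 1
            reasons.append("sender display name mimics IT helpdesk")
        alerts.append({"user": t.recipient, "sender_domain": t.sender_domain,
                       "ts": t.ts, "score": score, "reasons": reasons})
    return alerts


def sample_logs():
    """Constructed sample data: alice is bombed then accepts a 'helpdesk' chat,
    bob chats with an allowlisted partner, carol accepts an unrelated external chat."""
    base = datetime(2025, 12, 10, 9, 0)
    emails = [EmailEvent(base + timedelta(seconds=5 * i), "alice@example.org") for i in range(60)]
    emails += [EmailEvent(base + timedelta(minutes=i), "bob@example.org") for i in range(5)]
    teams = [
        TeamsEvent(base + timedelta(minutes=40), "alice@example.org", "helpdesk-support.example", "IT Helpdesk", True),
        TeamsEvent(base + timedelta(minutes=45), "bob@example.org", "contoso.com", "Partner PM", True),
        TeamsEvent(base + timedelta(hours=2), "carol@example.org", "random-tenant.example", "Sam", True),
        TeamsEvent(base + timedelta(hours=3), "alice@example.org", "another.example", "Ad Sales", False),
    ]
    return emails, teams


if __name__ == "__main__":
    for a in correlate(*sample_logs()):
        print(f"{a['ts']:%H:%M} {a['user']} <- {a['sender_domain']} score={a['score']} {a['reasons']}")
```

The burst detector and the chat scorer are deliberately separate so the same email-volume signal can feed other rules (for example, a helpdesk ticket spike). In a real deployment the records would come from the mail gateway and the Teams audit log rather than `sample_logs()`, and the score thresholds that page an analyst should be set from your own false-positive rate.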
As cyber threats evolve, staying informed and prepared is key. Regular training and awareness initiatives can help organizations fortify their defenses against these sophisticated attacks.
For more on cybersecurity threats and prevention strategies, check out resources from CISA.