Back

UNC6692 Exploits Microsoft Teams for Phishing and Malware Deployment

Severity: High (Score: 72.5)

Sources: Socprime, Thehackernews, Scworld, Notebookcheck, Mandiant

Summary

A threat group identified as UNC6692 has executed a multi-stage intrusion campaign using Microsoft Teams to impersonate IT helpdesk staff. The attack begins with a mass email campaign to overwhelm the target's inbox, followed by a phishing message via Teams that prompts users to install a malicious AutoHotKey payload. This payload deploys a custom malware suite known as SNOW, which includes components like SNOWBELT, SNOWGLAZE, and SNOWBASIN. The malware enables credential theft, lateral movement, and data exfiltration using a rogue Chromium browser extension and a Python-based tunneling utility. The campaign has been linked to significant data breaches, including the theft of LSASS memory and Active Directory database files, which were exfiltrated through LimeWire. Security professionals are advised to monitor for unusual browser extension behavior and implement strict allow-listing policies. The threat has been confirmed through analysis of Teams chat records and network traffic involving AWS S3 and Heroku. Current status indicates ongoing risk to organizations using Microsoft Teams. Key Points: • UNC6692 uses Microsoft Teams to impersonate IT support and deploy malware. • The SNOW malware suite includes components for credential theft and lateral movement. • Organizations should monitor for suspicious browser activity and enforce strict security policies.

Key Entities

  • Unc6692 (apt_group)
  • Data Breach (attack_type)
  • Malware (attack_type)
  • Phishing (attack_type)
  • cloudfront-021.s3.us (domain)
  • service-page-18968-2419-outlook.s3.us-west-2.amazonaws.com (domain)
  • service-page-25144-30466-outlook.s3.us (domain)
  • SNOW (malware)
  • Snowbasin (malware)
  • Snowbelt (malware)
  • Snowglaze (malware)
  • T1003.001 - Lsass Memory (mitre_attack)
  • T1003 - OS Credential Dumping (mitre_attack)
  • T1021.001 - Remote Desktop Protocol (mitre_attack)
  • T1021.002 - SMB/Windows Admin Shares (mitre_attack)
  • T1021 - Remote Services (mitre_attack)
  • Active Directory (platform)
  • Chromium (platform)
  • Edge (platform)
  • Heroku (platform)
  • Linux (platform)
  • AWS (company)
  • LimeWire (company)
  • Microsoft Teams (tool)
  • Python (tool)
  • AutoHotkey (tool)
  • FTK Imager (tool)
  • PSExec (tool)
Loading threat details...

Threat Not Found

The threat cluster you're looking for doesn't exist or has been removed.

Return to Feed