Google’s Threat Intelligence Group (GTIG) has documented a social engineering campaign that uses Microsoft Teams as its main contact channel. The group behind it, tracked as UNC6692, manipulates users into handing over their credentials and running attacker-supplied tooling. Rather than relying on a single phishing email, the operation chains several manipulation techniques to gain access and extract data from the victim’s environment.
The attackers pose as IT helpdesk staff to build trust, then use a custom malware toolset to establish persistent access and move laterally through the network. The campaign opens with an email bomb: the target’s inbox is flooded with unwanted mail. A direct Teams message follows, in which the attacker, posing as support staff, offers to fix the apparent mailbox problem. Because the lure arrives over Teams rather than email, the mail-filtering controls that would normally inspect a phishing message never see it. The victim is directed to a malicious “Mailbox Repair Utility” built to look like legitimate software and told to enter their credentials twice. GTIG explains why: “This serves two functions: it reinforces the user’s belief that the system is legitimate and performs real-time validation, and it ensures that the attacker captures the password twice, significantly reducing the risk of a typo in the stolen data.”
After the credential capture comes a staged malware payload consisting of AutoHotkey scripts and a malicious browser extension named SnowBelt, which gives the attacker persistent, browser-based access with no visible sign to the user. SnowBelt is one component of a wider toolset GTIG calls “Snow”: SnowBelt provides persistence and command relay, SnowGlaze provides tunneling, and SnowBasin provides remote access. Together they let the operators execute commands, exfiltrate data, and pivot to other systems in the network.
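The sequence that opens the campaign (a burst of inbound mail followed, within a short time, by a Teams chat from an outside tenant posing as the help desk) is something a security operations team can correlate. The detector below is an added example and is not code from the article or from Google’s report; the event schema, thresholds, domain names and sample events are all constructed for illustration and would need to be mapped onto your own mail-flow and Teams audit data.

```python
"""Added example: correlate an inbound-mail burst with follow-on external
Teams contact, the UNC6692 lure pattern. Event schema, thresholds and
domains are assumptions made for this example, not from the report."""
from collections import defaultdict
from datetime import datetime, timedelta

MAIL_BURST_THRESHOLD = 50                  # inbound messages to one mailbox...
MAIL_BURST_WINDOW = timedelta(minutes=10)  # ...within this window = email bomb
FOLLOW_UP_WINDOW = timedelta(minutes=60)   # Teams contact this long after the burst is suspicious
TRUSTED_DOMAINS = {"contoso.com", "contoso-it.com"}  # assumed: own tenant plus a known MSP
HELPDESK_HINTS = ("help desk", "helpdesk", "it support", "service desk")


def parse_ts(value):
    """Parse the ISO-8601 timestamps used by the constructed events."""
    return datetime.fromisoformat(value)


def find_mail_bursts(events):
    """Return {user: burst_start} for mailboxes whose inbound volume crossed
    MAIL_BURST_THRESHOLD inside MAIL_BURST_WINDOW (sliding window, first hit)."""
    arrivals = defaultdict(list)
    for event in events:
        if event["type"] == "mail_received":
            arrivals[event["user"]].append(parse_ts(event["ts"]))
    bursts = {}
    for user, times in arrivals.items():
        times.sort()
        start = 0
        for end, current in enumerate(times):
            while current - times[start] > MAIL_BURST_WINDOW:
                start += 1            # drop arrivals that fell out of the window
            if end - start + 1 >= MAIL_BURST_THRESHOLD:
                bursts[user] = times[start]
                break
    return bursts


def sender_domain(address):
    """Lower-cased domain part of an SMTP-style address."""
    return address.rsplit("@", 1)[-1].lower()


def detect_helpdesk_impersonation(events):
    """Flag external Teams chats that reach a bombed mailbox soon after the burst."""
    bursts = find_mail_bursts(events)
    alerts = []
    for event in events:
        if event["type"] != "teams_chat_external" or event["user"] not in bursts:
            continue                  # only mailboxes that were just bombed matter
        domain = sender_domain(event["sender"])
        if domain in TRUSTED_DOMAINS:
            continue                  # contact from a tenant we expect to hear from
        burst_start = bursts[event["user"]]
        contact_time = parse_ts(event["ts"])
        if not burst_start <= contact_time <= burst_start + MAIL_BURST_WINDOW + FOLLOW_UP_WINDOW:
            continue                  # too early or too late to be the follow-up
        display = event.get("display_name", "").lower()
        severity = "high" if any(h in display for h in HELPDESK_HINTS) else "medium"
        alerts.append({
            "user": event["user"], "sender": event["sender"], "sender_domain": domain,
            "minutes_after_burst": int((contact_time - burst_start).total_seconds() // 60),
            "severity": severity,
        })
    return alerts


def build_sample_events():
    """Constructed events: one bombed mailbox, one normal one, four Teams chats."""
    base = datetime(2025, 1, 15, 9, 0, 0)   # constructed date, not from the report
    events = []
    for i in range(60):                       # 60 messages in five minutes: a burst
        events.append({"ts": (base + timedelta(seconds=5 * i)).isoformat(),
                       "type": "mail_received", "user": "alice@contoso.com",
                       "sender": f"news{i}@bulk-list.example"})
    for i in range(5):                        # ordinary volume, no burst
        events.append({"ts": (base + timedelta(minutes=i)).isoformat(),
                       "type": "mail_received", "user": "bob@contoso.com",
                       "sender": "colleague@contoso.com"})
    events += [
        # The lure: outside tenant, help-desk persona, 20 minutes after the bomb starts.
        {"ts": (base + timedelta(minutes=20)).isoformat(), "type": "teams_chat_external",
         "user": "alice@contoso.com", "sender": "svc.desk@contoso-support.example",
         "display_name": "IT Help Desk"},
        # Genuine MSP contact from an allow-listed tenant: ignored.
        {"ts": (base + timedelta(minutes=25)).isoformat(), "type": "teams_chat_external",
         "user": "alice@contoso.com", "sender": "it@contoso-it.com", "display_name": "Contoso IT"},
        # Same persona contacting a mailbox that was not bombed: outside this rule.
        {"ts": (base + timedelta(minutes=21)).isoformat(), "type": "teams_chat_external",
         "user": "bob@contoso.com", "sender": "svc.desk@contoso-support.example",
         "display_name": "IT Help Desk"},
        # External contact hours later, past the follow-up window: ignored.
        {"ts": (base + timedelta(hours=4)).isoformat(), "type": "teams_chat_external",
         "user": "alice@contoso.com", "sender": "sales@vendor.example", "display_name": "Vendor Sales"},
    ]
    return events


if __name__ == "__main__":
    for alert in detect_helpdesk_impersonation(build_sample_events()):
        print(alert)
```

Run stand-alone, the sample data produces a single high-severity alert for alice, raised by the help-desk persona from the untrusted tenant; the allow-listed MSP chat, the chat to the un-bombed mailbox and the late vendor chat are all dropped. The rule keys on timing and sender tenant rather than on message content, so a renamed “utility” or reworded chat does not evade it; the trade-off is that it only fires after a burst, so the thresholds should be tuned against your own mail volumes.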
The campaign illustrates a shift towards real-time collaboration tools as the channel for the lure, rather than email alone. Pairing the email bomb with a Teams conversation gives the attacker a believable story (your mailbox is broken, and here is support offering to fix it) and a reason for the user to act quickly. The custom malware and quiet browser-based persistence mark a move away from generic attack kits towards a deliberate, longer-term intrusion.
For enterprises, the lesson is that a trusted platform can be the delivery channel for an attack that started elsewhere. Microsoft Teams, often treated as lower risk than email, is here the primary entry point, and both user training and technical defenses need to reflect that. Practical steps include restricting external Teams access to approved domains rather than allowing any tenant to message staff, telling users that the helpdesk will never ask for a password and that any unsolicited “support” contact should be verified through a known channel such as the internal ticketing system, limiting which browser extensions can be installed through enterprise browser policy, and controlling script interpreters such as AutoHotkey on endpoints that have no business need for them.
As attackers refine their social engineering and add purpose-built tooling, unified communications platforms will remain attractive targets. Enterprises that adapt their defenses to this reality will be better placed to stop the next variant of this campaign.