Microsoft Teams is being targeted by a sophisticated social engineering campaign uncovered by Google's threat intelligence team.
The activity, spotted in late December 2025 and attributed to a group tracked as UNC6692, blends classic phishing tactics with more advanced intrusion techniques to achieve deep network compromise and steal sensitive data.
At a high level, the attack hinges on impersonating IT helpdesk personnel and exploiting user trust in internal support channels.
While helpdesk impersonation is not new, Google's findings suggest this campaign operates at a more advanced level than typical phishing efforts, with a custom-built malware ecosystem and a clear focus on persistence and lateral movement.
Inside the "Snow" Malware Ecosystem
The attack begins with attackers overwhelming victims with email spam. They then contact the victim via Teams, posing as a helpdesk worker and offering assistance in response to the disruption.
Once a user engages with the initial bait, the attack chain becomes significantly more technical. Victims are directed to a spoofed "Mailbox Repair Utility" that mimics a legitimate IT tool. There, they are prompted to enter their credentials twice. This deliberate double-entry tactic reinforces legitimacy while ensuring attackers capture accurate login data without typos.
"This serves two functions: it reinforces the user's belief that the system is legitimate and performs real-time validation, and it ensures that the attacker captures the password twice, significantly reducing the risk of a typo in the stolen data," Google Threat Intelligence Group said in a statement.
The phishing page then performs a fake mailbox integrity check, adding to the legitimacy and enabling the extraction of metadata to an attacker-controlled Amazon S3 bucket, while staged files continue downloading onto the user's machine.
"By the time the user receives a 'Configuration completed successfully' message, the attacker has secured the credentials and potentially established a persistent foothold on the endpoint using these staged files," the research continued.
Behind the scenes, the attack deploys a staged payload that includes AutoHotkey scripts and a malicious browser extension called SnowBelt.
Disguised under benign names like "System Heartbeat," the extension establishes persistence within the browser environment and acts as a foothold for further compromise. Notably, it can execute in a headless browser instance, meaning users remain unaware of its activity.
The broader malware suite, "Snow," is modular. SnowBelt handles persistence and command relay, SnowGlaze acts as a tunneling mechanism, and SnowBasin functions as the primary backdoor. SnowGlaze uses WebSocket tunnels and encoding techniques to disguise malicious traffic as normal encrypted web communications, helping it evade detection while enabling command-and-control operations.
SnowBasin, meanwhile, provides full remote access. It allows attackers to execute commands, capture screenshots, manage files, and exfiltrate data. Post-compromise, attackers escalate privileges, move laterally across the network, and ultimately target high-value assets such as Active Directory databases. In observed cases, stolen data was exfiltrated using common tools, highlighting how legitimate utilities are increasingly weaponized in these campaigns.
A New Phase of UC-Focused Social Engineering
This campaign reflects a broader shift in how attackers approach enterprise environments. Rather than relying solely on email phishing, attackers are now leveraging real-time UC tools to create more convincing and interactive attack scenarios.
What makes this campaign stand out is its level of sophistication. The attackers do not just send a message; they simulate a full support interaction. By combining email bombing with a follow-up Teams message, they create a believable narrative that pressures users into quick action. This multi-channel approach significantly increases success rates compared to traditional phishing.
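The email-bomb-then-Teams-chat sequence described above is a correlation a defender can look for directly. The following is an added example (not code from the Google report or from the campaign's tooling) that flags an external-tenant Teams chat arriving shortly after an inbound-mail burst to the same user; the thresholds, log layout and sample events are all assumed and constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds are assumed tuning values, not figures from the Google report:
# a burst is >= BURST_MIN inbound messages within BURST_WINDOW, and an
# external-tenant Teams chat within FOLLOWUP_WINDOW of a burst is flagged.
BURST_MIN = 50
BURST_WINDOW = timedelta(minutes=10)
FOLLOWUP_WINDOW = timedelta(minutes=60)

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def find_bursts(mail_events):
    """Map recipient -> times at which a sliding BURST_WINDOW held >= BURST_MIN mails."""
    per_user = defaultdict(list)
    for ts, rcpt in mail_events:
        per_user[rcpt].append(_ts(ts))
    bursts = defaultdict(list)
    for rcpt, times in per_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > BURST_WINDOW:
                start += 1
            if end - start + 1 >= BURST_MIN:
                bursts[rcpt].append(t)
    return bursts

def flag_followups(mail_events, teams_events):
    """Flag external Teams chats that reach a user shortly after an email burst,
    the two-channel pattern the helpdesk lure described above depends on."""
    bursts = find_bursts(mail_events)
    hits = []
    for ts, user, sender_tenant, is_external in teams_events:
        t = _ts(ts)
        if is_external and any(
                timedelta(0) <= t - b <= FOLLOWUP_WINDOW for b in bursts.get(user, [])):
            hits.append((user, sender_tenant, ts))
    return hits

# Constructed sample data: alice gets 60 messages in five minutes and an external
# "helpdesk" chat 20 minutes later; bob gets one external chat with no burst.
_base = datetime(2025, 12, 22, 9, 0, 0)
MAIL = [((_base + timedelta(seconds=5 * i)).strftime("%Y-%m-%dT%H:%M:%SZ"),
         "alice@corp.example") for i in range(60)]
TEAMS = [("2025-12-22T09:25:00Z", "alice@corp.example", "it-helpdesk-support.example", True),
         ("2025-12-22T09:30:00Z", "bob@corp.example", "partner.example", True),
         ("2025-12-22T09:31:00Z", "alice@corp.example", "corp.example", False)]
```

Feeding real mail-gateway and Teams audit events into `flag_followups` in the same (timestamp, user, tenant, external) shape yields alerts that can drive an out-of-band helpdesk verification call rather than an automatic block.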
At the same time, the technical execution has evolved. The use of custom malware, stealthy browser-based persistence, and encrypted tunneling shows a clear departure from commodity attack kits. This is not a smash-and-grab operation. It is a methodical intrusion designed to achieve long-term access and deep visibility into enterprise systems.
Importantly, this aligns with a wider trend flagged by both Google and Microsoft: the rise of human-operated, socially engineered attacks targeting collaboration platforms. While groups like Scattered Spider, Lapsus$, and ShinyHunters have demonstrated the effectiveness of these tactics, UNC6692 appears to operate independently, suggesting this approach is becoming a standard playbook rather than a niche technique.
What Enterprises Should Take Away
For enterprise IT and security teams, the key takeaway is that trusted communication channels are increasingly being used as the endpoint for attacks that originate elsewhere. Platforms like Microsoft Teams, once considered lower risk compared to email, are now being actively exploited as initial access vectors.
This shift requires a rethink of both user education and technical controls. Employees need to be trained to verify helpdesk interactions, while organizations should consider stricter policies around external communications and remote access tools, especially given guest chat features and the rise in attacks launched from compromised accounts.
As attackers continue to refine social engineering techniques and pair them with custom tooling, unified communications platforms will remain a high-value target. Organizations that adapt their security posture to this reality will be better positioned to stay ahead of increasingly sophisticated threats.