
Hackers Use Microsoft Teams to Impersonate IT Staff in New Malware Campaign

By: Jordan Vector, Cybersecurity Expert

Last updated: April 24, 2026

  • A threat group tracked as UNC6692 is impersonating IT helpdesk staff on Microsoft Teams to plant a custom malware suite on corporate systems.

  • The group first floods a target’s inbox with spam, then swoops in on Teams posing as IT support, tricking victims into clicking a malicious link that silently downloads malware.

  • Once inside, the attackers sweep across the network, steal credentials, capture the Active Directory database, and exfiltrate sensitive data through legitimate cloud tools.

A threat group is turning one of the most trusted workplace tools into a weapon. Google-owned Mandiant’s researchers have identified a previously undocumented hacker cluster, tracked as UNC6692, that impersonates IT helpdesk staff on Microsoft Teams to plant a custom malware suite directly onto victim systems.

The attack follows a deliberate, two-step setup. UNC6692 first buries a target’s inbox under a flood of spam emails, manufacturing urgency and confusion. Then the group swoops in on Microsoft Teams, posing as IT support staff offering to clean up the mess. One message, one click, and the attackers own the system.

Spam Bombs and Fake IT Messages Give Hackers the Opening

UNC6692 did not invent this method. Former affiliates of the now-defunct Black Basta ransomware group built this combination of inbox flooding and Teams-based impersonation first. Black Basta shut down early last year, but the tactic kept running.

ReliaQuest confirmed attackers are still using this playbook, with senior executives and high-level staff now most at risk. The numbers back this up:

  • Senior employees accounted for 77% of incidents from March 1 to April 1, 2026, up from 59% earlier that year.
  • Attackers sent follow-up chat messages as quickly as 29 seconds apart in some cases.
  • ReliaQuest researchers John Dilgen and Alexa Feminella noted that a threat group’s most effective tactics can outlast the group itself.

UNC6692 takes the attack a step further. Instead of installing remote tools, the group sends a phishing link in Teams chats, disguised as a “Mailbox Repair and Sync Utility v2.1.5” patch to fix spam issues. The victim clicks the link, and the system silently pulls an AutoHotkey script from an attacker-controlled Amazon S3 bucket.

While attackers exploit Microsoft Teams for phishing, Mozilla has separately criticized Microsoft for forcing Copilot AI on Windows users without proper consent. Taken together, the two stories show Microsoft's relationship with its users strained on two fronts: security weaknesses in its platforms, and aggressive feature rollouts that put corporate goals ahead of user choice.

A Modular Malware Suite Quietly Takes Over the Infected System

That script kicks off the real damage. It runs initial reconnaissance on the system, then installs SNOWBELT (a malicious Chromium-based browser extension) directly into Microsoft Edge. Mandiant researchers JP Glab, Tufail Ahmed, Josh Kelley, and Muhammad Umair explained that the attacker “deployed a gatekeeper script built to ensure payloads reach only intended targets, while remaining invisible to automated security sandboxes.”

SNOWBELT is the entry point into a full modular toolkit that the researchers call the SNOW malware ecosystem. Each component carries a specific role:

  • SNOWBELT operates as a JavaScript-based backdoor, receiving attacker commands and routing them for execution.
  • SNOWGLAZE (a Python-based tunneler) builds a secure WebSocket tunnel between the victim’s internal network and the attacker’s command-and-control server.
  • SNOWBASIN functions as a persistent backdoor, enabling remote command execution, screenshot capture, and live file transfers.

The phishing page also serves as a fake “Health Check” portal. Victims unknowingly enter their mailbox credentials into it, and those credentials are sent directly to an attacker-controlled Amazon S3 bucket.

Attackers Sweep Across the Network and Drain Sensitive Data

UNC6692 wastes no time after gaining access. The group scans the network for open ports, uses SNOWGLAZE tunneling to reach internal systems, and dumps LSASS process memory via Windows Task Manager to harvest credentials and escalate privileges.

The group uses Pass-the-Hash attacks to access domain controllers, extracts Active Directory data with FTK Imager, and exfiltrates it using the LimeWire file transfer tool.

Mandiant reports that UNC6692 has evolved its tactics by combining social engineering, custom malware, and rogue browser extensions, while abusing trusted enterprise and cloud platforms to blend into normal traffic and evade detection.

A separate Cato Networks campaign follows the same template, using voice phishing over Teams to trick victims into running an obfuscated PowerShell script that installs a WebSocket trojan called PhantomBackdoor.

Cato’s researchers say defenders should treat collaboration tools as attack surfaces, enforcing helpdesk verification, restricting external Teams access, and strengthening PowerShell security across systems.

Microsoft has confirmed Teams is being abused for helpdesk impersonation, where attackers use cross-tenant features to gain access, deploy encrypted malware, and steal data using tools like Rclone.
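The two-step setup described in this article (an inbound spam flood followed within minutes by a Teams chat from an outside tenant posing as IT support) is a pattern a SOC can correlate from logs it already has. The script below is an added illustration, not code from Mandiant, ReliaQuest, Cato Networks or Microsoft: it reads a simplified, constructed log format in which each line records either an inbound mail event or a Teams message event for a user, and raises an alert when a helpdesk-sounding display name from a foreign tenant messages someone whose inbox received a burst of mail shortly beforehand. The log format, the domain names, the keyword list and the thresholds (25 mails within a two-hour lookback) are all assumptions chosen for the example; tune them to your own telemetry.

```python
"""Correlate inbound-mail bursts with external Teams chats from helpdesk-looking senders.

Added example (not the article's or any vendor's code). The log format below is
constructed for illustration; real deployments would read mail-flow and Teams
audit events from their own SIEM instead.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import re

# Display-name words that make an external sender look like internal IT (assumed list).
HELPDESK_WORDS = re.compile(r"\b(it|helpdesk|help desk|support|service desk)\b", re.I)

# Constructed line format:
#   <iso-ts> mail  user=<recipient> from=<sender>
#   <iso-ts> teams user=<recipient> from=<sender> tenant=<sender tenant> name="<display name>"
LINE_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<kind>mail|teams)\s+user=(?P<user>\S+)\s+from=(?P<sender>\S+)'
    r'(?:\s+tenant=(?P<tenant>\S+))?(?:\s+name="(?P<name>[^"]*)")?$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def find_helpdesk_impersonation(lines, home_tenant, min_mail=25, lookback=timedelta(hours=2)):
    """Return one alert per external, helpdesk-looking Teams chat that follows a mail burst.

    An alert fires when the recipient received at least `min_mail` inbound mails in the
    `lookback` window ending at the chat timestamp and the chat came from a tenant other
    than `home_tenant` with a display name matching HELPDESK_WORDS.
    """
    mail_by_user = defaultdict(list)
    chats = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines rather than crash the correlation
        if ev["kind"] == "mail":
            mail_by_user[ev["user"]].append(ev["ts"])
        else:
            chats.append(ev)

    alerts = []
    for chat in chats:
        if chat["tenant"] == home_tenant:
            continue  # internal colleagues are out of scope for this rule
        if not HELPDESK_WORDS.search(chat["name"] or ""):
            continue
        window_start = chat["ts"] - lookback
        mail_count = sum(1 for t in mail_by_user[chat["user"]] if window_start <= t <= chat["ts"])
        if mail_count >= min_mail:
            alerts.append({
                "user": chat["user"],
                "sender": chat["sender"],
                "sender_tenant": chat["tenant"],
                "display_name": chat["name"],
                "chat_ts": chat["ts"],
                "mail_count": mail_count,
            })
    return alerts


def constructed_sample_log():
    """Build a small constructed log: a 40-mail burst to alice, then three Teams chats."""
    base = datetime(2026, 4, 20, 9, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(40):  # one junk mail every 45 seconds for half an hour
        t = base + timedelta(seconds=45 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%SZ} mail user=alice@corp.example from=promo{i:02d}@junk.example")
    t = base + timedelta(minutes=40)
    # Suspicious: foreign tenant, helpdesk-sounding name, right after the burst.
    lines.append(f'{t:%Y-%m-%dT%H:%M:%SZ} teams user=alice@corp.example '
                 f'from=helpdesk@contoso-it.example tenant=contoso-it.example name="IT Support"')
    # Benign: a colleague in the home tenant.
    lines.append(f'{t:%Y-%m-%dT%H:%M:%SZ} teams user=alice@corp.example '
                 f'from=bob@corp.example tenant=corp.example name="Bob"')
    # Benign: external vendor support, but bob had no mail burst.
    lines.append(f'{t:%Y-%m-%dT%H:%M:%SZ} teams user=bob@corp.example '
                 f'from=support@vendor.example tenant=vendor.example name="Vendor Support"')
    return lines


if __name__ == "__main__":
    for alert in find_helpdesk_impersonation(constructed_sample_log(), "corp.example"):
        print(f"ALERT {alert['user']}: external chat from {alert['sender']} "
              f"({alert['display_name']}) after {alert['mail_count']} inbound mails")
```

On the constructed sample the rule fires exactly once, for the chat from the foreign tenant with the "IT Support" display name; the internal colleague and the vendor chat without a preceding burst are left alone. The rule deliberately requires both signals, since external helpdesk-named accounts and spam bursts each occur legitimately on their own, and it complements rather than replaces the controls the article quotes, namely restricting external Teams access and verifying helpdesk identity out of band.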
