
UNC6692 Exploits Default Microsoft Teams Settings to Target Senior Staff with SNOW Malware Suite

UNC6692 leverages default Microsoft Teams settings and social engineering to deploy the sophisticated SNOW malware suite, primarily targeting senior corporate employees.

By Peter Olaleru, Cybersecurity Editor

Source: The Hacker News

UNC6692 exploits default Microsoft Teams settings to launch sophisticated social engineering attacks. This threat actor targets senior staff, deploying the multi-component SNOW malware suite for network infiltration and persistent access.

A new threat cluster, UNC6692, is exploiting default Microsoft Teams settings to target senior-level employees with a multi-component malware suite named SNOW. The group leverages the platform's default configuration, which permits external messages from any domain, creating a direct pathway for initial contact. This activity has been observed since late December 2025.

The attack begins with an email bombing campaign, overwhelming inboxes and creating distraction. Subsequently, an external account contacts the victim via Microsoft Teams, impersonating IT support. The threat actor directs individuals to a fraudulent "Mailbox Repair Utility" website designed to harvest credentials. This site often rejects initial password attempts, a tactic to convince users of its legitimacy and capture correct login details.

Following credential theft, UNC6692 deploys its SNOW malware suite. This includes SnowBelt, a JavaScript-based browser extension that functions as a backdoor; SnowGlaze, a Python-based WebSocket tunneler for secure, authenticated network access; and SnowBasin, a persistent backdoor enabling remote command execution and data exfiltration.

UNC6692 has increasingly focused on high-value targets. Data from March to April 2026 shows 77% of observed incidents targeted senior-level employees, a significant increase from 59% earlier in the year. Post-compromise activities involve internal network reconnaissance, extracting sensitive data such as LSASS memory (the Windows process that holds account credentials), and employing pass-the-hash techniques to compromise domain controllers.

This campaign highlights how threat actors weaponize common communication platforms and their default configurations. Targeting senior staff with administrative access elevates the potential impact of a breach. The use of legitimate cloud services, such as AWS S3 for command and control, further helps these attacks evade traditional security filters.

What Defenders Should Do

Organizations must immediately review and modify default Microsoft Teams settings to restrict external messaging to only approved domains. Implement mandatory, ongoing security awareness training that specifically covers social engineering tactics delivered via collaboration platforms. Deploy robust Endpoint Detection and Response (EDR) solutions to detect suspicious browser extensions, unauthorized PowerShell activity, and attempts to access LSASS memory. Enforce multi-factor authentication (MFA) across all accounts, especially for privileged users.
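The following is an added example, not taken from the article or from any vendor guidance, showing how a Teams administrator would inspect the permissive default the article describes and replace it with an allow list using the MicrosoftTeams PowerShell module. The partner domain names are placeholders; the tenant must be signed in with a Teams administrator role.

```powershell
# Added example (not from the article): inspect the tenant-wide Teams external
# access configuration and replace the permissive default with an allow list.
# Requires the MicrosoftTeams PowerShell module and a Teams administrator role.
# Domain names below are placeholders; substitute your approved partner domains.
Connect-MicrosoftTeams

# 1. Record the current state. On an untouched tenant AllowFederatedUsers is
#    True and AllowedDomains reports AllowAllKnownDomains, meaning any external
#    Microsoft 365 tenant can message your users. That is the default the
#    article says UNC6692 relies on for its initial "IT support" contact.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowedDomains, BlockedDomains,
    AllowTeamsConsumer, AllowTeamsConsumerInbound | Format-List

# 2. Restrict external messaging to an explicit allow list of domains.
#    Keeping AllowFederatedUsers enabled with a non-empty allow list means
#    only the listed tenants can chat with your users; all others are denied.
$approvedDomains = @(
    "partner-one.example",   # placeholder
    "partner-two.example"    # placeholder
)
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $approvedDomains

# 3. Also close the consumer (personal Teams account) path, which the tenant
#    allow list does not cover and which is another external-contact route.
Set-CsTenantFederationConfiguration `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false

# 4. Verify. AllowedDomains should now list only the approved domains; if it
#    still reports AllowAllKnownDomains, the change did not apply.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowedDomains, AllowTeamsConsumer |
    Format-List
```

The tenant-wide setting can take some time to propagate, and per-user external access policies can still differ from it, so verify both before relying on the change.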

Defenders should remain vigilant for evolving social engineering tactics that exploit widely used communication tools, as threat actors will continue adapting their initial access methods.
