Threat Actor UNC6692 Uses Email Bombing and Teams Chats for Sophisticated Social Engineering Attacks

Hackers Impersonate IT on Microsoft Teams to Deploy 'SNOW' Malware

HIGH
April 27, 2026
5m read
Threat Actor, Malware, Phishing

Related Entities

Threat Actors: UNC6692
Organizations: Google Mandiant
Products & Tech: Microsoft Teams, AutoHotkey
Other: SNOW, SNOWBELT, SNOWGLAZE, SNOWBASIN

Full Report

Executive Summary

A newly discovered threat actor, tracked by Mandiant as UNC6692, is pioneering a highly effective social engineering attack that weaponizes Microsoft Teams. The campaign begins with a clever distraction: the attacker initiates an 'email bomb,' flooding the target's inbox with thousands of spam messages. Amid this confusion, UNC6692 sends a Teams chat request from an external account, posing as an IT help desk technician offering assistance. This ruse is used to guide the victim to a credential phishing site. Upon capturing credentials, the attack chain deploys a custom malware suite known as the SNOW ecosystem. This modular malware provides the attackers with a persistent backdoor, data exfiltration capabilities, and tools for lateral movement, ultimately leading to the compromise of domain controllers.

Threat Overview

The attack, observed since late 2025, demonstrates a deep understanding of corporate workflows and user psychology. It subverts the trust employees place in both their IT department and internal collaboration tools like Teams.

Attack Chain:

  1. Distraction: The target is subjected to an email bombing campaign (T1499.003 - Endpoint Denial of Service: Application Exhaustion Flood), creating a sense of urgency and a plausible reason for IT to reach out.
  2. Impersonation & Lure: The attacker, posing as IT support, contacts the victim via a Teams chat invitation (T1566.002 - Phishing: Spearphishing Link). This is a novel vector that bypasses traditional email security gateways.
  3. Phishing: The victim is directed to a phishing page disguised as a 'Mailbox Repair Utility' to enter their credentials. The page is designed to appear legitimate by rejecting initial login attempts.
  4. Initial Execution: After 'successful' login, a script downloads and executes an AutoHotkey binary, which acts as a loader for the main malware payload (T1204.002 - User Execution: Malicious File).

Technical Analysis

The SNOW malware ecosystem is a custom-built, modular toolkit:

  • SNOWBELT: The core component is a malicious JavaScript-based browser extension for Chromium browsers. It functions as the primary backdoor, enabling the attackers to monitor browsing activity and inject malicious scripts. Persistence is achieved via a scheduled task that loads the extension in a headless Microsoft Edge process (T1176 - Browser Extensions).
  • SNOWGLAZE: A Python-based tunneler used for command-and-control (C2) communications. It likely creates an encrypted tunnel to the attacker's infrastructure, allowing them to relay commands and exfiltrate data stealthily (T1572 - Protocol Tunneling).
  • SNOWBASIN: A persistent backdoor that runs as a local HTTP server. It can receive commands from the C2 to execute shell commands, capture screenshots, and harvest data from the compromised host.

Post-compromise, UNC6692 has been observed performing credential dumping from the LSASS process (T1003.001 - OS Credential Dumping: LSASS Memory) and moving laterally to domain controllers.

Impact Assessment

This campaign is highly dangerous due to its sophisticated blend of social engineering and custom malware. By targeting senior-level employees, UNC6692 aims to gain access to the most sensitive corporate data and privileged systems. A successful attack can lead to a full domain compromise, widespread data breach, and potential deployment of ransomware. The use of Microsoft Teams as an initial contact vector is particularly alarming, as many organizations have not yet developed robust security policies and detection mechanisms for this type of threat.

IOCs — Directly from Articles

No specific technical indicators of compromise were mentioned in the source articles.

Cyber Observables — Hunting Hints

Security teams should hunt for the following patterns:

  • Log Source: Microsoft Teams Audit Logs. Monitor for chat invitations and messages from external or newly created accounts, especially when directed at senior employees.
  • Process Name: msedge.exe. Hunt for instances of msedge.exe running with the --headless or --no-startup-window flags, which could indicate a malicious extension being loaded for persistence.
  • File Path: *\AppData\Local\Microsoft\Edge\User Data\*\Extensions. Monitor for the creation of new, unauthorized browser extension folders, especially those containing suspicious JavaScript files.
  • Command Line Pattern: AutoHotkey.exe *.ahk. The execution of AutoHotkey with a script file is a strong indicator of this attack chain.

Detection & Response

  • Monitor Teams Activity: Configure SIEM and SOAR platforms to ingest and analyze Microsoft Teams audit logs. Create alerts for users accepting chat requests from external tenants, especially if the communication is followed by suspicious endpoint activity.
  • Browser Extension Auditing: Use EDR tools or scripts to inventory all installed browser extensions across the enterprise. Compare the inventory against a list of approved extensions and investigate any anomalies. D3FEND's System File Analysis (D3-SFA) can be applied to browser extension directories.
  • Endpoint Behavior Analysis: EDR rules should be in place to detect the SNOW persistence mechanism: a scheduled task launching a headless browser process. Also, monitor for LSASS memory access from non-standard processes.
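As an added illustration (not code from the report or from Mandiant), the following Python triage script applies the hunting hints above and the endpoint rules in this section to Sysmon-style process-creation events. The events, paths and user names are constructed; the svchost.exe parent check (the Task Scheduler service runs inside svchost.exe) and the rule names are assumptions of this example.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (Sysmon Event ID 1 style).
# None of these paths, users or values come from the report.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless '
                    r'--load-extension="C:\Users\jdoe\AppData\Local\Microsoft\Edge\User Data\Default\Extensions\ext1"',
     "ParentImage": r"C:\Windows\System32\svchost.exe"},          # scheduled-task style launch
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" https://intranet.example',
     "ParentImage": r"C:\Windows\explorer.exe"},                   # normal interactive browsing
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\AutoHotkey.exe",
     "CommandLine": r"AutoHotkey.exe C:\Users\jdoe\AppData\Local\Temp\repair.ahk",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe notes.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

HEADLESS_FLAGS = ("--headless", "--no-startup-window")
# Matches the Edge extension directory pattern from the hunting hints.
EDGE_EXT_DIR = re.compile(r"\\AppData\\Local\\Microsoft\\Edge\\User Data\\[^\\]+\\Extensions\\", re.I)


def match_event(ev: dict) -> list:
    """Return the names of the hunting rules an event triggers (empty list if none)."""
    image = PureWindowsPath(ev["Image"]).name.lower()
    parent = PureWindowsPath(ev["ParentImage"]).name.lower()
    cmd = ev["CommandLine"]
    hits = []
    if image == "msedge.exe" and any(flag in cmd.lower() for flag in HEADLESS_FLAGS):
        hits.append("edge_headless")
        # Assumption: a headless Edge whose parent is svchost.exe was started by a scheduled task.
        if parent == "svchost.exe":
            hits.append("edge_headless_from_task_scheduler")
    if EDGE_EXT_DIR.search(cmd):
        hits.append("edge_extension_path_on_cmdline")
    # Covers AutoHotkey.exe, AutoHotkeyU64.exe, etc. given a .ahk script argument.
    if image.startswith("autohotkey") and re.search(r"\.ahk\b", cmd, re.I):
        hits.append("autohotkey_script")
    return hits


def hunt(events) -> list:
    """Return (event_index, rule_names) for every event that triggers at least one rule."""
    results = []
    for idx, ev in enumerate(events):
        hits = match_event(ev)
        if hits:
            results.append((idx, hits))
    return results
```

Run against real Sysmon or EDR exports, the same three rules can be expressed as SIEM queries; the event with both a headless flag and an extension path on the command line is the one that deserves first triage.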

Mitigation

  • Restrict Teams Communication: Where possible, configure Microsoft Teams policies to block or warn users about chat requests from external tenants. If external communication is required, limit it to specific, trusted domains.
  • User Training: Educate users on this specific TTP. Teach them to be suspicious of any unsolicited contact from 'IT support' via chat, especially from external accounts. All verification should be done through established, out-of-band channels.
  • Application Control: Implement application whitelisting to prevent the execution of unauthorized software like AutoHotkey. This is a powerful mitigation that aligns with D3FEND's Executable Allowlisting (D3-EAL).
  • Credential Guard: On Windows 10/11 Enterprise, enable Credential Guard. This uses virtualization-based security to isolate the LSASS process, making it significantly harder for attackers to dump credentials from memory.

Timeline of Events

April 27, 2026: This article was published.

MITRE ATT&CK Mitigations

  • Educate users about novel social engineering tactics, including the abuse of collaboration platforms like Microsoft Teams.
  • Use application control to prevent the execution of unauthorized scripting tools like AutoHotkey.
  • Audit (M1047, enterprise): Ingest and monitor audit logs from collaboration platforms to detect suspicious external communications.
  • Enable features like Windows Credential Guard to protect the LSASS process from credential dumping attempts.

Article Author

Jason Gomes


Tags

UNC6692, SNOW malware, Microsoft Teams, Social Engineering, Phishing, Mandiant, AutoHotkey, Browser Extension
