Hackers Are Now Using Microsoft Teams to Breach Company Networks Without Using Any Exploits

Detailed Report
A newly identified threat group, UNC6692, has been caught running a sophisticated cyberattack campaign that uses Microsoft Teams impersonation, fake IT support messages, custom malware, and cloud services to break into enterprise networks.
The campaign was disclosed by Google Threat Intelligence Group and Mandiant on April 22, 2026. According to researchers, the attackers did not exploit any software vulnerability. Instead, they manipulated employees into trusting normal workplace tools.
The attack started in late December 2025 with email bombing. Victims’ inboxes were flooded with emails to create confusion and urgency.
Once employees were distracted, the attackers contacted them on Microsoft Teams while pretending to be IT helpdesk staff. They claimed they could help stop the email spam.
Microsoft said the campaign abused legitimate Teams external collaboration features. Victims were convinced to accept chat requests from outside their organization and ignore visible security warnings.
After gaining trust, the attackers sent a link to install a fake “local patch.” The link opened a phishing page hosted on an attacker-controlled AWS S3 bucket. The page pretended to be a “Mailbox Repair and Sync Utility v2.1.5.”
The fake page checked the victim’s environment, forced the use of Microsoft Edge, and displayed a fake health check. It rejected the first two password attempts on purpose to make sure the attackers captured the correct credentials.
A fake progress bar then showed messages such as “Parsing configuration data” and “Checking mailbox integrity” while data was stolen in the background.
The attackers also downloaded and executed an AutoHotkey binary and script from AWS S3. This installed SNOWBELT, a malicious Chromium browser extension disguised as “MS Heartbeat” or “System Heartbeat.”
UNC6692 used a malware framework called SNOW. It included SNOWBELT for initial access, SNOWGLAZE for tunneling traffic through the victim’s system, and SNOWBASIN for running commands, taking screenshots, and stealing files.
SNOWBELT stayed active through a Windows Startup shortcut, two scheduled tasks, and a hidden Microsoft Edge process. SNOWGLAZE made malicious traffic look like normal encrypted web traffic by using Base64-encoded JSON over WebSockets.
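The tunnel framing described above, Base64-wrapped JSON riding inside ordinary WebSocket text frames, is the kind of thing a proxy or network sensor can at least enrich on. The following is an added example, not code from the original report or from the researchers: a strict two-layer decoder (valid Base64, then a JSON object) applied to constructed WebSocket frame records. The frames, endpoints (documentation address ranges) and message contents are constructed and are not the real SNOWGLAZE protocol; the capture field names are an assumption.

```python
"""Heuristic for the SNOWGLAZE-style framing described above: WebSocket text
frames whose payload is Base64 that decodes to a JSON object.
Added example; the frame records and payloads are constructed, not real
SNOWGLAZE traffic, and the field names are an assumed capture format."""
import base64
import binascii
import json
import re

# Strict standard Base64 alphabet with optional padding; the whole frame must match.
B64_RE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def decode_b64_json(payload: str):
    """Return the JSON object carried in a Base64 text payload, or None.

    Both layers are checked strictly: invalid Base64 (bad alphabet or padding)
    and decoded bytes that are not a JSON object both yield None.
    """
    if len(payload) < 8 or not B64_RE.fullmatch(payload):
        return None
    try:
        raw = base64.b64decode(payload, validate=True)
        obj = json.loads(raw.decode("utf-8"))
    except (binascii.Error, UnicodeDecodeError, json.JSONDecodeError):
        return None
    return obj if isinstance(obj, dict) else None


def _wrap(obj) -> str:
    """Constructed helper: build the Base64-over-JSON shape for the samples."""
    return base64.b64encode(json.dumps(obj).encode("utf-8")).decode("ascii")


# Constructed WebSocket frames (addresses from documentation ranges).
SAMPLE_FRAMES = [
    {"src": "10.0.5.12", "dst": "203.0.113.10", "opcode": "text",
     "payload": _wrap({"type": "connect", "host": "BACKUP-01", "port": 3389})},
    {"src": "10.0.5.12", "dst": "203.0.113.10", "opcode": "binary",
     "payload": _wrap({"type": "data"})},          # binary frames are not inspected here
    {"src": "10.0.5.30", "dst": "198.51.100.7", "opcode": "text",
     "payload": "{\"event\": \"typing\"}"},        # plain JSON, not Base64-wrapped
    {"src": "10.0.5.30", "dst": "198.51.100.7", "opcode": "text",
     "payload": "aGVsbG8gd29ybGQ="},               # Base64 of plain text, not JSON
]


def scan_frames(frames):
    """Return one hit per text frame carrying Base64-wrapped JSON.

    Each hit records the endpoints and the top-level keys, which is what an
    analyst needs to tell a tunnel control message from application chatter.
    """
    hits = []
    for fr in frames:
        if fr.get("opcode") != "text":
            continue
        obj = decode_b64_json(fr["payload"])
        if obj is not None:
            hits.append({"src": fr["src"], "dst": fr["dst"], "keys": sorted(obj)})
    return hits


if __name__ == "__main__":
    for hit in scan_frames(SAMPLE_FRAMES):
        print(hit)
```

Plenty of legitimate applications also ship Base64-wrapped JSON over WebSockets, so this is an enrichment to correlate with destination reputation and the host-side signals (new extension, hidden browser process), not an alert on its own.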
After gaining access, the attackers scanned the network for open ports 135, 445, and 3389. They used PsExec through the SNOWGLAZE tunnel, found local administrator accounts, and opened an RDP session to a backup server.
On the backup server, they used Windows Task Manager to dump LSASS memory and steal password hashes. The dump was exfiltrated through LimeWire.
The attackers then used Pass-the-Hash to access domain controllers without needing plaintext passwords. They downloaded FTK Imager and extracted NTDS.dit, SAM, SYSTEM, and SECURITY registry hives.
These files were also exfiltrated through LimeWire. EDR telemetry showed the attackers taking screenshots of FTK Imager and Edge windows, confirming the operation was completed.
A major feature of this campaign is the use of trusted cloud platforms such as AWS S3 and Heroku for payload delivery, credential theft, command-and-control, and data staging.
This allows malicious traffic to blend into normal encrypted cloud traffic, making domain filters and IP blocklists less effective.
Organizations are advised to monitor browser extensions, unusual outbound cloud traffic, and headless browser processes. They should also restrict or closely monitor Microsoft Teams external access to stop unknown tenants from directly messaging employees.
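The monitoring advice above, together with the persistence (Startup shortcut, scheduled tasks, hidden Edge process), the AutoHotkey stage, the PsExec hop and the Task Manager LSASS dump described earlier, maps to a small set of host-side detection rules. The following is an added example, not code from the original report or from Google/Mandiant: the rules are evaluated over constructed EDR process-creation events and the hits are correlated per host, since several distinct rules firing on one machine is what separates this chain from a single false positive. The hostnames, users, paths and event field names are constructed assumptions; `--headless` and `--load-extension` are real Chromium command-line flags, while the "Heartbeat" task name is assumed from the extension names the report gives.

```python
"""Host-side detection rules for the persistence and lateral-movement steps
described above, evaluated over constructed EDR process-creation events.
Added example; the events, hostnames and paths are constructed and the event
field names are an assumption about the EDR's export format."""
import ntpath
import re

# Locations a standard user can write to; binaries launched from here deserve scrutiny.
USER_WRITABLE_RE = re.compile(r"\\(Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.I)


def _image_name(ev):
    return ntpath.basename(ev["image"]).lower()


def rule_headless_edge(ev):
    """Edge started with the Chromium --headless flag (a browser with no window)."""
    return _image_name(ev) == "msedge.exe" and "--headless" in ev["cmdline"].lower()


def rule_sideloaded_extension(ev):
    """Edge told to load an unpacked extension from disk via --load-extension."""
    return _image_name(ev) == "msedge.exe" and "--load-extension" in ev["cmdline"].lower()


def rule_autohotkey_user_path(ev):
    """AutoHotkey interpreter running from a user-writable location."""
    return _image_name(ev).startswith("autohotkey") and USER_WRITABLE_RE.search(ev["image"]) is not None


def rule_heartbeat_task(ev):
    """schtasks creating a task named after the extension ('Heartbeat' is an assumed name)."""
    c = ev["cmdline"].lower()
    return _image_name(ev) == "schtasks.exe" and "/create" in c and "heartbeat" in c


def rule_psexec_service(ev):
    """PSEXESVC service binary started by services.exe: a PsExec session landed here."""
    return _image_name(ev) == "psexesvc.exe" and ev["parent"].lower() == "services.exe"


def rule_lsass_dump(ev):
    """Task Manager writing a file whose name references lsass (a process memory dump)."""
    return _image_name(ev) == "taskmgr.exe" and "lsass" in ev.get("file_write", "").lower()


RULES = [rule_headless_edge, rule_sideloaded_extension, rule_autohotkey_user_path,
         rule_heartbeat_task, rule_psexec_service, rule_lsass_dump]

# Constructed events: one workstation running the SNOWBELT install chain, one backup
# server seeing the PsExec hop and the LSASS dump, and one benign Edge launch.
SAMPLE_EVENTS = [
    {"host": "WS-042", "user": "j.doe", "parent": "msedge.exe",
     "image": r"C:\Users\j.doe\AppData\Local\Temp\AutoHotkey64.exe",
     "cmdline": r"AutoHotkey64.exe C:\Users\j.doe\AppData\Local\Temp\sync.ahk"},
    {"host": "WS-042", "user": "j.doe", "parent": "AutoHotkey64.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r'msedge.exe --headless --load-extension="C:\Users\j.doe\AppData\Roaming\heartbeat"'},
    {"host": "WS-042", "user": "j.doe", "parent": "AutoHotkey64.exe",
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /Create /TN "System Heartbeat" /TR "C:\Users\j.doe\AppData\Roaming\run.cmd" /SC ONLOGON'},
    {"host": "BACKUP-01", "user": "svc_backup", "parent": "services.exe",
     "image": r"C:\Windows\PSEXESVC.exe", "cmdline": "PSEXESVC.exe"},
    {"host": "BACKUP-01", "user": "localadmin", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\taskmgr.exe", "cmdline": "taskmgr.exe",
     "file_write": r"C:\Users\localadmin\AppData\Local\Temp\lsass.DMP"},
    {"host": "WS-007", "user": "a.smith", "parent": "explorer.exe",
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": "msedge.exe https://intranet.example"},
]


def evaluate(events):
    """Return one hit per (event, rule) pair that fires."""
    hits = []
    for ev in events:
        for rule in RULES:
            if rule(ev):
                hits.append({"host": ev["host"], "user": ev["user"], "rule": rule.__name__})
    return hits


def hosts_by_rule_count(hits):
    """Number of distinct rules fired per host; the correlation signal to triage first."""
    seen = {}
    for h in hits:
        seen.setdefault(h["host"], set()).add(h["rule"])
    return {host: len(rules) for host, rules in seen.items()}


if __name__ == "__main__":
    all_hits = evaluate(SAMPLE_EVENTS)
    for h in all_hits:
        print(h)
    print(hosts_by_rule_count(all_hits))
```

The rules are deliberately narrow and keyed to the tradecraft the report describes; in a real deployment the Edge and AutoHotkey rules would be baselined against the estate (some administrators do run headless browsers and AutoHotkey legitimately), and the Startup-folder shortcut would be covered by a file-creation rule on the per-user Startup directory, which this process-event sample does not carry.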
The UNC6692 campaign shows that attackers do not always need a software flaw. Sometimes, one trusted Teams message is enough.