
A newly identified threat cluster known as UNC6692 has been observed conducting sophisticated cyberattacks by impersonating IT helpdesk staff through Microsoft Teams, highlighting a growing trend of exploiting workplace communication tools for initial access. The campaign relies heavily on social engineering tactics to trick employees into trusting malicious interactions.
The attackers initiate contact by sending Microsoft Teams messages from external accounts, posing as internal IT support personnel. Victims are convinced to accept chat requests and follow instructions, often under the pretext of resolving technical issues such as spam or system errors. This method allows attackers to bypass traditional email security controls and directly engage employees in real time.
A key tactic used in the campaign involves overwhelming targets with spam emails to create urgency and confusion. Once the victim seeks help, the attacker—posing as IT staff—provides a phishing link or instructs them to install a supposed fix. In many cases, this leads to the download of malicious files, including AutoHotkey scripts hosted on attacker-controlled infrastructure.
The malware deployed in these attacks, referred to as SNOW, enables threat actors to gain persistent access to compromised systems. From there, they can carry out a range of malicious activities, including credential theft, lateral movement within networks, data exfiltration, and potential ransomware deployment. This makes the campaign particularly dangerous for enterprise environments.
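The three stages described above (a burst of inbound spam, an external Teams chat from a sender posing as IT, and then AutoHotkey execution on the endpoint) can be correlated per user as a detection. The following is an added example written for this page, not code from the original article or from the researchers who track UNC6692; the event tuples, the sliding-window thresholds, and the simplified field layout are constructed for the example and would need to be mapped onto your own mail-flow, Teams audit and EDR telemetry.

```python
"""Correlate spam burst -> external Teams chat -> AutoHotkey execution per user.
All events below are constructed sample data with a simplified schema assumed
for this example; the thresholds are assumptions to tune against your own baseline."""
from collections import defaultdict
from datetime import datetime, timedelta


def ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


INTERNAL_DOMAIN = "corp.example"           # assumption: the defended tenant's domain
SPAM_THRESHOLD = 40                        # messages to one mailbox ...
SPAM_WINDOW = timedelta(minutes=10)        # ... within this sliding window count as a burst
FOLLOW_UP_WINDOW = timedelta(hours=2)      # how long after the burst to look for later stages

# Constructed mail log: (delivery time, recipient). Alice gets 50 messages in 5 minutes,
# Bob gets a normal trickle.
MAIL_EVENTS = [(ts("2026-03-12 09:00") + timedelta(seconds=6 * i), "alice@corp.example")
               for i in range(50)]
MAIL_EVENTS += [(ts("2026-03-12 09:00") + timedelta(minutes=20 * i), "bob@corp.example")
                for i in range(3)]

# Constructed Teams chat-creation events: (time, recipient, sender UPN).
TEAMS_EVENTS = [
    (ts("2026-03-12 09:20"), "alice@corp.example", "it-support@helpdesk-example.test"),
    (ts("2026-03-12 10:05"), "bob@corp.example", "dana@corp.example"),
]

# Constructed endpoint process events: (time, user, image name, command line).
PROCESS_EVENTS = [
    (ts("2026-03-12 09:35"), "alice@corp.example", "AutoHotkey.exe",
     "AutoHotkey.exe C:\\Users\\alice\\Downloads\\fix.ahk"),
    (ts("2026-03-12 10:10"), "bob@corp.example", "excel.exe", "excel.exe report.xlsx"),
]


def spam_bursts(mail_events, threshold=SPAM_THRESHOLD, window=SPAM_WINDOW):
    """Return {recipient: start time of the first burst} using a sliding window."""
    by_user = defaultdict(list)
    for when, rcpt in mail_events:
        by_user[rcpt].append(when)
    bursts = {}
    for rcpt, times in by_user.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                bursts[rcpt] = times[start]
                break
    return bursts


def external_chats(teams_events, internal_domain=INTERNAL_DOMAIN):
    """Chats opened by a sender whose domain is outside the tenant."""
    return [(when, rcpt, sender) for when, rcpt, sender in teams_events
            if sender.split("@")[-1].lower() != internal_domain]


def ahk_executions(process_events):
    """Process starts of the AutoHotkey interpreter, regardless of script path."""
    return [(when, user, cmd) for when, user, image, cmd in process_events
            if image.lower() == "autohotkey.exe"]


def correlate(mail_events, teams_events, process_events):
    """One alert per user who saw a spam burst followed by an external Teams chat;
    severity is raised when AutoHotkey also ran inside the follow-up window."""
    alerts = []
    for rcpt, t0 in spam_bursts(mail_events).items():
        horizon = t0 + FOLLOW_UP_WINDOW
        chats = [c for c in external_chats(teams_events)
                 if c[1] == rcpt and t0 <= c[0] <= horizon]
        if not chats:
            continue  # a spam burst alone is noisy; require the Teams contact too
        ahk = [p for p in ahk_executions(process_events)
               if p[1] == rcpt and t0 <= p[0] <= horizon]
        stages = ["spam_burst", "external_teams_chat"] + (["autohotkey_execution"] if ahk else [])
        alerts.append({
            "user": rcpt,
            "burst_start": t0,
            "external_senders": sorted({c[2] for c in chats}),
            "stages": stages,
            "severity": "high" if ahk else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(MAIL_EVENTS, TEAMS_EVENTS, PROCESS_EVENTS):
        print(alert)
```

Requiring both the spam burst and the external chat before alerting keeps ordinary bulk-mail days and legitimate partner chats out of the queue; the AutoHotkey stage only raises severity, so the alert still fires while the victim is on the call and before anything has been installed, which is the window in which a helpdesk callback to a known-good number can stop the intrusion.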
Research indicates that the attacks are increasingly targeting senior-level employees, who often have broader access to sensitive systems and data. Between March 1 and April 1, 2026, around 77% of observed incidents were directed at executives and high-level staff, showing a deliberate focus on high-value targets.
The campaign underscores a broader shift in cyberattack strategies, where threat actors are leveraging trusted collaboration platforms like Microsoft Teams to bypass traditional defenses. As organizations adopt more digital communication tools, attackers are adapting their tactics to exploit human trust and real-time interactions, making security awareness and verification processes more critical than ever.




