Hackers Impersonate Microsoft Teams to Gain Full Enterprise Access Without Exploits

A newly uncovered cyber-espionage campaign has revealed how attackers are bypassing traditional security defenses not through software vulnerabilities, but by exploiting human trust. A hacking group, tracked as UNC6692, has orchestrated a highly coordinated, multi-stage intrusion campaign leveraging Microsoft Teams, custom malware, and trusted cloud infrastructure to gain deep access into enterprise environments.


Researchers from Google Threat Intelligence Group (GTIG) and Mandiant disclosed the operation on April 22, 2026, highlighting a methodical approach that manipulates employees into granting attackers entry, ultimately leading to full domain compromise.

Social Engineering Over Exploits

Unlike conventional attacks that rely on zero-day vulnerabilities or unpatched systems, UNC6692’s strategy centers on social engineering. In late December 2025, the group initiated a large-scale email bombing campaign, overwhelming employees’ inboxes to create confusion and urgency.

Amid this chaos, attackers reached out via Microsoft Teams, posing as IT helpdesk personnel offering assistance. Victims, already under pressure, accepted chat requests from external accounts—unknowingly opening the door to compromise.

Microsoft confirmed in an April 2026 advisory that the attack abuses legitimate Teams collaboration features. Crucially, users had to override multiple security warnings, underscoring that the breach hinged on user behavior rather than technical flaws.

Multi-Stage Infection Chain

Once communication was established, victims were directed to install a supposed “local patch” to fix email issues. This link led to a phishing page mimicking a tool called Mailbox Repair and Sync Utility v2.1.5, hosted on an attacker-controlled AWS S3 bucket.

The attack unfolded in four distinct phases:

  • Environment Gating: Victims were forced to use Microsoft Edge via a crafted URL scheme, ensuring compatibility with the attack payload.
  • Credential Harvesting: A fake system check prompted login attempts, deliberately rejecting the first two entries to ensure accurate credential capture.
  • Distraction Tactics: A progress bar displayed benign system messages while sensitive data was exfiltrated in the background.
  • Malware Deployment: An AutoHotkey script installed SNOWBELT, a malicious browser extension disguised as a legitimate system component.

The SNOW Malware Ecosystem

UNC6692’s toolkit, dubbed the SNOW ecosystem, consists of three integrated components:

  • SNOWBELT: A browser extension that establishes persistence and communicates with command-and-control (C2) servers using dynamically generated AWS S3 URLs.
  • SNOWGLAZE: A Python-based tunneling tool that routes traffic through the victim’s system via a SOCKS proxy, masking malicious activity as legitimate web traffic.
  • SNOWBASIN: A local HTTP server that executes commands, captures screenshots, and exfiltrates data.

This modular architecture enables attackers to maintain stealth while expanding control across the network.

Escalation to Full Domain Compromise

After initial access, attackers scanned the internal network and used tools like PsExec to move laterally. They eventually accessed a backup server, where they extracted credentials by dumping LSASS process memory.

Using Pass-the-Hash techniques, UNC6692 authenticated to domain controllers without needing plaintext passwords. They then deployed forensic tools to extract critical data, including:

  • Active Directory database (NTDS.dit)
  • SAM, SYSTEM, and SECURITY registry hives

These assets—often referred to as the “crown jewels” of Windows environments—were exfiltrated using cloud-based tools, blending seamlessly with normal traffic.

Living Off the Cloud

A defining feature of this campaign is its reliance on trusted cloud platforms such as AWS S3 and Heroku for every stage of the attack, from payload delivery to data exfiltration.

This “living off the cloud” approach allows malicious activity to blend into legitimate, encrypted traffic, rendering traditional defenses like IP blocklists and domain reputation filtering largely ineffective.

Defensive Recommendations

To mitigate such threats, organizations must shift their security posture:

  • Monitor browser extensions and headless browser activity
  • Track outbound traffic to cloud services
  • Restrict or audit Microsoft Teams external communication settings
  • Train employees to recognize and question unsolicited IT support interactions

Ultimately, this campaign reinforces a critical reality: the most vulnerable point in enterprise security is often the human element.

Indicators of Compromise (IOCs)

  • Phishing URL Pattern:
    https://service-page-[ID]-outlook.s3.us-west-2.amazonaws.com/update.html?email=
  • C2 Server:
    wss://sad4w7h913-b4a57f9c36eb[.]herokuapp[.]com:443/ws
  • SNOWBELT C2 Pattern:
    https://[a-f0-9]{24}-[0-9]{6,7}-[0-9]{1}.s3.us-east-2.amazonaws[.]com
  • VAPID Key:
    BJkWCT45mL0uvV3AssRaq9Gn7iE2N7Lx38ZmWDFCjwhz0zv0QSVhKuZBLTTgAijB12cgzMzqyiJZr5tokRzSJu0
  • Masquerading Files:
    RegSrvc.exe, Protected.ahk, SysEvents
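To show how the "track outbound traffic to cloud services" recommendation and the IOC patterns above can be turned into a concrete detection, here is an added example (not code from the article, GTIG or Mandiant) that matches the published URL patterns against constructed proxy log lines. The `[ID]` placeholder in the phishing URL is assumed to be any dot-free label, and the defanged `[.]` in the article's indicators is restored to a real dot.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Host patterns derived from the article's IOC section. The "[ID]" segment of the
# phishing bucket is an assumption (any characters except a dot).
PHISH_HOST_RE = re.compile(r"^service-page-[^.]+-outlook\.s3\.us-west-2\.amazonaws\.com$")
SNOWBELT_HOST_RE = re.compile(r"^[a-f0-9]{24}-[0-9]{6,7}-[0-9]\.s3\.us-east-2\.amazonaws\.com$")
HEROKU_C2_HOST = "sad4w7h913-b4a57f9c36eb.herokuapp.com"  # defanging removed


def classify_url(url: str) -> Optional[str]:
    """Return an alert label if the URL matches a campaign IOC pattern, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if PHISH_HOST_RE.match(host) and parts.path.endswith("/update.html") \
            and parts.query.startswith("email="):
        return "UNC6692 phishing page (Mailbox Repair lure)"
    if SNOWBELT_HOST_RE.match(host):
        return "SNOWBELT C2 bucket pattern"
    if parts.scheme == "wss" and host == HEROKU_C2_HOST and parts.path == "/ws":
        return "Heroku WebSocket C2"
    return None


def scan_proxy_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Scan lines of the form '<timestamp> <source_ip> <url>'; return (ts, ip, label) hits."""
    hits = []
    for line in lines:
        fields = line.split(maxsplit=2)
        if len(fields) != 3:
            continue  # skip malformed records rather than failing the whole scan
        ts, src_ip, url = fields
        label = classify_url(url)
        if label:
            hits.append((ts, src_ip, label))
    return hits


# Constructed sample proxy log (not real telemetry); bucket names and IP are made up.
SAMPLE_LOG = [
    "2025-12-29T09:14:02Z 10.1.4.23 https://service-page-7f3a91-outlook.s3.us-west-2.amazonaws.com/update.html?email=j.doe%40example.com",
    "2025-12-29T09:14:05Z 10.1.4.23 https://login.microsoftonline.com/common/oauth2/authorize",
    "2025-12-29T09:20:41Z 10.1.4.23 https://0123456789abcdef01234567-1234567-3.s3.us-east-2.amazonaws.com/",
    "2025-12-29T09:21:10Z 10.1.4.23 wss://sad4w7h913-b4a57f9c36eb.herokuapp.com:443/ws",
    "2025-12-29T09:25:00Z 10.1.4.88 https://example-bucket.s3.us-east-2.amazonaws.com/report.pdf",
]

if __name__ == "__main__":
    for ts, ip, label in scan_proxy_log(SAMPLE_LOG):
        print(f"{ts} {ip} ALERT: {label}")
```

Because the S3 and Heroku hosts are otherwise legitimate services, the value of this check is the bucket-name structure, not the domain; a reputation filter on `amazonaws.com` alone would not distinguish these requests.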

As UNC6692 demonstrates, modern cyberattacks increasingly rely on deception over exploitation. In an environment where tools like Microsoft Teams are integral to daily operations, vigilance and user awareness are as critical as any technical defense.


Onsa Mustafa

Onsa is a Software Engineer and a tech blogger who focuses on providing the latest information regarding the innovations happening in the IT world. She likes reading, photography, travelling and exploring nature.
