Microsoft Teams, the corporate communications platform trusted by millions of employees to coordinate meetings, solve technical issues, and exchange internal updates, has become the latest weapon in a remarkably sophisticated cybercrime campaign that security researchers say is spreading across global enterprises with alarming precision.
A newly tracked threat group known as UNC6692 is impersonating internal IT helpdesk employees through Microsoft Teams chats, manipulating overwhelmed staff into installing malicious files that silently open the gates to deep network compromise. The campaign does not rely on a software vulnerability, a zero-day exploit, or a ransomware payload dropped through brute force. Instead, it exploits something far more dangerous: human trust.
According to the Google Threat Intelligence Group report, the attackers begin with a coordinated email bombing campaign, flooding the victim’s inbox with a torrent of spam messages to create panic, confusion, and urgency. Once the employee is distracted by the flood of unwanted emails, the attacker appears through Microsoft Teams, posing as an IT support employee offering immediate assistance.
The victim is asked to accept a Teams chat invitation from an external account, often believing it to be legitimate internal support. That single decision becomes the opening move in a far larger intrusion chain and reflects the growing scale of phishing attacks across enterprise communication systems.
From there, the attacker sends a phishing link disguised as a solution to the spam problem. The landing page masquerades as a “Mailbox Repair and Sync Utility v2.1.5” and claims to offer a local patch to stop the inbox attack. In reality, clicking the link triggers the download of a renamed AutoHotkey binary and script from an attacker-controlled AWS S3 bucket, immediately initiating the first stage of malware execution, a pattern increasingly seen in modern ransomware attacks.
What follows is the deployment of the custom “SNOW” malware suite, a modular toolkit designed for stealth, persistence, credential theft, and full-scale domain compromise.
Researchers identified several components inside the malware family, including SNOWBELT, a malicious Chromium browser extension used for persistence and browser-based surveillance; SNOWGLAZE, a Python-based tunneling utility that establishes encrypted WebSocket command-and-control channels; and SNOWBASIN, a local HTTP backdoor that facilitates data staging and exfiltration. Together, the malware enables attackers to move laterally across enterprise environments, dump credentials from LSASS memory, access Active Directory databases, and exfiltrate sensitive files using trusted cloud infrastructure—an increasingly familiar theme in enterprise cybercrime investigations.
Security researchers say the brilliance of the campaign lies in its psychological architecture.
Employees have been trained for years to distrust suspicious emails, but Microsoft Teams occupies a different trust zone. It feels internal, familiar, and sanctioned by the organization itself. That perception creates a dangerous blind spot and deepens concerns over Microsoft security failures across enterprise collaboration platforms.
As detailed in this enterprise phishing research, employees conditioned to reject phishing emails are often far more willing to trust someone reaching out through Teams, especially after their inbox is already under siege.
The targeting is equally strategic.
ReliaQuest researchers found that between March 1 and April 1, 2026, 77 percent of observed incidents targeted senior-level employees, a sharp increase from 59 percent during the first two months of the year. Executives, finance leaders, and senior administrators represent high-value access points for attackers seeking rapid lateral movement and privileged credentials. In several cases, Teams chats were initiated just 29 seconds apart, highlighting the campaign's precision and the growing risk of a major data breach.
This is not opportunistic cybercrime. It is enterprise-grade social engineering executed with operational patience.
The campaign also reflects a broader transformation in cyberattacks, where adversaries increasingly abuse legitimate enterprise tools instead of relying solely on malicious binaries that trigger traditional antivirus defenses. By hosting malicious components on trusted platforms like AWS S3 and leveraging Microsoft Teams’ external collaboration features, UNC6692 blends seamlessly into normal corporate traffic, making detection substantially harder for security teams.
Microsoft itself has emphasized that the campaign exploits legitimate collaboration workflows rather than platform vulnerabilities. The danger lies in users overriding security prompts and accepting communication from untrusted external accounts under the false assumption that the request is part of routine internal support.
That distinction matters because it means patching software alone will not stop the threat.
The defense must be cultural as much as technical. Organizations must aggressively restrict external Teams communication where possible, implement stronger identity verification for internal IT support interactions, monitor suspicious browser extension installations, and train employees to treat unsolicited Teams chats with the same skepticism reserved for phishing emails, in line with the MITRE ATT&CK guidance on phishing techniques used across the cybersecurity industry.
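The intrusion chain the article describes (an inbox flood, then an accepted external Teams chat, then a download of an executable from cloud object storage) is easier to detect as a sequence than as three unrelated events. The following Python is an added, constructed example, not code from the Google Threat Intelligence Group, ReliaQuest or Microsoft reporting cited above: it assumes a normalized event schema (timestamp, user, event type, detail) fed from mail, Teams audit and endpoint logs, and the thresholds, bucket name and addresses in the sample data are placeholders chosen for illustration.

```python
"""Correlate the email-bomb -> external Teams chat -> lure download sequence.

Added, constructed example: not code from the GTIG, ReliaQuest or Microsoft
reporting this article cites. The event schema, thresholds and sample log
lines below are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Event types expected from mail, Teams audit and endpoint logs (assumed schema).
EMAIL = "email_received"
EXT_CHAT = "teams_external_chat_accepted"
DOWNLOAD = "file_download"
EXTENSION = "browser_extension_installed"

EXECUTABLE_SUFFIXES = (".exe", ".zip", ".msi", ".ahk")


def looks_like_lure_download(url: str) -> bool:
    """True for an executable fetched from public object storage (e.g. an S3 bucket)."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    on_object_storage = (host == "s3.amazonaws.com"
                         or host.endswith(".s3.amazonaws.com")
                         or ".s3." in host)
    return on_object_storage and parsed.path.lower().endswith(EXECUTABLE_SUFFIXES)


def email_flood_start(events, threshold, window):
    """Return when a user first receives `threshold` mails within `window`, else None."""
    times = sorted(e["ts"] for e in events if e["type"] == EMAIL)
    left = 0
    for right, t in enumerate(times):
        while t - times[left] > window:   # slide the window forward
            left += 1
        if right - left + 1 >= threshold:
            return times[left]
    return None


def detect_helpdesk_lure(events, flood_threshold=30,
                         flood_window=timedelta(minutes=10),
                         followup_window=timedelta(minutes=60)):
    """One alert per user whose email flood is followed by an accepted external
    Teams chat; severity rises if a lure-style download or a new browser
    extension follows the chat inside the same window."""
    by_user = defaultdict(list)
    for raw in events:
        ev = dict(raw, ts=datetime.fromisoformat(raw["ts"]))
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        start = email_flood_start(evs, flood_threshold, flood_window)
        if start is None:
            continue                      # no bombing, no alert
        deadline = start + followup_window
        chat = next((e for e in evs
                     if e["type"] == EXT_CHAT and start <= e["ts"] <= deadline), None)
        if chat is None:
            continue                      # a flood alone is noisy; require the Teams step
        stages = {"email_flood": start.isoformat(), "external_teams_chat": chat["detail"]}
        after_chat = [e for e in evs if chat["ts"] <= e["ts"] <= deadline]
        download = next((e for e in after_chat
                         if e["type"] == DOWNLOAD and looks_like_lure_download(e["detail"])), None)
        if download:
            stages["suspicious_download"] = download["detail"]
        extension = next((e for e in after_chat if e["type"] == EXTENSION), None)
        if extension:
            stages["browser_extension"] = extension["detail"]
        severity = "high" if len(stages) > 2 else "medium"
        alerts.append({"user": user, "severity": severity, "stages": stages})
    return alerts


def constructed_sample_events():
    """Constructed telemetry: one bombed executive, one colleague with normal activity."""
    base = datetime(2026, 3, 10, 9, 0, 0)
    evs = []
    for i in range(60):   # 60 unwanted mails in five minutes
        evs.append({"ts": (base + timedelta(seconds=5 * i)).isoformat(), "user": "cfo@corp.example",
                    "type": EMAIL, "detail": f"newsletter-confirmation-{i}"})
    evs.append({"ts": (base + timedelta(minutes=7)).isoformat(), "user": "cfo@corp.example",
                "type": EXT_CHAT, "detail": "it-helpdesk@external-tenant.invalid"})
    evs.append({"ts": (base + timedelta(minutes=12)).isoformat(), "user": "cfo@corp.example",
                "type": DOWNLOAD, "detail": "https://placeholder-bucket.s3.amazonaws.com/MailboxRepair.exe"})
    for i in range(4):    # normal mail volume for a colleague
        evs.append({"ts": (base + timedelta(minutes=2 * i)).isoformat(), "user": "dev@corp.example",
                    "type": EMAIL, "detail": f"ticket-update-{i}"})
    evs.append({"ts": (base + timedelta(minutes=9)).isoformat(), "user": "dev@corp.example",
                "type": EXT_CHAT, "detail": "partner@vendor.example"})
    return evs


if __name__ == "__main__":
    for alert in detect_helpdesk_lure(constructed_sample_events()):
        print(alert)
```

The rule deliberately requires the Teams step before alerting, because an inbox flood on its own is a common nuisance and would drown analysts in medium-confidence tickets; the download and extension stages only raise severity. In production the thresholds would be tuned per mailbox baseline, and the `detail` fields would carry whatever identifiers your Teams audit and EDR sources expose.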
UNC6692 is not simply exploiting Microsoft Teams. It is exploiting the modern workplace itself—its habits, assumptions, and dependence on instant trust. In 2026, the most dangerous breach may no longer begin with a malicious attachment.
It may begin with a friendly message saying, “Hi, this is IT. Can I help you?”