Cybersecurity: Threats and Defences
30 Apr

UNC6692 runs SNOW through Microsoft Teams

08:16 UTC

Mandiant disclosed on 23 April that UNC6692 deploys the SNOW malware ecosystem via Microsoft Teams IT-support impersonation against law firms and BPOs.

Technology · Developing
Key takeaway

A second threat cluster running the BRICKSTORM playbook turns cloud C2 into a class behaviour.

Mandiant published its disclosure on the same Thursday as the sixteen-agency advisory, naming UNC6692 as a newly tracked threat cluster that runs the SNOW malware ecosystem (the modules SNOWBELT, SNOWGLAZE and SNOWBASIN) via Microsoft Teams IT-support impersonation against law firms and Business Process Outsourcers (BPOs). The actor poses as helpdesk staff inside enterprise Teams chats and manoeuvres targets into running code that drops a browser extension and a Python tunneller. Lateral movement, credential harvesting and exfiltration follow.

UNC6692's command-and-control infrastructure runs on AWS and Heroku, the same cloud-masking template that the BRICKSTORM campaign relied on against parallel target sectors last year. Two distinct threat clusters now share a TTP library, which means defenders cannot treat the BRICKSTORM playbook as one actor's signature. The cloud-service evasion technique is becoming a class behaviour.

The targeting choice carries an operational tell. Law firms and BPOs sit at the discovery and support end of M&A and financial-services workflows, holding pre-public deal documents, due-diligence files and operational data on customer accounts. Microsoft Teams as the entry channel exploits the rise of contractor and third-party access patterns: an external 'IT support' identity inside a Teams tenant carries less friction than an inbound email. For CISOs at affected sectors, the read is that endpoint detection inside the Teams client and identity governance across guest tenants are now both higher-leverage controls than gateway filtering. The conversation that started with the BRICKSTORM intrusion playbook now extends to a second actor running the same cloud-hosting dependency stack.

Deep Analysis

In plain English

UNC6692 sends fake messages inside Microsoft Teams pretending to be from the company's IT helpdesk, asking employees to run a piece of software to fix a problem. Once the employee runs it, the hackers get access to the company's files and accounts. Teams is a work-chat tool designed for collaboration between colleagues and external partners. Most company tenants allow external contacts to send messages without verifying whether those contacts are authorised to claim a support role.

Root Causes

Enterprise Microsoft Teams tenants allow external guest users to participate in channels and direct messages with employees. The default identity governance configuration does not require guest users to prove affiliation with an IT or support function before contacting employees. UNC6692 exploits the gap between the platform's intended use, enabling cross-organisational collaboration, and the absence of role-verified identity for guests claiming authoritative IT positions.

The choice of law firms and BPOs as targets reflects the data profile those sectors hold: pre-public M&A documents, privileged legal communications, and bulk customer-service records. Both sectors have high volumes of legitimate external collaboration via Teams, which makes an unknown external IT-support identity less suspicious than it would be in a closed enterprise tenant.
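An added defender-side example, not code from Mandiant's report or from this briefing: a triage pass over a constructed, simplified Teams chat export that flags external senders who present as IT or helpdesk staff, and raises the severity when they also ask the recipient to run something, which is the lure described above. The record layout, tenant ids, domains and the vendor allowlist are all assumptions; a real tenant would map its own audit or export schema onto these fields.

```python
from __future__ import annotations
import json
import re

# Constructed values: this organisation's own tenant id and the domains of
# vendors that are contracted to provide helpdesk services to it.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"
APPROVED_SUPPORT_DOMAINS = {"helpdesk.vendor.example"}

# External sender + claimed IT/helpdesk identity + a request to run code is
# the combination the UNC6692 lure relies on.
ROLE_CLAIM = re.compile(r"\b(it|help ?desk|service ?desk|support|admin)\b", re.I)
RUN_PROMPT = re.compile(r"\b(run|execute|paste|install|powershell|cmd|script)\b", re.I)

# Constructed JSON-lines export; the field names are assumptions, not a real Teams schema.
SAMPLE_EXPORT = """\
{"id": 1, "tenant_id": "11111111-1111-1111-1111-111111111111", "upn": "maria@lawfirm.example", "display_name": "Maria Ortiz", "text": "Can you review the NDA draft?"}
{"id": 2, "tenant_id": "22222222-2222-2222-2222-222222222222", "upn": "it.support@outlook.example", "display_name": "IT Helpdesk", "text": "Ticket open on your VPN profile. Please run the attached script to fix it."}
{"id": 3, "tenant_id": "22222222-2222-2222-2222-222222222222", "upn": "sam@client.example", "display_name": "Sam Lee", "text": "Let's sync on the due diligence index tomorrow."}
{"id": 4, "tenant_id": "33333333-3333-3333-3333-333333333333", "upn": "agent@helpdesk.vendor.example", "display_name": "Vendor Support", "text": "Please run the updater from the portal."}
{"id": 5, "tenant_id": "44444444-4444-4444-4444-444444444444", "upn": "ops@partner.example", "display_name": "IT Support", "text": "Hi, quick question about the meeting time."}
"""

def classify(record: dict) -> str | None:
    """Return a severity for a suspicious message, or None for a benign one."""
    external = record["tenant_id"] != HOME_TENANT
    domain = record["upn"].rsplit("@", 1)[-1].lower()
    claims_role = bool(ROLE_CLAIM.search(record["display_name"]))
    asks_to_run = bool(RUN_PROMPT.search(record["text"]))
    if not external or not claims_role:
        return None          # internal staff, or an external contact claiming no role
    if domain in APPROVED_SUPPORT_DOMAINS:
        return None          # contracted helpdesk vendor: the role claim is expected
    return "high" if asks_to_run else "medium"

def scan(export: str) -> list[tuple[int, str]]:
    """Classify every record in a JSON-lines export; return (message id, severity)."""
    findings = []
    for line in export.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        severity = classify(record)
        if severity:
            findings.append((record["id"], severity))
    return findings

if __name__ == "__main__":
    for msg_id, severity in scan(SAMPLE_EXPORT):
        print(f"message {msg_id}: {severity}")
```

Message 2 is the full lure and scores high; message 5 is an unverified external "IT Support" identity with no run request yet and scores medium, which is the point at which a guest-verification policy should intervene.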

What could happen next?
  • Consequence

    Law firms and BPOs should audit Teams guest-tenant access policies and add identity verification requirements for any external contact attempting to claim an IT or helpdesk role.

    Immediate · 0.9
  • Risk

    The shared cloud-C2 template across BRICKSTORM and UNC6692 means that proxy allowlists permitting HTTPS traffic to AWS and Heroku IP ranges cannot distinguish legitimate SaaS traffic from attacker command channels.

    Short term · 0.8
  • Precedent

    Mandiant's UNC6692 disclosure sets a precedent for tracking Teams-based social engineering campaigns as a distinct threat cluster category, likely prompting Microsoft to add detection telemetry for guest-tenant impersonation patterns.

    Medium term · 0.7
First Reported In

Update #2 · FIRESTARTER puts Cisco below the patch line

Google Threat Intelligence Group / Mandiant · 30 Apr 2026
Causes and effects
This Event
The same AWS and Heroku command-and-control template as BRICKSTORM, hitting the same target profile, points to a reusable evasion pattern across distinct threat clusters.
Different Perspectives
Norwegian Security and Service Organisation
NSSO was a prior victim of Ivanti EPMM zero-days and now faces CVE-2026-6973 in the same product line. Ivanti's position that on-premises EPMM is the only affected tier provides limited reassurance to a government body that has already been compromised twice via the same vendor's MDM infrastructure.
ENISA and EU CNA Ecosystem
ENISA onboarded four new CVE Numbering Authorities under ENISA Root on 6 May, expanding EU-sovereign vulnerability disclosure infrastructure in the same week three critical CVEs entered the CISA KEV catalogue. Greater CNA coverage inside the EU reduces dependence on US-anchored MITRE for European-sourced vulnerability identifiers.
German Federal Office for Information Security (BSI)
BSI rated CVE-2026-41940 in cPanel 'very high', reflecting Germany's exposure across shared-hosting infrastructure for Mittelstand businesses. The 65-day zero-day window and the amplification effect of cPanel's multi-tenancy model mean the BSI rating applies to thousands of German SME websites hosted on affected servers.
Republic of Korea National Intelligence Service
South Korea's NIS tracks UNC1069's tooling evolution; the CSIS paper argues the ROK's intelligence on DPRK cyber operations should feed joint US-ROK situational awareness rather than bilateral channels that move too slowly for real-time supply-chain response.
Democratic People's Republic of Korea
UNC1069's Axios operation scales North Korea's supply-chain access from niche Python packages to the most downloaded HTTP client in the JavaScript ecosystem. WAVESHAPER.V2 provides persistent access to development environments where cryptocurrency wallets and API keys are stored, serving the sanctions-evasion funding logic behind earlier DPRK toolchain operations.
WatchTowr Labs
WatchTowr Labs disclosed CVE-2026-41940 after the 28 April patch shipped, providing the 65-day exploitation timeline from KnownHost telemetry. The disclosure is textbook; the open question is why WebPros did not catch the cpsrvd CRLF class flaw before external researchers found it under active exploitation.