Skip to content
You can now search across every topic, entity and event.What's new
Cybersecurity: Threats and Defences
30APR

UNC6692 runs SNOW through Microsoft Teams

3 min read
08:16UTC

Mandiant disclosed on 23 April that UNC6692 deploys the SNOW malware ecosystem via Microsoft Teams IT-support impersonation against law firms and BPOs.

TechnologyDeveloping
Key takeaway

A second threat cluster running the BRICKSTORM playbook turns cloud C2 into a class behaviour.

Mandiant published its disclosure on the same Thursday as the sixteen-agency advisory, naming UNC6692 as a newly tracked threat cluster that runs the SNOW malware ecosystem (the modules SNOWBELT, SNOWGLAZE and SNOWBASIN) via Microsoft Teams IT-support impersonation against law firms and Business Process Outsourcers (BPOs) 1. The actor poses as helpdesk staff inside enterprise Teams chats and manoeuvres targets into running code that drops a browser extension and a Python tunneller. Lateral movement, credential harvesting and exfiltration follow.

UNC6692's command-and-control infrastructure runs on AWS and Heroku, the same cloud-masking template that the BRICKSTORM campaign relied on against parallel target sectors last year . Two distinct threat clusters now share a TTP library, which means defenders cannot treat the BRICKSTORM playbook as one actor's signature. The cloud-service evasion technique is becoming a class behaviour.

The targeting choice carries an operational tell. Law firms and BPOs sit at the discovery and support end of M&A and financial-services workflows, holding pre-public deal documents, due-diligence files and operational data on customer accounts. Microsoft Teams as the entry channel exploits the rise of contractor and third-party access patterns: an external 'IT support' identity inside a Teams tenant carries less friction than an inbound email. For CISOs at affected sectors, the read is that endpoint detection inside the Teams client and identity governance across guest tenants are now both higher-leverage controls than gateway filtering. The conversation that started with the BRICKSTORM intrusion playbook now extends to a second actor running the same cloud-hosting dependency stack.

Deep Analysis

In plain English

UNC6692 sends fake messages inside Microsoft Teams pretending to be from the company's IT helpdesk, asking employees to run a piece of software to fix a problem. Once the employee runs it, the hackers get access to the company's files and accounts. Teams is a work-chat tool designed for collaboration between colleagues and external partners. Most company tenants allow external contacts to send messages without verifying whether those contacts are authorised to claim a support role.

Deep Analysis
Root Causes

Enterprise Microsoft Teams tenants allow external guest users to participate in channels and direct messages with employees. The default identity governance configuration does not require guest users to prove affiliation with an IT or support function before contacting employees. UNC6692 exploits the gap between the platform's intended use, enabling cross-organisational collaboration, and the absence of role-verified identity for guests claiming authoritative IT positions.

The choice of law firms and BPOs as targets reflects the data profile those sectors hold: pre-public M&A documents, privileged legal communications, and bulk customer-service records. Both sectors have high volumes of legitimate external collaboration via Teams, which makes an unknown external IT-support identity less suspicious than it would be in a closed enterprise tenant.

What could happen next?
  • Consequence

    Law firms and BPOs should audit Teams guest-tenant access policies and add identity verification requirements for any external contact attempting to claim an IT or helpdesk role.

    Immediate · 0.9
  • Risk

    The shared cloud-C2 template across BRICKSTORM and UNC6692 means that proxy allowlists permitting HTTPS traffic to AWS and Heroku IP ranges cannot distinguish legitimate SaaS traffic from attacker command channels.

    Short term · 0.8
  • Precedent

    Mandiant's UNC6692 disclosure sets a precedent for tracking Teams-based social engineering campaigns as a distinct threat cluster category, likely prompting Microsoft to add detection telemetry for guest-tenant impersonation patterns.

    Medium term · 0.7
First Reported In

Update #2 · FIRESTARTER puts Cisco below the patch line

Google Threat Intelligence Group / Mandiant· 30 Apr 2026
Read original
Causes and effects
This Event
UNC6692 runs SNOW through Microsoft Teams
The same AWS and Heroku command-and-control template as BRICKSTORM, hitting the same target profile, points to a reusable evasion pattern across distinct threat clusters.
Different Perspectives
UK managed service providers and data centre operators
UK managed service providers and data centre operators
Newly brought into critical-infrastructure scope by the Cyber Security and Resilience Bill's Lords second reading, facing fines up to £17m or 4% of global turnover and a new near-miss reporting duty they did not previously carry. The sector moves from best-practice guidance to statutory exposure within this Parliamentary session.
Threat-intelligence industry
Threat-intelligence industry
SOCRadar's confirmation that one operator sits on two ransomware crews' negotiation panels, following Bitdefender's affiliate-overlap flag six weeks earlier, gives the sector its second independent data point that brand-based tracking undercounts shared access. The firms doing this work are shifting language from named-group attribution toward access-broker mapping.
FSB Centre 16
FSB Centre 16
Named by NCSC as running an SNMP-hijacking campaign against communications, energy, healthcare, defence and financial-services operators, harvesting device data and reconfiguring routers through a decades-old plaintext-authentication protocol. The campaign runs in parallel to, not in place of, the GRU's separate DNS-hijacking operation named in April.
CISA
CISA
CISA's Known Exploited Vulnerabilities catalogue added seven CVEs between 5 and 14 July, none from a headline security vendor, capped by the 18-year-old Cisco IOS bug CVE-2008-4128. BOD 26-04's risk-tiered listing rules make that slowdown as much a policy artefact as a threat-intensity read.
Nidec
Nidec
Nidec faces a $2m demand from Blackfield after the crew breached a server at its supplier Chaun Choung Technology rather than Nidec's own network. The attack reached Nidec's data without touching its own perimeter at all, the same supply-chain route World Leaks used against Tata Electronics.
Tata Electronics
Tata Electronics
Tata Electronics restricted remote access to its purchase-order systems and hired a forensic consultant after World Leaks posted 630GB of its files, including purported Apple and Tesla design material, to a leak site. The exposed value sits on its customers' balance sheets, not its own, which is what makes it hard to price.