Cybersecurity: Threats and Defences
29 May

UNC6692 runs SNOW through Microsoft Teams

14:17 UTC

Mandiant disclosed on 23 April that UNC6692 deploys the SNOW malware ecosystem via Microsoft Teams IT-support impersonation against law firms and BPOs.

Technology · Developing
Key takeaway

A second threat cluster running the BRICKSTORM playbook turns cloud C2 into a class behaviour.

Mandiant published its disclosure on the same Thursday as the sixteen-agency advisory, naming UNC6692 as a newly tracked threat cluster that runs the SNOW malware ecosystem (the modules SNOWBELT, SNOWGLAZE and SNOWBASIN) via Microsoft Teams IT-support impersonation against law firms and Business Process Outsourcers (BPOs) [1]. The actor poses as helpdesk staff inside enterprise Teams chats and manoeuvres targets into running code that drops a browser extension and a Python tunneller. Lateral movement, credential harvesting and exfiltration follow.

UNC6692's command-and-control infrastructure runs on AWS and Heroku, the same cloud-masking template that the BRICKSTORM campaign relied on against parallel target sectors last year. Two distinct threat clusters now share a TTP library, so defenders cannot treat the BRICKSTORM playbook as one actor's signature: the cloud-service evasion technique is becoming a class behaviour.

The targeting choice carries an operational tell. Law firms and BPOs sit at the discovery and support end of M&A and financial-services workflows, holding pre-public deal documents, due-diligence files and operational data on customer accounts. Microsoft Teams as the entry channel exploits the rise of contractor and third-party access patterns: an external 'IT support' identity inside a Teams tenant carries less friction than an inbound email. For CISOs in affected sectors, the read is that endpoint detection inside the Teams client and identity governance across guest tenants are now both higher-leverage controls than gateway filtering. The conversation that started with the BRICKSTORM intrusion playbook now extends to a second actor running the same cloud-hosting dependency stack.

Deep Analysis

In plain English

UNC6692 sends fake messages inside Microsoft Teams pretending to be from the company's IT helpdesk, asking employees to run a piece of software to fix a problem. Once the employee runs it, the hackers get access to the company's files and accounts. Teams is a work-chat tool designed for collaboration between colleagues and external partners. Most company tenants allow external contacts to send messages without verifying whether those contacts are authorised to claim a support role.

Root Causes

Enterprise Microsoft Teams tenants allow external guest users to participate in channels and direct messages with employees. The default identity governance configuration does not require guest users to prove affiliation with an IT or support function before contacting employees. UNC6692 exploits the gap between the platform's intended use, enabling cross-organisational collaboration, and the absence of role-verified identity for guests claiming authoritative IT positions.

The choice of law firms and BPOs as targets reflects the data profile those sectors hold: pre-public M&A documents, privileged legal communications, and bulk customer-service records. Both sectors have high volumes of legitimate external collaboration via Teams, which makes an unknown external IT-support identity less suspicious than it would be in a closed enterprise tenant.
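The guest-governance gap described above can be checked from the tenant's own guest inventory. The following is an added example, not code from the briefing or from Mandiant: it walks constructed records shaped like Microsoft Graph user objects (`userType`, `displayName`, `userPrincipalName`) and flags guests whose display name asserts an IT or helpdesk role from a domain not on an approved-vendor list, or borrows the tenant's own brand. The tenant name, the approved-vendor domain and the role-claim patterns are assumptions.

```python
"""Flag external Teams guests whose display name asserts an IT/helpdesk role.

Added example, not part of the source briefing. Records are constructed in
the shape of Microsoft Graph user objects; TENANT_NAME, the approved-vendor
list and the role-claim patterns are assumptions for this example.
"""
import re
from dataclasses import dataclass, field

TENANT_NAME = "contoso"                               # assumption: our own brand
APPROVED_SUPPORT_DOMAINS = {"msp-partner.example"}    # assumption: contracted MSP

# Display-name fragments that assert an authoritative support role (assumption).
ROLE_CLAIM = re.compile(
    r"\b(it\s*support|help\s*desk|service\s*desk|it\s*admin(?:istrator)?)\b", re.I)

# Guest UPNs are encoded as <local>_<home-domain>#EXT#@<tenant>; the local part
# may itself contain underscores, so the domain is everything after the last one.
EXT_UPN = re.compile(r"^(?P<local>.+)_(?P<domain>[^_#]+)#EXT#@", re.I)


@dataclass
class Finding:
    upn: str
    display_name: str
    home_domain: str
    reasons: list[str] = field(default_factory=list)


def home_domain(upn: str) -> str:
    """Recover a guest's home domain from the #EXT# UPN encoding."""
    m = EXT_UPN.match(upn)
    return m.group("domain").lower() if m else ""


def audit_guests(users: list[dict]) -> list[Finding]:
    """Return one Finding per guest that presents as support staff without authority."""
    findings = []
    for u in users:
        if u.get("userType") != "Guest":
            continue  # members are governed by a different control
        name = u.get("displayName", "")
        domain = home_domain(u.get("userPrincipalName", ""))
        reasons = []
        if ROLE_CLAIM.search(name) and domain not in APPROVED_SUPPORT_DOMAINS:
            reasons.append("support-role display name from unapproved domain")
        if TENANT_NAME in name.lower():
            reasons.append("display name borrows the tenant's own brand")
        if reasons:
            findings.append(Finding(u["userPrincipalName"], name, domain, reasons))
    return findings


SAMPLE_USERS = [  # constructed sample export
    {"displayName": "Contoso IT Support",
     "userPrincipalName": "itsupport_freemail.example#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest"},
    {"displayName": "Dana Reyes",
     "userPrincipalName": "dana.reyes_lawpartner.example#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest"},
    {"displayName": "Helpdesk (MSP Partner)",
     "userPrincipalName": "helpdesk_msp-partner.example#EXT#@contoso.onmicrosoft.com",
     "userType": "Guest"},
    {"displayName": "IT Support Desk",
     "userPrincipalName": "itdesk@contoso.onmicrosoft.com",
     "userType": "Member"},
]

if __name__ == "__main__":
    for f in audit_guests(SAMPLE_USERS):
        print(f.upn, "->", "; ".join(f.reasons))
```

Run against a real export, the same logic works on the output of a Graph `users` query filtered to `userType eq 'Guest'`; the point of the check is that a display name is attacker-chosen free text, so the only facts worth trusting are the home domain and whether that domain is one the organisation has actually contracted for support.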

What could happen next?
  • Consequence (Immediate · 0.9): Law firms and BPOs should audit Teams guest-tenant access policies and add identity verification requirements for any external contact attempting to claim an IT or helpdesk role.
  • Risk (Short term · 0.8): The shared cloud-C2 template across BRICKSTORM and UNC6692 means that proxy allowlists permitting HTTPS traffic to AWS and Heroku IP ranges cannot distinguish legitimate SaaS traffic from attacker command channels.
  • Precedent (Medium term · 0.7): Mandiant's UNC6692 disclosure sets a precedent for tracking Teams-based social engineering campaigns as a distinct threat cluster category, likely prompting Microsoft to add detection telemetry for guest-tenant impersonation patterns.
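The Risk item above is easy to quantify against a proxy log. The following is an added example, not code from the briefing: it evaluates constructed proxy records under two egress policies, an allowlist of cloud-provider address ranges and an allowlist of specific destination hostnames, and reports the flows the range-based policy admits that the hostname policy would not. The CIDRs are RFC 5737 documentation ranges standing in for a provider's published ranges, and every log line and hostname is constructed.

```python
"""Compare a CIDR (provider-range) egress allowlist with a hostname allowlist.

Added example, not from the source briefing. PROVIDER_CIDRS are documentation
ranges standing in for a cloud provider's published ranges (assumption);
ALLOWED_HOSTS and the proxy log lines are constructed.
"""
import ipaddress
from dataclasses import dataclass

# Stand-ins for a cloud provider's published address ranges (assumption).
PROVIDER_CIDRS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]

# Destinations the organisation has a business reason to reach (assumption).
ALLOWED_HOSTS = {"crm.example.com", "files.vendor-saas.example"}

# Constructed proxy log: "timestamp src_ip dst_ip sni bytes_out".
PROXY_LOG = """\
2026-05-01T09:00:01Z 10.0.4.21 203.0.113.10 crm.example.com 12000
2026-05-01T09:03:17Z 10.0.4.21 203.0.113.77 app-7f3a.unknown-paas.example 850000
2026-05-01T09:05:40Z 10.0.4.30 192.0.2.5 files.vendor-saas.example 3000
2026-05-01T09:07:02Z 10.0.4.21 203.0.113.77 app-7f3a.unknown-paas.example 910000
"""


@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    sni: str
    bytes_out: int


def parse_log(text: str) -> list[Flow]:
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, sni, nbytes = line.split()
        flows.append(Flow(ts, src, dst, sni.lower(), int(nbytes)))
    return flows


def allowed_by_cidr(flow: Flow) -> bool:
    """Range policy: any host inside the provider's ranges is reachable."""
    ip = ipaddress.ip_address(flow.dst)
    return any(ip in net for net in PROVIDER_CIDRS)


def allowed_by_host(flow: Flow) -> bool:
    """Hostname policy: only named destinations are reachable, wherever they resolve."""
    return flow.sni in ALLOWED_HOSTS


def blind_spot(flows: list[Flow]) -> list[Flow]:
    """Flows the range policy admits that the hostname policy would block."""
    return [f for f in flows if allowed_by_cidr(f) and not allowed_by_host(f)]


def blind_spot_bytes(flows: list[Flow]) -> int:
    """Egress volume that a range-only allowlist would have let through unseen."""
    return sum(f.bytes_out for f in blind_spot(flows))


if __name__ == "__main__":
    flows = parse_log(PROXY_LOG)
    for f in blind_spot(flows):
        print(f"{f.ts} {f.src} -> {f.sni} ({f.dst}) {f.bytes_out} bytes")
    print("bytes admitted by range policy only:", blind_spot_bytes(flows))
```

The second and fourth lines are the case the briefing describes: a destination inside the provider's ranges that is not any service the organisation uses, which a range-based allowlist cannot tell apart from the first line. The third line shows the converse, a legitimate vendor hosted outside those ranges that the hostname policy still admits. The hostname check relies on what the proxy actually observes (the CONNECT host or the TLS SNI), so it belongs on a proxy that terminates or at least inspects the handshake rather than on a packet filter.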
First Reported In

Update #2 · FIRESTARTER puts Cisco below the patch line

Google Threat Intelligence Group / Mandiant · 30 Apr 2026
Causes and effects
This Event
UNC6692 runs SNOW through Microsoft Teams
The same AWS and Heroku command-and-control template as BRICKSTORM, hitting the same target profile, points to a reusable evasion pattern across distinct threat clusters.
Different Perspectives
Google Threat Intelligence Group
GTIG's attribution of the GitHub breach extends UNC6780's documented arc from SAP npm through Cisco AI Defense to GitHub's own estate; its 36-hour LiteLLM exploitation set the speed benchmark CISA AA26-148A is designed to address. GTIG's published tracking gives defenders the actor profile needed to assess their own developer-toolchain exposure.
Enterprise security buyers / CISO community
For enterprise security leaders, two KEV AI-orchestration entries in three weeks (LiteLLM 8 May, Langflow 21 May) convert shadow AI tooling from a governance risk to a confirmed attack surface requiring immediate software asset inventory. The 65 per cent gap in enterprise AI tool inventories documented by Wiz Research is now a liability rather than a compliance footnote.
DSIT / UK Government
DSIT framed the £14.7 billion sector figure and the Cyber Resilience Pledge as a paired signal: commercial strength alongside supply-chain accountability, with £90 million targeting the NHS supplier exposure this briefing's threat events directly illustrate. The voluntary Pledge's enforceability gap, prior to the Cyber Security and Resilience Bill reaching Royal Assent, is the question its launch does not answer.
GitHub / Microsoft
GitHub confirmed that no customer repositories or user data were affected by the Nx Console breach, but acknowledged approximately 3,800 internal repositories were cloned and referred to CISA Alert AA26-148A's allow-listing guidance. The incident puts Microsoft in the position of operating a marketplace whose publisher-verification gap is now a documented attack vector in a federal advisory.
Tsinghua University Institute for International Strategic Studies
Beijing-aligned commentary rejects US attribution of PRC-nexus clusters (UNC2814, APT45, UAT-8616) as politically motivated framing, characterising the April sixteen-agency joint advisory as coordinated Western pressure rather than independent technical assessment.
Cisco
Cisco has not confirmed the UNC6780 breach scope beyond the named AI Defense and AI Assistant projects; GitHub confirmed an investigation. CVE-2026-20182 is the sixth Cisco SD-WAN KEV entry in 2026, reaching that milestone the same week UNC6780's source-code visibility into the portfolio became public.