Cybersecurity: Threats and Defences
7 June

UNC6692 runs SNOW through Microsoft Teams

10:08 UTC

Mandiant disclosed on 23 April that UNC6692 deploys the SNOW malware ecosystem via Microsoft Teams IT-support impersonation against law firms and BPOs.

Key takeaway

A second threat cluster running the BRICKSTORM playbook turns cloud C2 into a class behaviour.

Mandiant published its disclosure on the same Thursday as the sixteen-agency advisory, naming UNC6692 as a newly tracked threat cluster that runs the SNOW malware ecosystem (the modules SNOWBELT, SNOWGLAZE and SNOWBASIN) via Microsoft Teams IT-support impersonation against law firms and Business Process Outsourcers (BPOs) [1]. The actor poses as helpdesk staff inside enterprise Teams chats and manoeuvres targets into running code that drops a browser extension and a Python tunneller. Lateral movement, credential harvesting and exfiltration follow.

UNC6692's command-and-control infrastructure runs on AWS and Heroku, the same cloud-masking template that the BRICKSTORM campaign relied on against parallel target sectors last year. Two distinct threat clusters now share a TTP library, which means defenders cannot treat the BRICKSTORM playbook as one actor's signature. The cloud-service evasion technique is becoming a class behaviour.

The targeting choice carries an operational tell. Law firms and BPOs sit at the discovery and support end of M&A and financial-services workflows, holding pre-public deal documents, due-diligence files and operational data on customer accounts. Microsoft Teams as the entry channel exploits the rise of contractor and third-party access patterns: an external 'IT support' identity inside a Teams tenant carries less friction than an inbound email. For CISOs in the affected sectors, the read is that endpoint detection inside the Teams client and identity governance across guest tenants are now both higher-leverage controls than gateway filtering. The conversation that started with the BRICKSTORM intrusion playbook now extends to a second actor running the same cloud-hosting dependency stack.

Deep Analysis

In plain English

UNC6692 sends fake messages inside Microsoft Teams pretending to be from the company's IT helpdesk, asking employees to run a piece of software to fix a problem. Once the employee runs it, the hackers get access to the company's files and accounts. Teams is a work-chat tool designed for collaboration between colleagues and external partners. Most company tenants allow external contacts to send messages without verifying whether those contacts are authorised to claim a support role.

Root Causes

Enterprise Microsoft Teams tenants allow external guest users to participate in channels and direct messages with employees. The default identity governance configuration does not require guest users to prove affiliation with an IT or support function before contacting employees. UNC6692 exploits the gap between the platform's intended use, enabling cross-organisational collaboration, and the absence of role-verified identity for guests claiming authoritative IT positions.

The choice of law firms and BPOs as targets reflects the data profile those sectors hold: pre-public M&A documents, privileged legal communications, and bulk customer-service records. Both sectors have high volumes of legitimate external collaboration via Teams, which makes an unknown external IT-support identity less suspicious than it would be in a closed enterprise tenant.

What could happen next?
  • Consequence (Immediate · 0.9): Law firms and BPOs should audit Teams guest-tenant access policies and add identity verification requirements for any external contact attempting to claim an IT or helpdesk role.
  • Risk (Short term · 0.8): The shared cloud-C2 template across BRICKSTORM and UNC6692 means that proxy allowlists permitting HTTPS traffic to AWS and Heroku IP ranges cannot distinguish legitimate SaaS traffic from attacker command channels.
  • Precedent (Medium term · 0.7): Mandiant's UNC6692 disclosure sets a precedent for tracking Teams-based social engineering campaigns as a distinct threat cluster category, likely prompting Microsoft to add detection telemetry for guest-tenant impersonation patterns.
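The root cause above is that a guest's self-asserted display name carries authority it has not earned. As an added defender-side example (not code from the briefing or from Mandiant), the following Python triages Teams chat audit records for external senders whose display name claims an IT or helpdesk role but whose tenant is not on a contracted-support allowlist; the record field names, tenant ids and sample messages are constructed assumptions, not a real audit-log export.

```python
import re

# Added example: field names are an assumption modelled on Microsoft 365 unified
# audit log "MessageSent" entries for Teams; the tenant ids are constructed.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"  # constructed tenant id
# Hypothetical allowlist: partner tenants contractually authorised to provide IT support.
TRUSTED_SUPPORT_TENANTS = {"22222222-2222-2222-2222-222222222222"}

# Display-name fragments that assert an authoritative support role.
SUPPORT_ROLE = re.compile(
    r"\b(it|help\s*desk|service\s*desk|tech\s*support|support)\b", re.IGNORECASE)

# Constructed sample records, not real telemetry.
RECORDS = [
    {"Operation": "MessageSent", "SenderUpn": "ana@contoso.example",
     "SenderTenantId": HOME_TENANT, "SenderDisplayName": "Ana Ruiz"},
    {"Operation": "MessageSent", "SenderUpn": "desk@msp.example",
     "SenderTenantId": "22222222-2222-2222-2222-222222222222",
     "SenderDisplayName": "MSP Helpdesk"},
    {"Operation": "MessageSent", "SenderUpn": "support.contoso@outlook.example",
     "SenderTenantId": "33333333-3333-3333-3333-333333333333",
     "SenderDisplayName": "IT Support (Contoso)"},
    {"Operation": "MessageSent", "SenderUpn": "bob@partnerlaw.example",
     "SenderTenantId": "33333333-3333-3333-3333-333333333333",
     "SenderDisplayName": "Bob Lee"},
]

def is_external(record, home_tenant=HOME_TENANT):
    """True when the sender's tenant is not the organisation's own tenant."""
    return record.get("SenderTenantId") != home_tenant

def claims_support_role(display_name):
    """True when a display name asserts an IT/helpdesk/support identity."""
    return bool(SUPPORT_ROLE.search(display_name or ""))

def flag_unverified_support_claims(records, home_tenant=HOME_TENANT,
                                   trusted=TRUSTED_SUPPORT_TENANTS):
    """Return external senders whose display name claims a support role but whose
    tenant is not on the contracted-support allowlist. Verification is keyed on the
    tenant id, never on the self-asserted display name."""
    hits = []
    for rec in records:
        if rec.get("Operation") != "MessageSent" or not is_external(rec, home_tenant):
            continue
        if (claims_support_role(rec.get("SenderDisplayName"))
                and rec.get("SenderTenantId") not in trusted):
            hits.append({"sender": rec["SenderUpn"], "tenant": rec["SenderTenantId"],
                         "claimed_name": rec["SenderDisplayName"]})
    return hits
```

The contracted MSP's helpdesk is not flagged because its tenant is on the allowlist, while the lookalike "IT Support (Contoso)" from an unknown tenant is; this is the tenant-level verification the Consequence bullet calls for, applied to telemetry rather than to a name.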
First Reported In

Update #2 · FIRESTARTER puts Cisco below the patch line

Google Threat Intelligence Group / Mandiant · 30 Apr 2026
Causes and effects

The same AWS and Heroku command-and-control template as BRICKSTORM, hitting the same target profile, points to a reusable evasion pattern across distinct threat clusters.
Different Perspectives

Australian Cyber Security Centre (ACSC)
Australia accounting for 18 of May's 95 disclosed ransomware victims, nearly 19 per cent of global disclosed attacks against 0.3 per cent of global GDP, reflects end-of-life Windows Server concentration in healthcare, under-resourced national incident-response capacity, and time-zone isolation that slows vendor-assisted containment during peak attack windows.

Europol / international law enforcement
Operation Saffron's 27-country coordination set a new geographic breadth record for criminal-infrastructure seizure. The absence of an arrest alongside the server seizures limits durable impact: the VPNLab.net and DoubleVPN precedents show gangs reconstitute on alternative hosts within two to four weeks.

UK Parliament (Cyber Security and Resilience Bill)
The Bill reaches Commons Report Stage on 10 June with penalties up to 4 per cent of global turnover. Qilin's NHS Synnovis attack in June 2024 and INC_RANSOM's Stuga Machinery posting on 5 June give the legislation a domestic evidence base connecting KEV-class exposure directly to UK CNI and supply-chain targeting.

German BSI / EU enterprise operator perspective
The 17-month lag between Oracle's January 2024 WebLogic patch and active exploitation confirms that CVSS 7.5 keeps a flaw below emergency-patch thresholds in most programmes, even when T3/IIOP exploitation is a documented recurring chain. BSI's T3/IIOP disablement guidance offers a network-layer mitigation that survives Oracle's quarterly patch cycle without requiring unscheduled downtime.

ENISA / EU cybersecurity regulator
NIS360's risk-zone designations for water and rail, following NCAF 2.0 in April, give member-state authorities a documented enforcement basis under NIS2. Fine ceilings at EUR 10 million cover essential entities; sub-threshold municipal water operators fall outside that scope, so designation without sector-level funding creates a perverse incentive to defer rather than remediate.

US federal CISO (FCEB agency)
Four staggered June deadlines covered WebLogic middleware, Linux containers, Android device fleets and Magento storefronts in a single fortnight, forcing triage that exposes whichever stack ranks lowest. CISA's proposed $707 million budget cut alongside this enforcement acceleration creates a direct credibility gap: the mandate grows while the capacity to sustain it shrinks.