Cybersecurity: Threats and Defences

UNC6692 runs SNOW through Microsoft Teams

14 Jun · 11:51 UTC · 3 min read

Mandiant disclosed on 23 April that UNC6692 deploys the SNOW malware ecosystem via Microsoft Teams IT-support impersonation against law firms and BPOs.

Key takeaway

A second threat cluster running the BRICKSTORM playbook turns cloud C2 into a class behaviour.

Mandiant published its disclosure on the same Thursday as the sixteen-agency advisory, naming UNC6692 as a newly tracked threat cluster that runs the SNOW malware ecosystem (the modules SNOWBELT, SNOWGLAZE and SNOWBASIN) via Microsoft Teams IT-support impersonation against law firms and Business Process Outsourcers (BPOs) [1]. The actor poses as helpdesk staff inside enterprise Teams chats and manoeuvres targets into running code that drops a browser extension and a Python tunneller. Lateral movement, credential harvesting and exfiltration follow.

UNC6692's command-and-control infrastructure runs on AWS and Heroku, the same cloud-masking template that the BRICKSTORM campaign relied on against parallel target sectors last year. Two distinct threat clusters now share a TTP library, which means defenders cannot treat the BRICKSTORM playbook as one actor's signature. The cloud-service evasion technique is becoming a class behaviour.

The targeting choice carries an operational tell. Law firms and BPOs sit at the discovery and support end of M&A and financial-services workflows, holding pre-public deal documents, due-diligence files and operational data on customer accounts. Microsoft Teams as the entry channel exploits the rise of contractor and third-party access patterns: an external 'IT support' identity inside a Teams tenant carries less friction than an inbound email. For CISOs in the affected sectors, the read is that endpoint detection inside the Teams client and identity governance across guest tenants are now both higher-leverage controls than gateway filtering. The conversation that started with the BRICKSTORM intrusion playbook now extends to a second actor running the same cloud-hosting dependency stack.

Deep Analysis

In plain English

UNC6692 sends fake messages inside Microsoft Teams pretending to be from the company's IT helpdesk, asking employees to run a piece of software to fix a problem. Once the employee runs it, the hackers get access to the company's files and accounts. Teams is a work-chat tool designed for collaboration between colleagues and external partners. Most company tenants allow external contacts to send messages without verifying whether those contacts are authorised to claim a support role.

Root Causes

Enterprise Microsoft Teams tenants allow external guest users to participate in channels and direct messages with employees. The default identity governance configuration does not require guest users to prove affiliation with an IT or support function before contacting employees. UNC6692 exploits the gap between the platform's intended use, enabling cross-organisational collaboration, and the absence of role-verified identity for guests claiming authoritative IT positions.

The choice of law firms and BPOs as targets reflects the data profile those sectors hold: pre-public M&A documents, privileged legal communications, and bulk customer-service records. Both sectors have high volumes of legitimate external collaboration via Teams, which makes an unknown external IT-support identity less suspicious than it would be in a closed enterprise tenant.

What could happen next?
  • Consequence

    Law firms and BPOs should audit Teams guest-tenant access policies and add identity verification requirements for any external contact attempting to claim an IT or helpdesk role.

    Immediate · 0.9
  • Risk

    The shared cloud-C2 template across BRICKSTORM and UNC6692 means that proxy allowlists permitting HTTPS traffic to AWS and Heroku IP ranges cannot distinguish legitimate SaaS traffic from attacker command channels.

    Short term · 0.8
  • Precedent

    Mandiant's UNC6692 disclosure sets a precedent for tracking Teams-based social engineering campaigns as a distinct threat cluster category, likely prompting Microsoft to add detection telemetry for guest-tenant impersonation patterns.

    Medium term · 0.7
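As an added example (not code from Mandiant, Microsoft or the original article), the following Python scores Teams message records for the combination the root-cause analysis and the first consequence describe: an external or guest sender, a claimed IT or helpdesk role, and an instruction to run something. The record layout, tenant ids and messages are constructed and simplified for the example; they are not the Microsoft 365 audit-log schema.

```python
import re
from dataclasses import dataclass

# Constructed, simplified message record; not the Microsoft 365 audit-log schema.
@dataclass
class TeamsMessage:
    sender_upn: str
    sender_display: str
    sender_tenant: str   # tenant the sender belongs to
    home_tenant: str     # tenant receiving the message
    sender_type: str     # "member" or "guest"
    text: str

# External = guest object in our tenant, or a federated user from another tenant.
def is_external(msg: TeamsMessage) -> bool:
    return msg.sender_type == "guest" or msg.sender_tenant != msg.home_tenant

HELPDESK_CLAIM = re.compile(r"\b(it\s*support|help\s*desk|service\s*desk|it\s*department)\b", re.I)
EXECUTION_LURE = re.compile(r"\b(run|execute|paste|install|open)\b.{0,40}"
                            r"\b(script|command|powershell|terminal|cmd|tool|fix)\b", re.I)

def score_message(msg: TeamsMessage) -> tuple[int, list[str]]:
    """One point per indicator; internal senders score 0 so real helpdesk traffic is ignored."""
    reasons: list[str] = []
    if not is_external(msg):
        return 0, reasons
    reasons.append("external sender")
    if HELPDESK_CLAIM.search(msg.sender_display) or HELPDESK_CLAIM.search(msg.text):
        reasons.append("claims IT/helpdesk role")
    if EXECUTION_LURE.search(msg.text):
        reasons.append("asks recipient to run something")
    return len(reasons), reasons

def triage(messages, threshold: int = 3):
    """Messages reaching the threshold: external sender + role claim + execution lure."""
    return [(m.sender_upn, reasons) for m in messages
            for score, reasons in [score_message(m)] if score >= threshold]

HOME = "11111111-1111-1111-1111-111111111111"   # constructed tenant id
SAMPLE = [  # constructed messages: one lure, one internal helpdesk notice, one partner
    TeamsMessage("svc.helpdesk@contoso-support.example", "IT Support Desk",
                 "22222222-2222-2222-2222-222222222222", HOME, "guest",
                 "Hi, this is IT Support. Please open PowerShell and run the script "
                 "I just shared to fix your VPN."),
    TeamsMessage("helpdesk@firm.example", "Firm Helpdesk", HOME, HOME, "member",
                 "Reminder: run the patch tool from Software Center by Friday."),
    TeamsMessage("partner@client.example", "A. Partner",
                 "33333333-3333-3333-3333-333333333333", HOME, "member",
                 "Can you send the signed engagement letter?"),
]
```

Only the guest sender claiming a support role and asking the recipient to run a script reaches the threshold; the genuine internal helpdesk notice and the federated client contact do not.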
First reported in: Google Threat Intelligence Group / Mandiant, 30 Apr 2026
Causes and effects

The same AWS and Heroku command-and-control template as BRICKSTORM, hitting the same target profile, points to a reusable evasion pattern across distinct threat clusters.
Different Perspectives

Beijing-aligned attribution sceptics

CNCERT has noted that Western KEV ransomware-risk flags on DoS-only flaws such as Serv-U CVE-2026-28318 conflate disruption capability with breach capability, and that CJEU referrals for NIS2 non-transposition create compliance obligations that presuppose software-patchable architectures the Arista case shows are not universal.

Enterprise security buyers

Three successive KEV cycles in which federal deadlines precede, exceed or are refused by vendor patches require buyers to re-weight patch-SLA contractual terms: the KEV deadline is now the planning constraint, not the vendor advisory, and procurement due diligence must cover whether a hardware platform is even patchable in principle.

Check Point

Check Point disclosed CVE-2026-50751 and shipped a hotfix on 8 June, roughly 30 days after exploitation had begun, with a Qilin affiliate already inside at least one victim. Its delayed disclosure on a CVSS 9.3 perimeter bypass leaves customers to absorb a month-long pre-patch exposure window under CISA's three-day federal deadline.

European Commission and ENISA

NIS2 full personal-liability enforcement from 1 June and CJEU referrals against laggard member states represent the sharpest regulatory escalation in EU cyber history, backed by ENISA NIS360 sector-maturity evidence naming water, rail and waste water as the priority enforcement targets. NCAF 2.0 and NIS360 function as audit instruments rather than political signals.

UK NCSC

The NCSC issued the Dutch NCSC's imminent-abuse warning on the Check Point flaw in the same fortnight its sponsoring legislation cleared the Commons, widening incident-reporting duties to cover attacker pre-positioning. The payment-reporting gap left by the CS&R Bill means the NCSC continues to rely on voluntary Early Warning submissions for ransomware economics data.

US Federal CISO community

Federal CISOs face three active compliance obligations without a clean resolution: a three-day Check Point deadline met with a hotfix, a 23 June Arista deadline partially met with ACLs only, and a 16-day Exchange overrun still being fully remediated. BOD 22-01 is operating as an urgency signal but not as a vendor-cooperation mechanism.