A newly uncovered cyber campaign is exposing how easily trusted workplace tools can be turned into entry points for large-scale attacks. A threat group identified as UNC6692 is actively targeting organizations by exploiting Microsoft Teams, impersonating IT helpdesk staff to deceive employees and gain access to corporate networks.
The attack begins with a clever distraction. Victims are bombarded with a surge of spam emails, creating confusion and urgency. While employees are trying to make sense of the situation, the attacker steps in through Microsoft Teams using an external account, posing as internal IT support. The timing and context make the message appear legitimate, increasing the likelihood that the victim will trust the interaction.
Under the guise of resolving the issue, the attacker shares a link to what appears to be a “Mailbox Repair Utility.” In reality it is a carefully crafted phishing page that pushes users to open it in Microsoft Edge and enter their credentials. The page is designed to reject the first login attempt; a victim who believes they mistyped their password re-enters it carefully, so the second submission is far more likely to be correct. Those credentials are captured and silently transmitted to attacker-controlled infrastructure hosted on Amazon Web Services.
While the victim is kept engaged with a fake progress bar, malicious files are delivered in the background. The infection starts with an AutoHotkey script that quietly establishes persistence on the system. From there, a modular malware framework known as the SNOW ecosystem is deployed, giving attackers extensive control over the compromised device.
This toolkit enables persistent access, encrypted communication, and remote command execution. Once inside the network, attackers move laterally, scanning systems and identifying valuable assets such as backup servers. They extract sensitive credentials from memory and use advanced techniques like Pass-the-Hash attacks to escalate privileges and access critical systems.
To deepen the breach, attackers even rely on legitimate tools such as FTK Imager to copy sensitive data like the Active Directory database. The stolen data is then exfiltrated using widely accessible platforms, blending malicious activity with normal traffic patterns to avoid detection.
This campaign reflects a growing shift toward “living off the cloud,” where attackers exploit trusted platforms rather than relying on traditional malware infrastructure. Because tools like Microsoft Teams and AWS are deeply embedded in daily business operations, their misuse often goes unnoticed by standard security defenses.
The incident serves as a stark reminder that cybersecurity is no longer just about blocking suspicious files or links. Human trust, communication platforms, and cloud services are now central to the threat landscape. Organizations must strengthen their defenses by monitoring unusual collaboration activity, limiting external access, and adopting more advanced detection strategies to stay ahead of evolving attacks.
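One concrete form the "monitor unusual collaboration activity" advice can take is correlating the two signals this campaign chains together: a burst of inbound mail to one mailbox, followed shortly afterwards by a Teams message from an external account that carries a link. The Python below is an added illustration written for this article, not code from the researchers or from any vendor product; the event schema, the constructed sample events, the sender domains and the thresholds (20 mails in 10 minutes, a 60 minute lookback) are all assumptions chosen to show the logic, and real deployments would read Microsoft 365 unified audit log records instead.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Simplified, constructed event shape: real sources would be M365 audit records
# for inbound mail delivery and Teams MessageSent events.
@dataclass
class Event:
    ts: datetime
    kind: str        # "mail_inbound" or "teams_message"
    user: str        # recipient mailbox / Teams user (UPN)
    sender: str      # sending address or external Teams identity
    has_link: bool = False

INTERNAL_DOMAINS = {"corp.example"}   # assumption: the organisation's own tenant domains

def is_external(sender: str) -> bool:
    """True when the sender's domain is not one of the organisation's own."""
    return sender.split("@")[-1].lower() not in INTERNAL_DOMAINS

def max_in_window(times, window: timedelta) -> int:
    """Largest number of timestamps falling inside any span of length `window`."""
    times = sorted(times)
    best, j = 0, 0
    for i in range(len(times)):
        while times[i] - times[j] > window:
            j += 1
        best = max(best, i - j + 1)
    return best

def detect_helpdesk_lures(events, threshold=20,
                          window=timedelta(minutes=10), lag=timedelta(minutes=60)):
    """Flag external Teams messages with links that arrive while the recipient
    is (or has just been) under an email flood. Returns one alert per message."""
    mails = {}
    for e in events:
        if e.kind == "mail_inbound":
            mails.setdefault(e.user, []).append(e.ts)
    alerts = []
    for e in events:
        if e.kind != "teams_message" or not e.has_link or not is_external(e.sender):
            continue
        # Only mail delivered in the `lag` period before the Teams message counts.
        recent = [t for t in mails.get(e.user, []) if e.ts - lag <= t <= e.ts]
        peak = max_in_window(recent, window)
        if peak >= threshold:
            alerts.append({"user": e.user, "sender": e.sender,
                           "ts": e.ts, "mail_peak": peak})
    return alerts

BASE = datetime(2025, 1, 15, 9, 0, 0)   # constructed timeline

def build_sample_events():
    """Constructed sample: one true positive and three benign look-alikes."""
    ev = []
    # alice: 25 junk mails in 8 minutes, then an external "helpdesk" link 20 min later
    for i in range(25):
        ev.append(Event(BASE + timedelta(seconds=20 * i), "mail_inbound",
                        "alice@corp.example", f"noreply{i}@newsletter.example"))
    ev.append(Event(BASE + timedelta(minutes=20), "teams_message",
                    "alice@corp.example", "helpdesk@it-support.example", True))
    # bob: normal mail volume, a partner sends a link over Teams (not flagged)
    for i in range(3):
        ev.append(Event(BASE + timedelta(minutes=i), "mail_inbound",
                        "bob@corp.example", "colleague@partner.example"))
    ev.append(Event(BASE + timedelta(minutes=25), "teams_message",
                    "bob@corp.example", "vendor@partner.example", True))
    # carol: mail surge, but the Teams link comes from an internal colleague (not flagged)
    for i in range(30):
        ev.append(Event(BASE + timedelta(seconds=15 * i), "mail_inbound",
                        "carol@corp.example", f"promo{i}@shop.example"))
    ev.append(Event(BASE + timedelta(minutes=15), "teams_message",
                    "carol@corp.example", "dan@corp.example", True))
    # dave: surge at 09:00, external link only three hours later (outside the lag)
    for i in range(30):
        ev.append(Event(BASE + timedelta(seconds=15 * i), "mail_inbound",
                        "dave@corp.example", f"list{i}@digest.example"))
    ev.append(Event(BASE + timedelta(hours=3), "teams_message",
                    "dave@corp.example", "support@helpdesk-portal.example", True))
    return ev

if __name__ == "__main__":
    for a in detect_helpdesk_lures(build_sample_events()):
        print(f"ALERT {a['ts']:%H:%M} {a['user']} <- {a['sender']} "
              f"(peak {a['mail_peak']} mails/10min)")
```

The correlation deliberately keys on the sequence rather than on either signal alone: email bombing by itself is noisy, and external Teams links by themselves are common in organisations that allow federation. The thresholds are assumptions and need tuning per tenant; the same structure extends naturally to other "distraction then contact" patterns such as a flood of MFA prompts followed by a message from an unknown account.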