A newly uncovered cyber campaign shows how attackers are increasingly relying on human trust rather than software flaws to infiltrate enterprise systems. The threat group UNC6692 has orchestrated a highly advanced, multi-stage attack by exploiting everyday collaboration tools like Microsoft Teams, instead of targeting technical vulnerabilities.

According to researchers from Google’s Threat Intelligence Group and Mandiant, who disclosed the findings on April 22, 2026, the attackers carefully manipulated employees into granting access. Rather than deploying zero-day exploits, they leveraged psychological tactics and trusted platforms to achieve full domain compromise.

To begin with, in late December 2025, UNC6692 initiated a large-scale email bombing campaign. This tactic flooded employee inboxes, creating confusion and urgency. As a result, distracted employees became more susceptible to further manipulation. Subsequently, the attackers approached victims through Microsoft Teams, posing as IT helpdesk staff offering assistance with the email issue.

Importantly, this attack did not rely on any software flaw. As noted in a recent advisory by Microsoft, the attackers simply abused legitimate external collaboration features. Victims unknowingly accepted chat invitations from external accounts, which ultimately opened the door to the attack.

Infection Chain: From Chat to Full Network Takeover

Once communication was established, the attacker directed victims to install a so-called “local patch.” The link the attacker supplied led to a phishing page disguised as a “Mailbox Repair and Sync Utility v2.1.5,” hosted on cloud infrastructure such as Amazon Web Services S3.

The attack unfolded in multiple stages. Initially, a script ensured victims used a specific browser environment. Then, a fake authentication process captured credentials using a clever “double-entry” trick. Meanwhile, a progress bar displayed routine system messages to distract users while data was secretly exfiltrated.

At the same time, malware components were deployed. These included SNOWBELT, a malicious browser extension disguised as legitimate software. The broader SNOW malware ecosystem—comprising SNOWBELT, SNOWGLAZE, and SNOWBASIN—enabled persistence, data obfuscation, and lateral movement across networks.
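Because the persistence mechanism described above is a browser extension rather than a traditional binary, an endpoint baseline of installed extensions is one of the more direct ways to surface it. The following PowerShell script is an added example (not code from the GTIG/Mandiant report or from Microsoft) that inventories Chromium-based extensions for every user profile on a Windows host and reports any whose ID is not on a known-good list, together with the sensitive permissions each one requests. The approved extension IDs are placeholders, and the Edge and Chrome profile paths are assumed to be the default locations.

```powershell
# Added example, not part of the original article: inventory Chromium-based
# browser extensions on a Windows endpoint and flag any not on a known-good list.
# Assumes default profile locations for Microsoft Edge and Google Chrome.
# The allowlist entries are placeholders to be replaced with your own baseline.

$AllowedExtensionIds = @(
    'PLACEHOLDER_ID_OF_APPROVED_EXTENSION_1',
    'PLACEHOLDER_ID_OF_APPROVED_EXTENSION_2'
)

# Permissions worth a closer look when an unknown extension requests them.
$SensitivePermissions = @(
    'webRequest', 'webRequestBlocking', 'cookies', 'tabs', 'history',
    '<all_urls>', 'nativeMessaging', 'debugger', 'scripting'
)

function Get-ChromiumExtensionInventory {
    $results = @()
    $userDirs = Get-ChildItem -Path 'C:\Users' -Directory -ErrorAction SilentlyContinue
    foreach ($userDir in $userDirs) {
        $browserRoots = @(
            @{ Browser = 'Edge';   Path = Join-Path $userDir.FullName 'AppData\Local\Microsoft\Edge\User Data' },
            @{ Browser = 'Chrome'; Path = Join-Path $userDir.FullName 'AppData\Local\Google\Chrome\User Data' }
        )
        foreach ($b in $browserRoots) {
            if (-not (Test-Path -Path $b.Path)) { continue }
            # Every profile (Default, Profile 1, ...) keeps extensions under
            # Extensions\<32-char id>\<version>\manifest.json
            $manifests = Get-ChildItem -Path $b.Path -Recurse -Filter 'manifest.json' -ErrorAction SilentlyContinue
            foreach ($m in $manifests) {
                if ($m.FullName -notmatch '\\Extensions\\([a-p]{32})\\') { continue }
                $extId = $Matches[1]
                try {
                    $manifest = Get-Content -Path $m.FullName -Raw -ErrorAction Stop | ConvertFrom-Json -ErrorAction Stop
                } catch {
                    continue   # unreadable or malformed manifest; skip rather than abort the sweep
                }
                # Manifest V2 lists host patterns under permissions; V3 moves them to host_permissions.
                $perms = @()
                if ($manifest.permissions)      { $perms += $manifest.permissions }
                if ($manifest.host_permissions) { $perms += $manifest.host_permissions }
                $results += [pscustomobject]@{
                    User                 = $userDir.Name
                    Browser              = $b.Browser
                    ExtensionId          = $extId
                    Name                 = $manifest.name
                    Version              = $manifest.version
                    Allowed              = ($AllowedExtensionIds -contains $extId)
                    SensitivePermissions = (($perms | Where-Object { $SensitivePermissions -contains $_ }) -join ',')
                    ManifestPath         = $m.FullName
                }
            }
        }
    }
    return $results
}

# Report unknown extensions first; these are the candidates for a closer look.
$inventory = Get-ChromiumExtensionInventory
$inventory |
    Where-Object { -not $_.Allowed } |
    Sort-Object User, Browser |
    Format-Table User, Browser, ExtensionId, Name, Version, SensitivePermissions -AutoSize
```

Run it with local administrator rights so every user profile is readable, and feed the output into whatever endpoint telemetry pipeline you already have; a newly appearing ID that is absent from your baseline and requests webRequest, cookies or <all_urls> is a reasonable trigger for an analyst to pull the manifest and the extension's unpacked files for review.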

After gaining access, attackers scanned internal systems, escalated privileges, and eventually reached domain controllers. They extracted critical data, including Active Directory files, and exfiltrated it through tooling whose traffic was routed via platforms such as Heroku and other trusted services.

Cloud Abuse and Defense Challenges

A defining feature of this campaign is its reliance on legitimate cloud services for every stage of the attack. By blending malicious activity with normal encrypted traffic, attackers effectively bypass traditional security controls like IP blocklists and domain reputation filters.

Therefore, security teams must expand their monitoring strategies. In addition to endpoint protection, organizations should closely track browser extensions, cloud traffic, and headless browser activity. Furthermore, restricting or carefully managing external access in Microsoft Teams can significantly reduce risk.
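The Teams recommendation above is a tenant-wide setting, and the initial contact in this campaign depended on the default that lets any external account open a chat with an employee. The following PowerShell is an added example (not code from the GTIG/Mandiant report or from Microsoft's advisory) that records the current external-access configuration, then switches the tenant from "allow all external domains" to an explicit allowlist and turns off chat with personal (consumer) Teams accounts, using the Microsoft Teams PowerShell module. It assumes the MicrosoftTeams module is installed and that the account running it holds a Teams administrator role; the partner domain is a placeholder.

```powershell
# Added example, not part of the original article: restrict Microsoft Teams
# external access to an explicit allowlist of partner domains.
# Requires the MicrosoftTeams module and a Teams administrator role.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# Record the tenant-wide federation settings before changing anything, so the
# change is reversible and the "before" state is available to the change record.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                        AllowedDomains, BlockedDomains | Format-List

# Build an allowlist holding only the external organisations you actually work with.
$partnerDomains = @('partner.example')   # placeholder: replace with vetted partner domains
$domainPatterns = $partnerDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
$allowList = New-CsEdgeAllowList -AllowedDomain $domainPatterns

# Keep federation on, but only for the allowlist; block personal Teams accounts
# from chatting with employees in either direction.
$federationSettings = @{
    AllowFederatedUsers       = $true
    AllowedDomains            = $allowList
    AllowTeamsConsumer        = $false
    AllowTeamsConsumerInbound = $false
}
Set-CsTenantFederationConfiguration @federationSettings

# Confirm the new state. AllowedDomains should now list only the partner patterns.
Get-CsTenantFederationConfiguration |
    Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                  AllowedDomains, BlockedDomains | Format-List
```

Moving to an allowlist is the setting that most directly removes the entry point used here: an unknown external tenant can no longer start a chat, so the helpdesk impersonation never reaches the employee. Expect some legitimate partner traffic to be cut off until the list is complete, so gather the set of external domains employees actually exchange messages with before applying it, and pair the change with user guidance that real IT staff will never ask for a "patch" to be installed over chat.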

Ultimately, UNC6692 highlights a critical reality: the weakest link in cybersecurity is often human trust. Even the most secure systems can be compromised if employees unknowingly engage with malicious actors posing as trusted personnel.
