At a glance: Threat actors tracked as UNC6692 are impersonating IT helpdesk staff over Microsoft Teams to gain initial access through social engineering rather than technical exploitation. The activity combines targeted email-bombing with external Teams messages that prompt users to install fake fixes, allowing attackers to bypass traditional email and perimeter security controls and establish a foothold inside corporate environments.
Threat summary
On April 23, Google Threat Intelligence Group (GTIG) reported on a new threat activity cluster, tracked as UNC6692, actively impersonating IT helpdesk staff over Microsoft Teams to gain access to corporate environments.
The campaign relies on coordinated social engineering rather than exploitation of software vulnerabilities, targeting employees directly through trusted enterprise collaboration tools.
Mandiant’s reporting describes a multi-stage attack that begins with an email-bombing campaign designed to overwhelm a single user’s inbox. Shortly after the spam activity begins, the victim receives a Microsoft Teams chat invitation from an external account impersonating internal IT support. The message references email disruption and offers assistance, increasing the likelihood of engagement.
This pattern has been observed in multiple incidents and reflects a technique previously used by former Black Basta ransomware affiliates, indicating reuse of established playbooks rather than a novel tactic.
Victims are directed to click a link shared via Teams that claims to install a local “patch” to fix the spam issue. The link downloads an AutoHotkey script from an attacker-controlled Amazon Web Services (AWS) Simple Storage Service (S3) bucket. That script performs reconnaissance and installs SNOWBELT, a malicious Chromium-based browser extension, by launching Microsoft Edge in headless mode with command-line arguments that bypass normal extension installation checks.
This activity does not rely on exploiting flaws in Microsoft Teams or Microsoft Edge. Instead, it bypasses traditional security controls by using legitimate user actions and trusted tooling.
The initial payload is delivered after a user manually clicks a link and executes a file, which reduces the effectiveness of perimeter-based defenses. The use of a signed browser and native scripting also lowers the likelihood of immediate detection, particularly in environments without behavior-based endpoint monitoring.
Because the browser extension is loaded using a command-line switch rather than installed through official extension stores, standard administrative controls that restrict extension installation may not apply, allowing persistence through otherwise sanctioned software.
Analysis
UNC6692 exploits human trust in enterprise collaboration platforms and the common practice of allowing external Microsoft Teams messages. The activity demonstrates that threat actors continue to favor speed and access over technical novelty, relying on repeatable social engineering techniques that scale across industries and tenant sizes.
The objective is initial access. Once established, that access can support follow‑on activity such as credential theft, lateral movement, ransomware deployment, or extortion, depending on the environment. Compromised credentials or remote access sessions can then be reused to reach managed environments, support tooling, or downstream customer networks.
Detection is further complicated because the initial interaction occurs outside traditional email security controls and often appears operationally legitimate to end users.
Organizations can reduce exposure by limiting Microsoft Teams external chat permissions to known and approved tenants and monitoring for unsolicited helpdesk‑related outreach from external accounts. Additional visibility can be gained by alerting on abnormal browser execution behavior, including command‑line abuse used to load extensions during post‑click activity.
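The command-line alerting suggested above can be expressed as a small triage rule over process-creation telemetry. The example below is added here and is not code from GTIG, Mandiant or the report; it assumes Sysmon-style fields (ParentImage, Image, CommandLine), uses the real Chromium switches --headless and --load-extension as the side-loading indicators (the report does not name the exact switches the actor used), and runs against constructed sample records.

```python
import re
from pathlib import PureWindowsPath

# Chromium-based browsers of interest and the switches that indicate a headless
# launch or an extension loaded from disk rather than from a store. Which exact
# switches UNC6692 used is not stated in the report; these are assumptions.
BROWSERS = {"msedge.exe", "chrome.exe"}
HEADLESS_RE = re.compile(r"(?i)(?:^|\s)--headless(?:=\S+)?(?=\s|$)")
EXT_LOAD_RE = re.compile(r"(?i)(?:^|\s)--(?:load-extension|disable-extensions-except)=")
SCRIPT_HOST_RE = re.compile(r"(?i)^(?:autohotkey\w*|wscript|cscript|powershell|pwsh|mshta)\.exe$")

# Constructed Sysmon-style process-creation records (not taken from the report).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Users\jdoe\AppData\Local\Temp\AutoHotkey.exe",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                    r'--headless=new --load-extension="C:\Users\jdoe\AppData\Local\Temp\ext" --no-first-run'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default'},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "CommandLine": r"msedge.exe --headless --dump-dom https://intranet.example/report"},
]

def score_event(event: dict) -> tuple[str, list[str]]:
    """Return (severity, reasons) for one record; severity is none/low/medium/high."""
    image = PureWindowsPath(event["Image"]).name.lower()
    if image not in BROWSERS:
        return "none", []
    cmd, parent = event["CommandLine"], PureWindowsPath(event["ParentImage"]).name
    reasons = []
    if HEADLESS_RE.search(cmd):
        reasons.append("headless browser launch")
    if EXT_LOAD_RE.search(cmd):
        reasons.append("extension side-loaded via command-line switch")
    if SCRIPT_HOST_RE.match(parent):
        reasons.append(f"spawned by scripting host {parent}")
    if not reasons:
        return "none", []
    # Side-loaded extension is the SNOWBELT pattern; a headless launch from a
    # scripting-host parent (AutoHotkey in the reported cases) raises confidence.
    if "extension side-loaded via command-line switch" in reasons:
        return ("high" if len(reasons) == 3 else "medium"), reasons
    return "low", reasons  # headless alone is common in legitimate automation

def triage(events: list[dict]) -> list[dict]:
    """Keep only records that scored, with their severity and reasons attached."""
    hits = []
    for ev in events:
        severity, reasons = score_event(ev)
        if severity != "none":
            hits.append({"CommandLine": ev["CommandLine"], "Severity": severity, "Reasons": reasons})
    return hits
```

Tune the low tier to local automation baselines; the high tier (scripting-host parent plus headless plus side-loaded extension) is the combination worth paging on.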
Further risk reduction comes from reinforcing clear operational guidance that IT support workflows do not involve ad hoc chat‑based remediation or user‑installed “patch” utilities, particularly in response to spam or account issues. Where available, endpoint telemetry that detects scripting tools and unusual browser execution paths adds coverage against this intrusion pattern.