May 3, 2026, 11:47 am
Since December 2025, a hacker group named UNC6692 has been targeting Microsoft Teams users. The goal of the attacks is to access sensitive data and take over entire IT structures.
The Google Threat Intelligence Group (GTIG) warns about this in a blog post. Notably, the method does not exploit traditional software vulnerabilities. Instead, the attack relies entirely on the cooperation of the victims. Technically, the systems are initially left untouched; the actual entry happens through psychological pressure.
Email Bombing as a Distraction
According to GTIG, the attack begins with a so-called email bombing. The victim’s inbox is flooded with a large number of spam messages in a short period. These emails do not contain malware. Their purpose is to create stress and simulate a supposed security problem. The flood of messages is meant to capture attention and create confusion. During this phase, the attackers wait for the right moment to proceed to the next step.
After the email flood, the attackers contact the victim via Microsoft Teams, posing as technical support staff. The tone is professional, and the approach seems credible. They offer a quick solution in the form of a supposed security patch. The accompanying link does in fact lead to an Amazon server, which further builds trust and lowers the threshold for the next click.
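The sequence described above, a mail flood followed shortly by a Teams message from an outside "support" contact, can be correlated in logs. The following Python sketch is an added example, not code from GTIG or this article; the event layout, thresholds, addresses and sample data are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed thresholds, to be tuned per environment (not from the GTIG report).
BURST_COUNT = 20                      # inbound mails to one mailbox ...
BURST_WINDOW = timedelta(minutes=10)  # ... within this window count as a flood
FOLLOWUP = timedelta(hours=2)         # how long after a flood a chat is suspicious


def build_sample():
    """Constructed events: (timestamp, kind, recipient, sender, sender_is_external)."""
    base = datetime(2026, 1, 15, 9, 0)
    ev = [(base + timedelta(seconds=15 * i), "mail", "alice@corp.example",
           f"news{i}@list{i}.example", True) for i in range(40)]
    ev.append((base + timedelta(minutes=25), "teams", "alice@corp.example",
               "helpdesk@support-desk.example", True))
    ev += [(base + timedelta(minutes=3 * i), "mail", "bob@corp.example",
            "x@vendor.example", True) for i in range(5)]          # normal mail volume
    ev.append((base + timedelta(minutes=30), "teams", "bob@corp.example", "carol@corp.example", False))
    ev.append((base + timedelta(minutes=40), "teams", "dave@corp.example", "sales@partner.example", True))
    return sorted(ev)


def correlate(events):
    """Return one alert per external Teams chat that follows a mail flood."""
    recent = defaultdict(deque)  # recipient -> timestamps of recent inbound mail
    flood_at = {}                # recipient -> last time the flood threshold was met
    alerts = []
    for ts, kind, rcpt, sender, external in events:
        if kind == "mail":
            q = recent[rcpt]
            q.append(ts)
            while ts - q[0] > BURST_WINDOW:   # slide the window forward
                q.popleft()
            if len(q) >= BURST_COUNT:
                flood_at[rcpt] = ts
        elif kind == "teams" and external:
            seen = flood_at.get(rcpt)
            if seen is not None and ts - seen <= FOLLOWUP:
                alerts.append({"user": rcpt, "contact": sender,
                               "flood_last_seen": seen, "chat_at": ts})
    return alerts


if __name__ == "__main__":
    for alert in correlate(build_sample()):
        print(alert)
```

Only the flooded mailbox that is then contacted from outside the organization raises an alert; an external chat without a preceding flood, or an internal chat, does not.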
Malware Disguised as Repair Tool
The file on the server is harmful. Upon opening, an Edge browser window appears, resembling legitimate repair software. In the background, the browser extension SnowBelt is installed. This malware collects login credentials and authentication tokens. Additionally, the program prompts users to enter their login information to resolve the supposed security issue. At this point, control is no longer in the hands of the victims.
With the obtained login data, the attackers take over the user account and gain access to the PC. Technical vulnerabilities in the operating system or software are irrelevant. The entire attack chain exploits human trust alone. According to the report, this weakness is sufficient to completely bypass security mechanisms.
Additional Tools Secure Permanent Access
After the initial takeover, the attackers install two more programs. SnowGlaze establishes a WebSocket tunnel that bypasses common firewalls and enables remote access. SnowBasin acts as a permanent backdoor, allowing commands to be executed and additional programs to be installed without the victim’s knowledge. The compromised computer serves as a starting point for further actions.
UNC6692 does not target individual devices. The Snow attack is designed to analyze and exploit entire networks. After the initial infection, the perpetrators scout out additional systems and spread laterally. The focus is not on sabotage but on the theft of data and access information. According to the report, these are extracted from compromised networks via the LimeWire file-sharing service and later reused.
Implications for Users
Private users are not the main target group of UNC6692, according to assessments. Without access to corporate structures, private computers are hardly attractive to the attackers. Nevertheless, the case shows that technical protection alone is not enough. No additional software helps against this form of attack; what helps is a critical approach to unexpected messages and support requests.