- UNC6692 pairs deliberate inbox flooding with Microsoft Teams impersonation to deliver the SNOW malware suite — with the full attack chain completing in as little as 12 minutes from first contact.
- As of July 9, 2026, Mandiant data shows 77% of attacks between March 1 and April 1, 2026 targeted senior employees — up sharply from 59% in January–February 2026, indicating accelerating executive targeting.
- SNOW malware deploys three custom components (SNOWBELT, SNOWGLAZE, SNOWBASIN) with a built-in gatekeeper script engineered to bypass automated sandbox detection.
- The blast radius is controllable: one Microsoft Teams admin configuration change eliminates the primary delivery vector without requiring new tools or additional budget.
The Threat: When the Help Desk Becomes the Attacker
It's a Tuesday morning. Your email inbox has absorbed roughly 1,500 messages in the past hour — a coordinated flood of newsletters, unsubscribe confirmations, and random calendar noise engineered specifically to bury your attention. Then a Microsoft Teams notification appears: someone labeled "IT Support" says there's suspicious activity on your account and needs you to install a patch immediately.
That scenario is the documented playbook of UNC6692, a threat actor whose campaign was first identified in December 2025 and publicly disclosed by Google Mandiant on April 23, 2026. The original reporting was aggregated by Google News and further analyzed by cyberpress.org. The multi-source picture — drawn from Mandiant's technical report, BleepingComputer's payload breakdown, The Register's timing analysis, SecurityWeek's email-volume figures, and Microsoft Security Blog's Q1 2026 threat data — reveals a campaign that is simultaneously more targeted and more automated than conventional helpdesk impersonation efforts.
SecurityWeek reported that UNC6692's email bombing phase delivers over 1,500 emails per hour to each target, functioning as a distraction while the threat actor simultaneously initiates Teams contact with the same individual. The Register noted a specific timing detail that signals automation: chat messages were initiated just 29 seconds apart across victims, a cadence that points to scripted deployment rather than manual outreach. Once the target engages, the attacker walks them through what appears to be a legitimate patch installation — but what executes is the SNOW malware suite, comprising three custom components:
- SNOWBELT — a JavaScript browser extension backdoor that, according to BleepingComputer, runs on headless Microsoft Edge instances invisible to the victim.
- SNOWGLAZE — a Python-based WebSocket tunneler (a tool that opens covert communication channels between the compromised machine and attacker infrastructure).
- SNOWBASIN — a Python remote access backdoor granting persistent attacker control over the endpoint.
Mandiant researchers JP Glab, Tufail Ahmed, Josh Kelley, and Muhammad Umair documented that "the attacker used a gatekeeper script designed to ensure the payload is delivered only to intended targets while evading automated security sandboxes." Standard automated defenses are routed around, not broken through. From first Teams message to malware execution: as little as 12 minutes.
Blast Radius — Who Should Actually Be Worried
This campaign is not spray-and-pray. As of July 9, 2026, according to Mandiant's public disclosure, 77% of observed attacks between March 1 and April 1, 2026 targeted senior-level personnel — executives, managers, and directors — up from 59% in January and February 2026. The trajectory matters more than either number in isolation: this threat actor actively refined its targeting toward higher-value accounts over a 60-day window.
Chart: UNC6692 senior-level employee targeting rate, January–February 2026 vs. March–April 2026. Source: Google Mandiant, April 23, 2026.
Jason Soroko, Senior Fellow at Sectigo, identified the core exploit mechanism: "Bypassing traditional email filters to directly message senior staff allows the malicious actors to exploit the presumed legitimacy of the application." Teams carries an institutional trust signal that corporate email lost years ago. Executives who reflexively scrutinize suspicious messages may respond to a Teams chat from "IT Support" without applying the same skepticism.
The surrounding threat landscape explains why this vector is being refined so quickly. As of July 9, 2026, KnowBe4 recorded a 41% increase in Microsoft Teams-based phishing attacks between October 2025 and March 2026. Microsoft Security Blog's Q1 2026 threat intelligence data shows 8.3 billion email-based phishing threats detected across January through March alone — and collaboration tool phishing alerts had grown to represent 42% of all phishing alerts in early 2026, up from 30% in the preceding four-month period. As SaaS Cybersecurity's analysis of the B2B training gap notes, human error remains the accelerant that converts a sophisticated delivery mechanism into a confirmed breach.
The Defense Stack That Changes the Math
This attack succeeds specifically because it bypasses email security controls and reaches employees through a channel where guard is lower. The defense stack needs to close that gap at three layers simultaneously.
Technology: Microsoft patched CVE-2026-21535, a critical Teams vulnerability with a CVSS score of 8.2 that allowed unauthenticated access without user interaction, server-side in early 2026. But SNOW malware does not need an unpatched flaw — it needs a trusting employee. The technology controls that move the needle are: restricting or blocking external Teams chat requests from unverified domains in your Microsoft 365 tenant; deploying endpoint detection and response (EDR) tools capable of flagging anomalous AutoHotkey script installations and unexpected Python process launches; and enforcing browser extension management policies that block unapproved extensions — directly relevant given SNOWBELT's delivery mechanism.
Process: Establish an out-of-band verification protocol for any IT support request arriving via Teams. If a message claiming to be from your helpdesk requests script execution or a software install, confirmation goes through your ticketing system or an independently confirmed phone number — never a link or contact the requester provides. This single process change collapses the social engineering chain at its weakest point.
People: Security awareness training needs to explicitly cover collaboration platform impersonation. The assumption that Teams messages are inherently safe because they appear to originate internally is precisely what UNC6692 is monetizing. The email-bombing-then-Teams-contact pattern is now a teachable indicator of compromise: if an inbox floods with junk and an urgent IT request arrives via Teams within the same window, that combination is an escalation signal, not a coincidence. (IBM's 2025 Cost of a Data Breach Report found that 16% of breaches involved threat actors using AI tools, used primarily for phishing content generation (37% of those cases) and deepfake impersonation (35%) — a preview of where social engineering campaigns like this one are heading as AI tooling becomes more accessible to threat actors.)
Harden This Today
One control, deployable today, that meaningfully narrows the blast radius:
Audit and restrict your Microsoft Teams external access settings. In the Microsoft Teams admin center, navigate to Users > External access. Unless your organization has a documented operational requirement for federated external chat, disable the ability for outside Teams accounts to initiate contact with your staff. If external access is required for specific partner workflows, configure an explicit allow-list of verified partner domains only — not open federation.
UNC6692 depends on external accounts with plausible display names reaching employees inside your corporate tenant. Closing or restricting this channel removes the primary delivery vector regardless of how the downstream payload evolves. As of July 9, 2026, this configuration is available to all Microsoft 365 commercial tenants at no additional licensing cost and takes under 10 minutes to review and adjust.
In my analysis, the most alarming signal in this campaign is not the malware sophistication — it's the automation. A 29-second interval between targeted chat initiations indicates UNC6692 is scaling the social engineering phase, not just the technical payload. Organizations that treat this as a lower-priority item are misreading how quickly this threat actor moves once the Teams channel is open. Ship this control today.
Frequently Asked Questions
How does SNOW malware infect computers through Microsoft Teams?
UNC6692 first floods the target's inbox with high-volume spam (email bombing, reported by SecurityWeek at over 1,500 emails per hour), then contacts the same person via Microsoft Teams posing as internal IT helpdesk staff. If the target follows the attacker's instructions, they execute an AutoHotkey script that installs three custom components: SNOWBELT (a browser extension backdoor running on invisible headless Edge instances), SNOWGLAZE (a Python WebSocket tunneler), and SNOWBASIN (a Python remote access backdoor). The full sequence from first Teams message to malware execution can complete in as little as 12 minutes. A built-in gatekeeper script specifically filters out automated sandbox environments to reduce detection.
What is email bombing and how is it used as a cyber attack tactic?
Email bombing is the deliberate, high-volume flooding of a target's inbox with junk messages — newsletters, subscription confirmations, random alerts — within a short period. SecurityWeek reported that UNC6692's email bombing phase generates over 1,500 emails per hour per target. The tactic serves two functions: it overwhelms the target's ability to identify legitimate messages (including real security alerts), and it creates the urgency and confusion that makes the simultaneous Teams "IT helpdesk" impersonation more convincing. The email flood is a distraction mechanism, not itself the payload delivery channel.
How to protect against Microsoft Teams phishing and impersonation attacks?
Three controls address the primary threat surface: First, restrict or disable external Teams access in the Microsoft 365 admin center under Users > External access — this prevents unverified outside accounts from reaching your staff directly. Second, establish an out-of-band verification step requiring any IT support request via Teams to be confirmed through your ticketing system or a pre-known phone number before any installation or script execution proceeds. Third, update security awareness training to specifically address collaboration platform impersonation and train employees to recognize the email-flooding-plus-urgent-Teams-contact pattern as a red flag. Microsoft also patched CVE-2026-21535 (CVSS 8.2) server-side in early 2026, so verifying your tenant configuration is current is part of the baseline hygiene.
What is the UNC6692 threat group and who are they targeting?
UNC6692 is a threat actor tracked by Google Mandiant, with campaign activity first detected in December 2025 and publicly disclosed on April 23, 2026. The group combines email bombing, Microsoft Teams impersonation of IT helpdesk personnel, and custom malware tooling (the SNOW suite) to compromise endpoints. As of July 9, 2026, Mandiant data shows the campaign has increasingly concentrated on senior-level personnel: executives, managers, and directors represented 77% of observed attack targets in March–April 2026, up from 59% in January–February 2026. The threat actor uses a gatekeeper script to vet targets, suggesting deliberate selection rather than opportunistic mass targeting. Their specific industry focus had not been fully disclosed in publicly available reporting as of July 9, 2026.
Disclaimer: This article is editorial commentary for informational purposes only and does not constitute professional security consulting advice. Always consult with a qualified cybersecurity professional for your organization's specific security needs. Research based on publicly available sources current as of July 9, 2026.