
Hackers Impersonate IT Staff to Take Over Organizations via Microsoft Teams
Tricking employees into accepting chat requests leads to full system breaches
A newly identified threat group tracked as UNC6692 is targeting large organizations with a campaign built on deception rather than exploits. Instead of attacking technical vulnerabilities, the attackers trade on employee trust in workplace tools like Microsoft Teams. Reports from Google Threat Intelligence Group and Mandiant describe an operation that rests entirely on social engineering: a massive spam email flood creates confusion and urgency, and the attackers then step in over chat as “helpful IT support.”
The intrusion starts with the spam flood itself, which buries the target’s inbox. The attackers then open a Microsoft Teams chat from an external account, posing as IT support and offering to fix the very problem they created. What makes this step concerning is that victims often accept the chat request even though Teams labels the sender as external and warns them before the conversation starts. Once the chat is under way, the attacker sends a link to a supposed fix-it tool; that link is the entry point for the malware installation.
Clicking the link lands the victim on a convincing lookalike page hosted in an AWS S3 bucket, advertising a fake tool named Mailbox Repair and Sync Utility v2.1.5. The page tells the victim to use Microsoft Edge for “best performance,” steering them toward a Chromium-based browser that the next stage can load into. It then harvests the corporate password with a technique the researchers call double-entry password capture: the form rejects the first two submissions as “incorrect” regardless of what was typed, so the victim carefully re-types the password and the attacker receives a verified, typo-free credential rather than a guess. No legitimate mailbox-repair tool needs the user’s password typed into a web form; that request alone should end the interaction.
While the victim watches a progress bar labeled “Verifying mailbox integrity,” which does nothing but hold their attention, scripts are downloaded and executed in the background. They install SNOWBELT, a Chromium-based browser extension that presents itself under innocuous names such as MS Heartbeat or System Heartbeat. The extension captures sensitive data and gives the attackers remote control of the infected device. For defenders, that makes the list of installed Edge and Chrome extensions on any user who accepted such a chat an immediate triage item.
The campaign’s danger lies in how long it can stay hidden: nothing in the chain looks like an exploit, and the foothold is a browser extension that passes for housekeeping. With one employee’s credentials and session, the attackers can escalate privileges, move laterally across the network, and reach the company’s core systems, which can end in administrator-level access and the theft of critical organizational data.
Microsoft issued an official warning in April 2026, urging users to exercise caution when interacting with external contacts on Microsoft Teams. The company strongly advises against dismissing security alerts or downloading files from unknown sources. Organizations are encouraged to strengthen account security measures and to train employees to recognize increasingly sophisticated social engineering tactics. In practice that means reviewing Teams external access settings so that federation is limited to an allowlist of trusted domains, and treating any chat that asks for a password or a download as a reportable incident. In today’s landscape, the most dangerous vulnerability may not be software but human trust itself.
Origin: Cybersecuritynews
