
Google warns of UNC6692 Teams helpdesk scam using fake invitations and credential theft

Google Threat Intelligence Group warns of a cybercrime operation (UNC6692) that uses Microsoft Teams invitations and fake helpdesk messages to steal credentials and deploy malware. The campaign begins with mass email spam, followed by a Teams-based phishing flow and a staged malware framework, SnowBelt/SnowGlaze/SnowBasin. The report notes related scams and cautions there is no evidence linking other groups to UNC6692.

Why It Matters

The attackers exploit collaboration tools and social engineering to breach corporate networks, enabling credential theft and malware deployment at scale.

Timeline


No evidence linking ShinyHunters or Scattered Lapsus$ Hunters to UNC6692

April 28, 2026

Researchers say there is currently no evidence linking ShinyHunters or Scattered Lapsus$ Hunters to UNC6692.

Microsoft identifies similar Teams scam (April 2026)

April 28, 2026

The warning notes that Microsoft identified a similar scam in which attackers impersonate helpdesk personnel over Teams.

SnowBelt, SnowGlaze and SnowBasin malware explained

2025

GTIG describes a three-component malware framework: SnowBelt, a JavaScript-based backdoor disguised as browser extensions such as 'MS Heartbeat' or 'System Heartbeat'; SnowGlaze, a Python-based tunnelling tool; and SnowBasin, a Python-based backdoor for remote command execution and data staging. SnowBelt is distributed via social engineering and is not available in the Chrome Web Store.

Teams-based helpdesk phishing chain begins in 2025

2025

According to GTIG, attackers first flood target companies with spam, then contact employees via Microsoft Teams posing as IT helpdesk staff and offering assistance. Victims are directed to click a link that supposedly installs a patch; they are prompted to enter their email credentials. The phishing page uses a 'double-entry' tactic that rejects the first two password attempts, while additional files are downloaded in the background, enabling initial compromise.

UNC6692 conducts major email-hacking campaign in 2025

2025

GTIG researchers described a major email hacking campaign attributed to UNC6692 that overwhelmed target companies with large volumes of spam emails before engaging victims via Microsoft Teams to offer technical assistance.
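
A detection sketch for the sequence described above (a spam flood to one mailbox, followed by an external Teams contact to the same user). This is an added example, not code from GTIG or Microsoft; the event fields, thresholds and sample data are assumptions constructed for illustration and would have to be mapped onto your own mail and Teams audit logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds; tune against your own mail baseline.
BURST_MIN = 30                        # inbound mails that count as a flood
BURST_WINDOW = timedelta(minutes=30)  # sliding window used to measure the flood
FOLLOWUP = timedelta(hours=6)         # how long after a flood a chat is suspicious

def peak_burst(times, window):
    """Largest count of sorted timestamps inside any sliding window: (count, end_time)."""
    best, best_end, lo = 0, None, 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        if hi - lo + 1 > best:
            best, best_end = hi - lo + 1, t
    return best, best_end

def flag_flood_then_chat(events):
    """Alert on external Teams chats that follow a mail flood to the same user."""
    mail, alerts = defaultdict(list), []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["type"] == "mail_inbound":
            mail[e["user"]].append(e["ts"])
        elif e["type"] == "teams_chat" and e["external"]:
            recent = [t for t in mail[e["user"]] if e["ts"] - t <= FOLLOWUP]
            count, end = peak_burst(recent, BURST_WINDOW)
            if count >= BURST_MIN:
                alerts.append({"user": e["user"], "chat_ts": e["ts"],
                               "sender": e["sender"], "burst": count, "burst_end": end})
    return alerts

def sample_events():
    """Constructed sample data, not taken from the GTIG report."""
    t0 = datetime(2025, 1, 1, 9, 0)
    ev = [{"ts": t0 + timedelta(seconds=20 * i), "type": "mail_inbound", "user": "alice"}
          for i in range(60)]                        # 60 mails in 20 minutes
    ev += [{"ts": t0 + timedelta(hours=3 * i), "type": "mail_inbound", "user": "bob"}
           for i in range(5)]                        # ordinary mail volume
    for user in ("alice", "bob"):                    # same external "helpdesk" contact
        ev.append({"ts": t0 + timedelta(hours=1), "type": "teams_chat", "user": user,
                   "external": True, "sender": "helpdesk@external.example"})
    ev.append({"ts": t0 + timedelta(hours=2), "type": "teams_chat", "user": "alice",
               "external": False, "sender": "carol"})  # internal chat, ignored
    return ev

if __name__ == "__main__":
    for alert in flag_flood_then_chat(sample_events()):
        print(alert)
```

Only the flooded user's external chat is flagged; the same external sender contacting a user with normal mail volume, and internal chats, produce no alert.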