UNC6692 impersonates IT in Microsoft Teams and deploys SNOW modules

Colleagues, a cybersecurity alert: Mandiant describes UNC6692, where attackers pose as IT support in Teams to deliver the SNOW suite.
Brief:
- Scenario: mass spam followed by a Teams message offering to “fix” an issue.
- Delivery: a link loads a script from S3, installs the SNOWBELT extension in Edge and additional modules (SNOWGLAZE, SNOWBASIN).
- Targets: mainly executives; ReliaQuest reports an uptick in incidents.
Recommendations: verify IT requests, block external invites/screen sharing, restrict RMM installs, and tighten PowerShell auditing.
Why it matters: attackers exploit trust in legitimate services and cloud infrastructure to evade defenses.
What are your IT verification procedures?
#cybersecurity #MicrosoftTeams #ThreatIntel #infosec


Latest comments
No comments yet.