You know that sinking feeling when you open Outlook and see 500 unread emails — all of them automated subscription confirmations, password reset requests, and random newsletters you never signed up for?

That's not bad luck. That's UNC6692. And they're not done with you yet.

A newly identified threat group tracked as UNC6692 has perfected a devastatingly effective two‑step social engineering playbook. First, they flood your inbox with thousands of spam messages — a tactic called email bombing — creating genuine panic. Then, while you're still trying to process the mess, they slide into your Microsoft Teams DMs, posing as a friendly IT helpdesk employee offering to "help."

The victim, overwhelmed and grateful for any assistance, clicks the link. And that's when the real nightmare begins.

[Illustration: an inbox flooded with spam alerts beside a Microsoft Teams chat pop-up carrying a fake IT helpdesk message]

As Google Threat Intelligence Group (GTIG) researchers noted: "The email bombing tactic is deliberate: it creates genuine distress that makes the victim more likely to accept unsolicited help from someone claiming to be IT."

By the time the attack is over, the attackers have stolen domain admin credentials, dumped your Active Directory database, and established backdoors that give them persistent access to your entire network. All without exploiting a single software vulnerability.

How UNC6692 Executes the Attack

🔴 Step 1: Email Bombing to Create Chaos

The attack begins with a psychological sucker punch. UNC6692 sends thousands of spam and subscription confirmation emails to the target's inbox within minutes. The volume is overwhelming — victims often find their email client unresponsive. Legitimate messages get buried. Panic sets in.

The attackers aren't trying to phish anyone at this stage. They're simply trying to create a crisis — because a panicked employee is a compliant employee.

🟠 Step 2: The "IT Helpdesk" Teams Message

Within minutes of the email flood, the attacker contacts the victim via Microsoft Teams, posing as an IT helpdesk employee. The message is calm, professional, and offers a solution: "We've noticed an issue with your mailbox. Click this link to install the spam patch."

By default, Teams external access (federation) is open to every external domain, so an account in any other Microsoft 365 tenant can start a chat with your employees without anyone approving it. The attacker needs nothing more than a tenant or account they control, with the display name set to something like "IT Support" or "Helpdesk"; the victim sees an ordinary-looking Teams notification. Teams does tag such participants as External, but a user staring at 500 unread emails is not reading badges.

🟡 Step 3: The Fake "Mailbox Repair Utility"

The link leads to a phishing page that masquerades as an official "Mailbox Repair and Sync Utility." It looks professional — complete with a corporate logo, a "Health Check" button, and a fake progress bar that ticks through diagnostic tasks for several seconds.

When the victim clicks the "Health Check" button, a fake authentication box appears. The page rejects the first two password attempts (reinforcing the illusion that something is truly broken), then accepts the third and shows a "success" screen. In reality, those credentials were sent directly to an attacker-controlled server.

At the same time, the page silently downloads an AutoHotkey binary and a matching script from an AWS S3 bucket. The script executes covertly and opens the door to the Snow malware suite.

🔵 Step 4: The Snow Malware Triad

The attackers deploy three custom malware components: Snowbelt, Snowglaze and Snowbasin, in the order shown in the chain below.

🔍 HUNTER'S NOTE: Detect Snowbelt with This One Weird Flag
Monitor for msedge.exe processes launched with both --headless and --load-extension on the command line. A headless browser that side-loads an unpacked extension has almost no place on an end-user workstation, which makes the pair a high-fidelity indicator of Snowbelt activity. Two practical notes before you deploy it: baseline first, because browser test automation (Selenium, Puppeteer, Playwright and the like) legitimately runs headless, so alert on the combination rather than on --headless alone; and enrich every hit with the parent process (in this chain, the AutoHotkey dropper) and the path passed to --load-extension, which for malware will sit under the user's profile rather than in a managed install location. Add the rule to your EDR or Sysmon configuration now.

[Flowchart of the Snow malware chain: Email Flood → Teams Message → Fake Repair Utility → AutoHotkey Dropper → Snowbelt → Snowglaze → Snowbasin]
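Putting the initial-access stages together as detection logic, here is an added example (not code from the article, ThreatAft or GTIG) that correlates a per-recipient email-bomb spike, a following external Teams chat to the same user, and an msedge.exe launch with the headless and extension flags by that user, emitting one alert per victim with the furthest stage reached. The log schemas, thresholds, domain names, hostnames and every sample event are constructed assumptions; map the field names onto your own message trace, Teams audit and EDR telemetry.

```python
"""Correlate the three UNC6692 stages described above: an email bomb, an
unsolicited external Teams chat, and msedge.exe launched with --headless and
--load-extension. Added example, not the article's or GTIG's code; schemas,
thresholds, names and all sample events are constructed assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

T0 = datetime(2025, 1, 10, 9, 0, 0)  # constructed anchor time

# Constructed message-trace records: 150 "confirm your subscription" mails from
# 150 different sender domains reach a.lee in 7.5 minutes; b.chan gets one mail.
MAIL_TRACE = [
    {"ts": T0 + timedelta(seconds=3 * i), "rcpt": "a.lee@corp.example",
     "sender": f"confirm@newsletter{i}.example"} for i in range(150)
] + [{"ts": T0 + timedelta(minutes=2), "rcpt": "b.chan@corp.example",
      "sender": "payroll@corp.example"}]

# Constructed Teams chat audit records; external=True means the sender is in
# another tenant. Only the first one follows a bombing.
TEAMS_CHATS = [
    {"ts": T0 + timedelta(minutes=6), "user": "a.lee@corp.example", "external": True,
     "from": "support@helpdesk-portal.example", "display": "IT Support"},
    {"ts": T0 + timedelta(hours=3), "user": "b.chan@corp.example", "external": True,
     "from": "c.diaz@partner.example", "display": "Carlos Diaz"},
]

# Constructed Sysmon EID 1 style process-creation records.
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
PROCESS_EVENTS = [
    {"ts": T0 + timedelta(minutes=14), "host": "WS-ALEE", "user": r"CORP\a.lee",
     "image": EDGE, "parent": r"C:\Users\a.lee\AppData\Local\Temp\AutoHotkey64.exe",
     "cmdline": f'"{EDGE}" --headless --load-extension="C:\\Users\\a.lee\\AppData\\Roaming\\ext" about:blank'},
    # Benign CI automation: headless, but nothing side-loaded, so it must not fire.
    {"ts": T0 + timedelta(minutes=20), "host": "BUILD-01", "user": r"CORP\svc_ci",
     "image": EDGE, "parent": r"C:\tools\node\node.exe",
     "cmdline": f'"{EDGE}" --headless=new --disable-gpu https://ci.corp.example'},
]


def find_email_bombs(trace, window=timedelta(minutes=10), min_msgs=100, min_domains=50):
    """Return {recipient: summary} for anyone who received at least min_msgs
    messages from at least min_domains distinct sender domains inside one
    sliding window. The distinct-domain test is what separates a bombing
    (hundreds of unrelated senders) from a single misbehaving mailing list."""
    by_rcpt = defaultdict(list)
    for m in trace:
        by_rcpt[m["rcpt"]].append(m)
    hits = {}
    for rcpt, msgs in by_rcpt.items():
        msgs.sort(key=lambda m: m["ts"])
        j = 0
        for i in range(len(msgs)):
            while j < len(msgs) and msgs[j]["ts"] - msgs[i]["ts"] <= window:
                j += 1
            span = msgs[i:j]
            domains = {m["sender"].rsplit("@", 1)[-1].lower() for m in span}
            if len(span) >= min_msgs and len(domains) >= min_domains:
                best = hits.get(rcpt)
                if best is None or len(span) > best["count"]:
                    hits[rcpt] = {"start": span[0]["ts"], "end": span[-1]["ts"],
                                  "count": len(span), "domains": len(domains)}
    return hits


FLAG_RE = re.compile(r"(?<!\S)--([a-z0-9-]+)", re.I)


def headless_edge_with_extension(ev):
    """The Snowbelt indicator from the hunter's note: msedge.exe carrying both
    --headless and --load-extension (value forms such as --headless=new match)."""
    if ev["image"].rsplit("\\", 1)[-1].lower() != "msedge.exe":
        return False
    flags = {f.lower() for f in FLAG_RE.findall(ev["cmdline"])}
    return {"headless", "load-extension"} <= flags


def correlate(bombs, chats, procs, chat_window=timedelta(hours=1),
              proc_window=timedelta(hours=4)):
    """Chain the stages per victim. Stage 2 = bombed user then chatted by an
    external account within chat_window; stage 3 = the same user then launched
    a headless, extension-loading Edge within proc_window of that chat."""
    alerts = []
    for rcpt, bomb in bombs.items():
        local = rcpt.split("@")[0].lower()
        lures = [c for c in chats if c["user"] == rcpt and c["external"]
                 and bomb["start"] <= c["ts"] <= bomb["start"] + chat_window]
        if not lures:
            continue
        lure = lures[0]
        alert = {"victim": rcpt, "stage": 2, "bomb_count": bomb["count"],
                 "teams_sender": lure["from"], "display": lure["display"]}
        launches = [p for p in procs if p["user"].split("\\")[-1].lower() == local
                    and headless_edge_with_extension(p)
                    and lure["ts"] <= p["ts"] <= lure["ts"] + proc_window]
        if launches:
            alert.update(stage=3, host=launches[0]["host"], parent=launches[0]["parent"])
        alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in correlate(find_email_bombs(MAIL_TRACE), TEAMS_CHATS, PROCESS_EVENTS):
        print(alert)
```

A stage-2 alert (bombed user plus an external chat within the hour) is already worth a ticket even before any process telemetry arrives; the distinct-domain threshold is what keeps a single noisy mailing list from paging anyone.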

From Malware to Domain Takeover

Once Snowbelt is active, UNC6692 pivots to full domain takeover. Using Snowglaze to mask their activity, they scan for SMB and RDP services, move laterally with PsExec, dump LSASS memory for credentials, and use pass-the-hash to authenticate directly to domain controllers. Finally, they copy the Active Directory database (ntds.dit, which is locked while the domain controller runs, hence the use of a forensic imaging tool) with FTK Imager and exfiltrate it via LimeWire.
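The post-compromise steps above each leave a distinct trace on Windows hosts. The following added example (not code from the article, ThreatAft or GTIG) hunts for three of them over constructed sample records: LSASS memory access by a process that has no business reading it, a PsExec service installation, and NTLM network logons by user accounts to a domain controller, which is what pass-the-hash looks like from the DC's side. Event shapes, hostnames, the allow-list of LSASS clients and every record are assumptions modelled on Sysmon EID 10, System EID 7045 and Security EID 4624 telemetry.

```python
"""Hunt for the post-compromise steps listed above: LSASS memory access by an
unexpected process, a PsExec service installation, and NTLM network logons by
user accounts to a domain controller. Added example, not the article's or
GTIG's code; event shapes, hostnames and every record are constructed to
resemble Sysmon EID 10, System EID 7045 and Security EID 4624 telemetry."""

DOMAIN_CONTROLLERS = {"DC01", "DC02"}  # assumed DC hostnames
PROCESS_VM_READ = 0x10                 # any LSASS dump needs this access right
# Processes that legitimately read LSASS; tune this for your estate (assumption).
KNOWN_LSASS_CLIENTS = {"csrss.exe", "wininit.exe", "services.exe", "svchost.exe", "msmpeng.exe"}

EVENTS = [  # constructed sample records
    {"src": "sysmon", "id": 10, "host": "WS-ALEE", "source_image": r"C:\Windows\Temp\pd.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1FFFFF"},
    {"src": "sysmon", "id": 10, "host": "WS-ALEE", "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1400"},
    {"src": "system", "id": 7045, "host": "FS01", "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe", "account": r"CORP\a.lee"},
    {"src": "security", "id": 4624, "host": "DC01", "logon_type": 3,
     "auth_package": "NTLM", "account": "da-backup", "src_ip": "10.1.20.57"},
    {"src": "security", "id": 4624, "host": "DC01", "logon_type": 3,
     "auth_package": "Kerberos", "account": "a.lee", "src_ip": "10.1.20.57"},
    {"src": "security", "id": 4624, "host": "DC01", "logon_type": 3,
     "auth_package": "NTLM", "account": "FS01$", "src_ip": "10.1.10.5"},
]


def basename(path):
    """Last path component, lower-cased, tolerant of either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hunt(events, dcs=DOMAIN_CONTROLLERS):
    """Return (rule, host, detail) tuples for every matching record."""
    findings = []
    for e in events:
        if e["src"] == "sysmon" and e["id"] == 10 and basename(e["target_image"]) == "lsass.exe":
            src = basename(e["source_image"])
            # Querying LSASS is routine; reading its memory from an unknown image is not.
            if int(e["granted_access"], 16) & PROCESS_VM_READ and src not in KNOWN_LSASS_CLIENTS:
                findings.append(("lsass_read", e["host"], src))
        elif e["src"] == "system" and e["id"] == 7045 and e["service_name"].upper() == "PSEXESVC":
            # PsExec -r renames the service, so also review any new service whose
            # image lives outside Program Files or System32.
            findings.append(("psexec_service", e["host"], e["account"]))
        elif (e["src"] == "security" and e["id"] == 4624 and e["host"] in dcs
              and e["logon_type"] == 3 and e["auth_package"].upper() == "NTLM"
              and not e["account"].endswith("$")):  # machine accounts use NTLM routinely
            findings.append(("ntlm_logon_to_dc", e["host"], f'{e["account"]} from {e["src_ip"]}'))
    return findings


if __name__ == "__main__":
    for finding in hunt(EVENTS):
        print(*finding)
```

The NTLM rule is the noisiest of the three in most estates; scope it to privileged accounts and to source addresses in workstation subnets, since a domain admin NTLM-authenticating to a DC from a user VLAN is exactly the pattern the paragraph above describes.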

Why Traditional Defenses Fail

UNC6692's campaign intentionally bypasses technical controls. They don't need to bypass email security because they use email to deliver anxiety, not malware. The actual payload is delivered through Teams — which most security teams treat as an internal, trusted channel.

An additional hidden risk: when a Teams user accepts a guest-chat invitation, the conversation is hosted in the external (here, attacker-controlled) tenant and governed by that tenant's policies. The user's own organisation's Microsoft Defender for Office 365 protections, Safe Links for Teams included, no longer apply to what is exchanged there, creating a cross-tenant blind spot.

Actionable Mitigation Steps

🔴 Immediate (Today)

🟠 Short‑Term (This Week)

🟢 Long‑Term Strategy

The Bottom Line

UNC6692 proves that attackers don't need zero‑days to compromise your organisation. They just need an overwhelmed employee, a Teams message, and a little creativity.

Restrict external Teams messaging today: allow-list only the partner domains you actually need and turn off chat from unmanaged and consumer accounts. Train your employees to treat unsolicited IT help with suspicion and to verify it by contacting the helpdesk through a known channel. And never, ever click a link from a stranger offering to fix your email.

Stay calm. Stay suspicious. And stay patched — even when the patch is just a policy change.

Written by: ThreatAft Security Team – Specialising in threat intelligence and social engineering defense.