Hackers Exploit Microsoft Teams to Breach Organizations While Posing as IT Helpdesk Staff

A newly discovered cyber threat group tracked as UNC6692 is targeting enterprises by combining social engineering with custom malware.

The attackers abuse Microsoft Teams to impersonate IT helpdesk staff, tricking employees into installing malicious tools that lead to full network compromise and data theft.

Social Engineering Attack Flow

The attack begins with an email bombing campaign designed to overwhelm the target. Victims receive a flood of spam emails, creating confusion and urgency.

While distracted, the attacker contacts the user via Microsoft Teams using an external account.

Pretending to be IT support, the attacker offers a quick fix in the form of a “local patch” to stop the spam issue. This message appears legitimate, increasing the chances of user interaction.

Once the victim clicks the link, they are redirected to a fake “Mailbox Repair Utility” page. The page forces the user to open it in Microsoft Edge and enter their credentials.

It intentionally rejects the first login attempt to ensure the correct password is captured before sending it to an attacker-controlled Amazon Web Services (AWS) server.

Meanwhile, a fake progress bar keeps the victim engaged while malicious files are silently delivered.

The initial payload includes an AutoHotkey script that runs quietly in the background. It establishes persistence by creating scheduled tasks on the infected system and deploys a modular malware toolkit known as the “SNOW” ecosystem.

Key components include:

  • SNOWBELT: A malicious Chromium extension that maintains persistent access.
  • SNOWGLAZE: A Python-based tunneling tool that creates encrypted communication channels.
  • SNOWBASIN: A remote access tool that allows command execution, screenshots, and data exfiltration.

Together, these tools give attackers deep control over the compromised machine.

After gaining initial access, UNC6692 moves laterally across the network using Python scripts to scan systems and locate backup servers.

The attackers then dump memory from the LSASS process to extract password hashes. These hashes are cracked offline and used in Pass-the-Hash attacks to access domain controllers.

To steal critical data, attackers download legitimate forensic tools like FTK Imager via Microsoft Edge. They use these tools to copy the Active Directory database and exfiltrate it using platforms like LimeWire.

This campaign highlights a growing trend called “living off the cloud,” where attackers abuse trusted services like Microsoft Teams and AWS.

Because these platforms are widely used, traditional security tools often fail to detect malicious activity.

Organizations should strengthen browser monitoring, restrict external Teams communication, and implement advanced threat detection beyond standard antivirus solutions.

Indicators of Compromise (IoCs)

  • service-page-25144-30466-outlook.s3.us-west-2.amazonaws[.]com – Phishing host and payload delivery
  • cloudfront-021.s3.us-west-2.amazonaws[.]com – SNOWBELT command and control
  • wss://sad4w7h913-b4a57f9c36eb.herokuapp[.]com/ws – SNOWGLAZE WebSocket endpoint
  • service-page-11369-28315-outlook.s3.us-west-2.amazonaws[.]com – Data upload endpoint

Security teams are advised to monitor these indicators and review unusual Teams-based communications to detect early signs of compromise.
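As an added example (not code from the article or from the reporting vendor), the small Python matcher below refangs the indicators listed above and checks them against the destination field of proxy log lines; the key=value log format and the sample lines are constructed assumptions, not real traffic.

```python
import re
from urllib.parse import urlsplit

# Indicators quoted in the article, kept defanged; the value is the role
# the article assigns to each one.
SNOW_IOCS = {
    "service-page-25144-30466-outlook.s3.us-west-2.amazonaws[.]com": "phishing host and payload delivery",
    "cloudfront-021.s3.us-west-2.amazonaws[.]com": "SNOWBELT command and control",
    "wss://sad4w7h913-b4a57f9c36eb.herokuapp[.]com/ws": "SNOWGLAZE WebSocket endpoint",
    "service-page-11369-28315-outlook.s3.us-west-2.amazonaws[.]com": "data upload endpoint",
}

def refang(ioc: str) -> str:
    """Turn the defanged '[.]' back into a real dot so the value is comparable."""
    return ioc.replace("[.]", ".")

def ioc_host(value: str) -> str:
    """Reduce a URL, wss:// endpoint or bare host[:port] to its lowercase hostname."""
    s = refang(value).strip().lower()
    if "://" not in s:
        s = "//" + s  # lets urlsplit parse a bare host[:port]/path
    return urlsplit(s).hostname or ""

# Hostname -> role, so a hit tells the analyst which SNOW stage it belongs to.
HOST_TO_ROLE = {ioc_host(ioc): role for ioc, role in SNOW_IOCS.items()}

# Assumed (hypothetical) log format: key=value pairs with a 'dest=' field.
DEST_RE = re.compile(r"\bdest=(\S+)")

def match_log_lines(lines):
    """Return (line_number, hostname, role) for each line whose dest hits an IoC."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = DEST_RE.search(line)
        if m:
            host = ioc_host(m.group(1))
            if host in HOST_TO_ROLE:
                hits.append((n, host, HOST_TO_ROLE[host]))
    return hits

# Constructed sample lines: a full URL, a benign site, a WebSocket endpoint,
# an unrelated S3 bucket in the same region, and a bare host:port.
SAMPLE_LOG = [
    "ts=2024-01-01T09:00:01Z src=10.0.4.17 dest=https://cloudfront-021.s3.us-west-2.amazonaws.com/ext.crx",
    "ts=2024-01-01T09:00:02Z src=10.0.4.17 dest=https://login.microsoftonline.com/",
    "ts=2024-01-01T09:00:03Z src=10.0.4.17 dest=wss://sad4w7h913-b4a57f9c36eb.herokuapp.com/ws",
    "ts=2024-01-01T09:00:04Z src=10.0.4.18 dest=https://my-backups.s3.us-west-2.amazonaws.com/",
    "ts=2024-01-01T09:00:05Z src=10.0.4.17 dest=service-page-11369-28315-outlook.s3.us-west-2.amazonaws.com:443",
]
```

The matcher compares exact hostnames only, and bucket names and Heroku app names are cheap for an attacker to rotate, so treat these hits as a starting point alongside the browser-monitoring and external-Teams restrictions recommended above.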

The post Hackers Exploit Microsoft Teams to Breach Organizations While Posing as IT Helpdesk Staff appeared first on Cyber Security News.
