'An interesting evolution in tactics': Google security experts flag new cyber scam which abuses Microsoft Teams to steal your data


  • Google identifies new threat group, UNC6692, using spam floods and fake IT support messages via Microsoft Teams to trick victims
  • Targets were lured to a landing page that harvested credentials and deployed a three‑part malware framework themed around snow
  • The toolkit includes a persistence‑focused browser extension, a tunneling tool for data exfiltration, and a backdoor enabling full endpoint takeover

Google has sounded the alarm on a previously undocumented threat actor group that uses cheeky social engineering tactics to deploy a trilogy of malware.

In an in-depth report, Google said it saw UNC6692 - seemingly a new collective - bombard target email inboxes with countless spam messages in a short timeframe.

Soon after, the attackers would reach out to the owner of that inbox via Microsoft Teams, through the cross-tenant feature, and introduce themselves as IT/helpdesk officials. They would claim to have been tasked with fixing the spam problem and share a link to a landing page where the supposed fix could be found.
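The two-stage lure described above (a short, dense burst of inbound mail followed by a chat from an external Teams tenant to the same user) is a pattern a mail gateway and Teams audit feed can be correlated on. The following is an added example written for this article, not code from Google's report or from any product: it runs a sliding-window flood count over constructed mail-gateway records, then flags any external Teams contact that reaches a flooded mailbox within a follow-up window. The record layouts, field names, domains and the thresholds are assumptions chosen for the illustration.

```python
"""Correlate an email-bombing burst with a follow-up external Teams contact.

Added example; the log layouts below are constructed for illustration and do
not reflect a specific product's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASE = datetime(2025, 1, 15, 9, 0, 0)

# Constructed mail-gateway records: (timestamp, recipient, sender).
# alice receives 25 messages from distinct senders within five minutes,
# bob receives three ordinary newsletters spread over the morning.
MAIL_LOG = [
    ((BASE + timedelta(seconds=12 * i)).isoformat(),
     "alice@corp.example", f"sender{i}@spam{i}.example")
    for i in range(25)
]
MAIL_LOG += [
    ((BASE + timedelta(minutes=m)).isoformat(), "bob@corp.example", "news@vendor.example")
    for m in (5, 40, 90)
]

# Constructed Teams audit records: (timestamp, internal user, external tenant domain)
# for chats initiated by a user in another tenant (the cross-tenant feature).
TEAMS_LOG = [
    ((BASE + timedelta(minutes=35)).isoformat(), "alice@corp.example", "helpdesk-support.example"),
    ((BASE + timedelta(minutes=50)).isoformat(), "bob@corp.example", "partner.example"),
]


def find_mail_floods(mail_log, window=timedelta(minutes=10), threshold=20):
    """Return {recipient: time of last message in the flood} for every mailbox
    that received at least `threshold` messages inside any `window`."""
    by_recipient = defaultdict(list)
    for ts, recipient, _sender in mail_log:
        by_recipient[recipient].append(datetime.fromisoformat(ts))

    floods = {}
    for recipient, times in by_recipient.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                # Keep extending: the flood "ends" at the latest qualifying message.
                floods[recipient] = times[end]
    return floods


def correlate(mail_log, teams_log, follow_up=timedelta(hours=2), **flood_kwargs):
    """Alert on an external Teams contact that reaches a flooded mailbox within
    `follow_up` after the flood. Returns a list of (user, tenant, timestamp)."""
    floods = find_mail_floods(mail_log, **flood_kwargs)
    alerts = []
    for ts, user, tenant in teams_log:
        contact_time = datetime.fromisoformat(ts)
        if user in floods and timedelta(0) <= contact_time - floods[user] <= follow_up:
            alerts.append((user, tenant, ts))
    return alerts


if __name__ == "__main__":
    for user, tenant, ts in correlate(MAIL_LOG, TEAMS_LOG):
        print(f"ALERT {ts}: external tenant {tenant} contacted {user} shortly after a mail flood")
```

Only alice's mailbox trips the flood rule, so only the chat from `helpdesk-support.example` is raised; bob's partner contact is ignored because no flood preceded it. In production the thresholds would be tuned to the organisation's normal inbound volume, and the alert would be a prompt to verify the external contact's identity through an independent channel before anyone follows a link it sent.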


The 'snow' framework

Victims who follow the link are first asked to do a “health check” by clicking a button on the page which prompts the user to authenticate using their email and password which are then siphoned to the attackers’ servers.

Google also noticed that the login attempt never works on the first try - a deliberate ploy to increase perceived legitimacy and to make sure victims don’t submit a fake or mistyped password.

After “logging in”, the page then performs an “email integrity check”, which is just a cover for what goes on in the background - the deployment of a malware framework consisting of three elements.

"By the time the user receives a 'Configuration completed successfully' message, the attacker has secured the credentials and potentially established a persistent foothold on the endpoint using these staged files," Google said in the report.

The framework is themed around snow, and contains three tools: SnowBelt, SnowGlaze, and SnowBasin.

The first is a Chromium-based extension that establishes persistence via the browser’s extension registration system. The extensions are often named “MS Heartbeat” or “System Heatbeat”.

The second is a tunneler that creates an authenticated WebSocket tunnel, enabling easy communication and possible data extraction. The third one is a backdoor that allows full endpoint takeover.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
