Google issues new ‘warning’ in Microsoft Teams chat invitations and helpdesk scam

Google has warned about a new cybercrime group that uses Microsoft Teams chat invitations and fake helpdesk messages to steal credentials and deploy malware. Researchers at Google Threat Intelligence Group (GTIG) have claimed that a cybercriminal group (UNC6692) conducted a major email hacking campaign last year. This campaign mainly targeted companies by overwhelming their employees with spam emails before connecting with them via Teams under the pretext of offering technical assistance. The attackers then tricked users into installing malicious tools that enabled them to maintain access to compromised systems.

How the Microsoft Teams helpdesk scam works

According to GTIG, the attack begins by flooding targeted companies with large volumes of email traffic. Once employees become overwhelmed, someone posing as IT helpdesk staff contacts them through Microsoft Teams and offers assistance. Victims are then asked to click a link that supposedly installs a patch to stop the email spam. The link redirects users to a fake “Mailbox Repair Utility” page featuring a “Health Check” button. When users click the button, they are prompted to enter their email credentials.

Google said the phishing page uses a “double-entry” tactic that intentionally rejects the first and second password attempts. “This serves two functions: it reinforces the user’s belief that the system is legitimate and performs real-time validation, and it ensures that the attacker captures the password twice, significantly reducing the risk of a typo in the stolen data,” according to GTIG.

The phishing page then runs a fake mailbox scan while credentials and metadata are sent to an attacker-controlled Amazon Web Services S3 bucket. During this process, additional files are quietly downloaded to the victim’s device. “By the time the user receives a ‘Configuration completed successfully’ message, the attacker has secured the credentials and potentially established a persistent foothold on the endpoint using these staged files,” Google researchers said.

After the initial compromise, attackers deploy multiple malware tools. The first stage installs an AutoHotkey binary and a script that begins reconnaissance. It also installs a malicious Chromium extension called SnowBelt. Google noted that SnowBelt is not available on the Chrome Web Store and is distributed only through social engineering attacks.

GTIG said the UNC6692 group uses a broader malware framework made up of three key components:

SnowBelt: A JavaScript-based backdoor disguised as browser extensions such as “MS Heartbeat” or “System Heartbeat.” It helps attackers maintain long-term access.

SnowGlaze: A Python-based tunneling tool that works on both Windows and Linux systems. It creates WebSocket tunnels between victims and attacker-controlled infrastructure, including Heroku subdomains. Researchers said it hides malicious traffic by wrapping data in JSON objects and using Base64 encoding to make the activity appear legitimate.

SnowBasin: A Python-based backdoor that allows attackers to remotely execute commands, capture screenshots and stage stolen data.

“This component is where active reconnaissance and mission completion occur. Attacker commands (such as whoami or net user) are sent through the SnowGlaze tunnel, intercepted by the SnowBelt extension, and then proxied to the SnowBasin local server via HTTP POST requests. SnowBasin executes these commands and relays the results back through the same pipeline to the attacker,” Google researchers said.

Google also noted that these types of social engineering attacks have previously been used by groups such as ShinyHunters and Scattered Lapsus$ Hunters. However, researchers said there is currently no evidence linking those groups to UNC6692. The warning also follows a similar scam involving impersonations of helpdesk personnel via Teams communications, which Microsoft recently identified. While researchers indicated the campaigns were unrelated, security experts pointed out that cybercriminals are increasingly using social engineering in combination with business tools to breach corporate networks.
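Because the article reports that SnowBelt is sideloaded rather than installed from the Chrome Web Store and hides behind the names “MS Heartbeat” or “System Heartbeat,” a defender can sweep Chromium profiles for extensions matching either trait. The script below is an added example written for this page, not GTIG's or Google's tooling; it assumes Chromium's on-disk layout of <profile>/Extensions/<id>/<version>/manifest.json, treats the absence of the Web Store update_url as a sideloading heuristic, and builds its own constructed sample manifests in a temporary directory.

```python
"""Hunt for sideloaded Chromium extensions that match the SnowBelt lure names.

Added example (not from the article or GTIG). Scans manifest.json files in the
<profile>/Extensions/<id>/<version>/ layout and flags display names the article
reports for SnowBelt, plus any extension lacking a Chrome Web Store update_url.
"""
import json
import tempfile
from pathlib import Path

# Web Store installs carry this update_url; its absence suggests sideloading.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
# Display names the article reports for the SnowBelt backdoor extension.
LURE_NAMES = {"ms heartbeat", "system heartbeat"}


def assess_manifest(manifest: dict) -> list[str]:
    """Return the reasons this manifest looks suspicious (empty list = clean)."""
    reasons = []
    name = str(manifest.get("name", "")).strip().lower()
    if name in LURE_NAMES:
        reasons.append(f"display name matches reported lure: {manifest.get('name')!r}")
    if manifest.get("update_url") != WEBSTORE_UPDATE_URL:
        # Heuristic only: a missing Web Store URL means sideloaded, not malicious.
        reasons.append("no Chrome Web Store update_url (likely sideloaded)")
    return reasons


def scan_extensions_dir(root) -> dict:
    """Walk <root>/<id>/<version>/manifest.json and map suspicious ids to reasons."""
    findings = {}
    for manifest_path in Path(root).glob("*/*/manifest.json"):
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable manifest: skip it rather than abort the sweep
        reasons = assess_manifest(manifest)
        if reasons:
            findings[manifest_path.parent.parent.name] = reasons
    return findings


def demo() -> dict:
    """Write two constructed manifests (one clean, one lure-like) and scan them."""
    root = Path(tempfile.mkdtemp())
    samples = {  # constructed sample data, 32-char ids in Chromium's style
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"name": "Example Notes", "version": "1.0",
                                             "update_url": WEBSTORE_UPDATE_URL},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"name": "System Heartbeat", "version": "2.1"},
    }
    for ext_id, manifest in samples.items():
        d = root / ext_id / manifest["version"]
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return scan_extensions_dir(root)


if __name__ == "__main__":
    for ext_id, reasons in demo().items():
        print(ext_id, "->", "; ".join(reasons))
```

Point scan_extensions_dir at a real profile's Extensions folder to run the same check against a live system.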
