Google has issued a warning about a new cybercrime group that leverages Microsoft Teams chat invitations and fake helpdesk messages to steal credentials and deploy malware. Researchers at Google Threat Intelligence Group (GTIG) have identified a cybercriminal group, designated UNC6692, which conducted a major email hacking campaign last year.
How the Microsoft Teams Helpdesk Scam Works
According to GTIG, the attack begins by flooding targeted companies with large volumes of email traffic. Once employees become overwhelmed, an individual posing as IT helpdesk staff contacts them through Microsoft Teams and offers assistance. Victims are then asked to click a link that supposedly installs a patch to stop the email spam. The link redirects users to a fake 'Mailbox Repair Utility' page featuring a 'Health Check' button. When users click the button, they are prompted to enter their email credentials.
Google noted that the phishing page uses a 'double-entry' tactic that intentionally rejects the first and second password attempts. 'This serves two functions: it reinforces the user's belief that the system is legitimate and performs real-time validation, and it ensures that the attacker captures the password twice, significantly reducing the risk of a typo in the stolen data,' according to GTIG.
The phishing page then runs a fake mailbox scan while credentials and metadata are sent to an attacker-controlled Amazon Web Services S3 bucket. During this process, additional files are quietly downloaded to the victim's device. 'By the time the user receives a "Configuration completed successfully" message, the attacker has secured the credentials and potentially established a persistent foothold on the endpoint using these staged files,' Google researchers said.
Malware Deployment and Components
After the initial compromise, attackers deploy multiple malware tools. The first stage installs an AutoHotkey binary and a script that begins reconnaissance activities. It also installs a malicious Chromium extension called SnowBelt. Google noted that SnowBelt is not available on the Chrome Web Store and is distributed only through social engineering attacks.
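The check below is an added example written for this article, not code from Google, GTIG or any product named here. It audits the manifest.json files in a Chromium profile the way an administrator or responder might when hunting for a side-loaded extension: anything without the Chrome Web Store update_url is flagged (the article says SnowBelt is never distributed through the store), as is any extension whose name matches the 'MS Heartbeat' or 'System Heartbeat' disguise reported further down, or which requests broad permissions. The permission list, the sample manifests and the default profile paths are assumptions of the example.

```python
"""Audit a Chromium profile for side-loaded extensions.

Added example for this article; it is not Google/GTIG code and not part
of any product. It reads each extension's manifest.json under
<profile>/Extensions/<id>/<version>/ and flags extensions that lack the
Chrome Web Store update_url, whose name matches a disguise the article
reports, or which request broad permissions. The permission list and
the sample manifests are constructed for illustration.
"""
import json
import os
from pathlib import Path
from typing import Dict, List

# Extensions installed from the Chrome Web Store carry this update_url.
WEB_STORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"

# Extension names the article reports for the SnowBelt disguise.
SUSPICIOUS_NAMES = {"ms heartbeat", "system heartbeat"}

# Permissions a "heartbeat" utility has no reason to hold (example author's choice).
RISKY_PERMISSIONS = {"webRequest", "webRequestBlocking", "nativeMessaging",
                     "debugger", "<all_urls>"}


def assess_manifest(ext_id: str, manifest: dict) -> dict:
    """Return one finding for a parsed manifest.json."""
    name = str(manifest.get("name", "")).strip()
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    reasons = []
    if manifest.get("update_url") != WEB_STORE_UPDATE_URL:
        reasons.append("not from the Chrome Web Store (update_url missing or foreign)")
    if name.lower() in SUSPICIOUS_NAMES:
        reasons.append(f"name matches a reported SnowBelt disguise: {name!r}")
    risky = sorted(perms & RISKY_PERMISSIONS)
    if risky:
        reasons.append("broad permissions: " + ", ".join(risky))
    return {"id": ext_id, "name": name, "suspicious": bool(reasons), "reasons": reasons}


def audit_profile(profile_dir: Path) -> List[dict]:
    """Assess every manifest.json under <profile>/Extensions/<id>/<version>/."""
    findings = []
    ext_root = profile_dir / "Extensions"
    if not ext_root.is_dir():
        return findings
    for ext_dir in sorted(p for p in ext_root.iterdir() if p.is_dir()):
        for manifest_path in sorted(ext_dir.glob("*/manifest.json")):
            try:
                with open(manifest_path, encoding="utf-8") as fh:
                    manifest = json.load(fh)
            except (OSError, ValueError):
                continue  # unreadable or malformed manifest: skip, do not abort the audit
            findings.append(assess_manifest(ext_dir.name, manifest))
    return findings


def default_profile_dirs() -> List[Path]:
    """Default Chrome and Edge profile locations on Windows (under %LOCALAPPDATA%)."""
    base = os.environ.get("LOCALAPPDATA")
    if not base:
        return []
    return [Path(base) / "Google" / "Chrome" / "User Data" / "Default",
            Path(base) / "Microsoft" / "Edge" / "User Data" / "Default"]


# Constructed sample manifests: one store-installed extension and one
# side-loaded extension using a name the article reports for SnowBelt.
SAMPLE_MANIFESTS: Dict[str, dict] = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "name": "Example Password Manager", "manifest_version": 3,
        "update_url": WEB_STORE_UPDATE_URL, "permissions": ["storage"],
    },
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
        "name": "MS Heartbeat", "manifest_version": 3,
        "permissions": ["webRequest", "storage"], "host_permissions": ["<all_urls>"],
        "background": {"service_worker": "heartbeat.js"},
    },
}


def audit_sample() -> List[dict]:
    """Run the assessment over the constructed sample manifests."""
    return [assess_manifest(ext_id, m) for ext_id, m in SAMPLE_MANIFESTS.items()]


if __name__ == "__main__":
    findings = audit_sample()
    for profile in default_profile_dirs():
        findings += audit_profile(profile)
    for f in findings:
        flag = "SUSPICIOUS" if f["suspicious"] else "ok"
        print(f"{flag:10} {f['id']} {f['name']!r} {'; '.join(f['reasons'])}")
```

On a live host, point audit_profile at each profile directory in use. Extensions loaded unpacked or pushed by enterprise policy also lack the store update_url, so every finding needs a look at the manifest and at how the extension arrived before it is treated as malicious.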
GTIG said the UNC6692 group uses a broader malware framework made up of three key components:
- SnowBelt: A JavaScript-based backdoor disguised as browser extensions such as 'MS Heartbeat' or 'System Heartbeat.' It helps attackers maintain long-term access.
- SnowGlaze: A Python-based tunnelling tool that works on both Windows and Linux systems. It creates WebSocket tunnels between victims and attacker-controlled infrastructure, including Heroku subdomains. Researchers said it hides malicious traffic by wrapping data in JSON objects and using Base64 encoding to make the activity appear legitimate.
- SnowBasin: A Python-based backdoor that allows attackers to remotely execute commands, capture screenshots and stage stolen data. 'This component is where active reconnaissance and mission completion occur. Attacker commands (such as whoami or net user) are sent through the SnowGlaze tunnel, intercepted by the SnowBelt extension, and then proxied to the SnowBasin local server via HTTP POST requests. SnowBasin executes these commands and relays the results back through the same pipeline to the attacker,' Google researchers said.
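Turning the pipeline in the quote above into detection terms, as an added example written for this article (not GTIG code, and none of the malware): the checks below run over constructed process-creation and network events and flag a reconnaissance command spawned by a Python interpreter or AutoHotkey, a browser process POSTing to a loopback HTTP server (the SnowBelt to SnowBasin hop), and a WebSocket to a herokuapp.com subdomain (the SnowGlaze tunnel); a helper unwraps Base64 string fields from a JSON tunnel frame for an analyst. Field names, the sample events and the frame layout are assumptions of the example.

```python
"""Detections for the UNC6692 command pipeline over endpoint telemetry.

Added example for this article; it is not Google/GTIG code and does not
reproduce any of the malware. Three behaviours the article describes
become checks over process-creation and network events:
  1. recon commands (whoami, net user) run by a Python interpreter or
     AutoHotkey, as SnowBasin and the first-stage script do;
  2. a browser process POSTing to a loopback server (SnowBelt -> SnowBasin);
  3. a WebSocket to a herokuapp.com subdomain (the SnowGlaze tunnel),
     plus a helper that unwraps Base64 string fields from a JSON frame.
Event field names, sample events and the frame layout are constructed.
"""
import base64
import json
from typing import Dict, List, Optional
from urllib.parse import urlparse

RECON_COMMANDS = ("whoami", "net user", "net group", "ipconfig", "systeminfo", "tasklist")
INTERPRETERS = ("python.exe", "pythonw.exe", "autohotkey.exe", "autohotkey64.exe")
BROWSERS = ("chrome.exe", "msedge.exe", "brave.exe", "chromium.exe")
LOOPBACK_HOSTS = ("127.0.0.1", "::1", "localhost")


def _basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def check_process(ev: dict) -> Optional[str]:
    """Recon command whose parent is a script interpreter rather than a user shell."""
    cmd = ev.get("command_line", "").lower()
    parent = _basename(ev.get("parent_image", ""))
    if parent in INTERPRETERS and any(c in cmd for c in RECON_COMMANDS):
        return f"recon command {cmd!r} spawned by {parent}"
    return None


def check_network(ev: dict) -> Optional[str]:
    """Browser POST to loopback, or WebSocket to a Heroku subdomain."""
    proc = _basename(ev.get("image", ""))
    url = urlparse(ev.get("url", ""))
    host = (url.hostname or "").lower()
    if proc in BROWSERS and ev.get("method", "").upper() == "POST" and host in LOOPBACK_HOSTS:
        return f"{proc} POSTed to loopback service {url.netloc}"
    if url.scheme in ("ws", "wss") and host.endswith(".herokuapp.com"):
        return f"{proc} opened a WebSocket to {host}"
    return None


def decode_b64_fields(frame_text: str) -> Dict[str, str]:
    """Return the JSON string fields that are valid Base64 of printable text."""
    try:
        obj = json.loads(frame_text)
    except ValueError:
        return {}
    if not isinstance(obj, dict):
        return {}
    decoded = {}
    for key, value in obj.items():
        if not isinstance(value, str):
            continue
        try:
            text = base64.b64decode(value, validate=True).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue  # binascii.Error is a ValueError subclass
        if all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            decoded[key] = text
    return decoded


def hunt(process_events: List[dict], network_events: List[dict]) -> List[str]:
    """Run both checks and collect the alert strings."""
    alerts = [a for ev in process_events if (a := check_process(ev))]
    alerts += [a for ev in network_events if (a := check_network(ev))]
    return alerts


# Constructed sample telemetry: two suspicious process events plus one benign,
# two suspicious network events plus one benign.
SAMPLE_PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c whoami",
     "parent_image": r"C:\Users\jdoe\AppData\Local\Temp\python.exe"},
    {"image": r"C:\Windows\System32\net.exe", "command_line": "net user",
     "parent_image": r"C:\Users\jdoe\AppData\Local\Temp\AutoHotkey.exe"},
    {"image": r"C:\Windows\explorer.exe", "command_line": "explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe"},
]
SAMPLE_NETWORK_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "method": "POST", "url": "http://127.0.0.1:8765/exec"},
    {"image": r"C:\Users\jdoe\AppData\Local\Temp\python.exe",
     "method": "GET", "url": "wss://example-tunnel.herokuapp.com/socket"},
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "method": "GET", "url": "https://www.microsoft.com/"},
]
# Constructed tunnel frame: a Base64-wrapped command result inside JSON.
SAMPLE_FRAME = json.dumps({
    "type": "heartbeat",
    "data": base64.b64encode(b"whoami\r\ncorp\\jdoe\r\n").decode("ascii"),
})

if __name__ == "__main__":
    for alert in hunt(SAMPLE_PROCESS_EVENTS, SAMPLE_NETWORK_EVENTS):
        print("ALERT:", alert)
    print("decoded frame fields:", decode_b64_fields(SAMPLE_FRAME))
```

Browser-to-loopback POSTs are routine on developer workstations and Heroku hosts plenty of legitimate applications, so the second and third checks are hunting leads to correlate with each other and with the recon-command alert on the same host, not standalone high-fidelity detections.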
Broader Context and Similar Threats
Google also noted that these types of social engineering attacks have previously been used by groups such as ShinyHunters and Scattered Lapsus$ Hunters. However, researchers said there is currently no evidence linking those groups to UNC6692. The warning also follows a similar scam, recently identified by Microsoft, in which attackers impersonated helpdesk personnel over Teams. While researchers indicated the two campaigns were unrelated, security experts pointed out that cybercriminals are increasingly combining social engineering with everyday business tools to breach corporate networks.
The TOI Tech Desk is a dedicated team of journalists committed to delivering the latest and most relevant news from the world of technology to readers of The Times of India. TOI Tech Desk's news coverage spans a wide spectrum across gadget launches, gadget reviews, trends, in-depth analysis, exclusive reports and breaking stories that impact technology and the digital universe. Be it how-tos or the latest happenings in AI, cybersecurity, personal gadgets, platforms like WhatsApp, Instagram, Facebook and more; TOI Tech Desk brings the news with accuracy and authenticity.