Mandiant reports a campaign in which attackers impersonate Microsoft Teams help desk staff to trick employees into installing a malicious browser extension. The operation, attributed to UNC6692, uses email flooding, Teams phishing and a fake “Mailbox Repair Utility” to deploy the SnowBelt extension and secondary tools such as SnowGlaze and SnowBasin.
Key points
- Attackers impersonate Microsoft Teams IT support from accounts outside the victim’s organization.
- The campaign begins with large-scale email flooding to create disruption and prompt outreach.
- Victims are steered to a fake “Mailbox Repair Utility” page that encourages switching to Microsoft Edge and downloading a script.
- The SnowBelt browser extension acts as a backdoor and can download additional components like SnowGlaze, SnowBasin, AutoHotkey scripts, and a portable Python environment.
- Social-engineering tricks include forcing Edge and deliberately rejecting the first two password attempts to capture credentials twice.
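The first two stages above (an email flood, then a Teams message from an account outside the organization) can be correlated per user. The following is an added example, not code from Mandiant or the original article; the event schema (`ts`, `type`, `user`, `external`), the thresholds and the sample events are all constructed assumptions to be mapped onto whatever mail and Teams audit logs are actually collected.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def flood_then_external_chat(events, threshold=50,
                             flood_window=timedelta(minutes=10),
                             follow_window=timedelta(hours=2)):
    """Users hit by an inbound email burst and then contacted on Teams
    by an account outside their organization within follow_window."""
    recent = defaultdict(deque)  # user -> inbound email times inside flood_window
    flood_at = {}                # user -> last time the burst threshold was met
    flagged = set()
    for ev in sorted(events, key=lambda e: e["ts"]):
        user, ts = ev["user"], ev["ts"]
        if ev["type"] == "email_in":
            q = recent[user]
            q.append(ts)
            while ts - q[0] > flood_window:  # drop emails older than the window
                q.popleft()
            if len(q) >= threshold:
                flood_at[user] = ts
        elif ev["type"] == "teams_chat" and ev.get("external"):
            seen = flood_at.get(user)
            if seen is not None and ts - seen <= follow_window:
                flagged.add(user)
    return sorted(flagged)

def sample_events():
    """Constructed events; the schema (ts, type, user, external) is hypothetical."""
    t0 = datetime(2025, 1, 1, 9, 0)
    def emails(user, count, step):
        return [{"ts": t0 + i * step, "type": "email_in", "user": user}
                for i in range(count)]
    def chat(user, offset, external):
        return {"ts": t0 + offset, "type": "teams_chat", "user": user,
                "external": external}
    burst = timedelta(seconds=5)
    return (
        emails("alice", 60, burst) + [chat("alice", timedelta(minutes=25), True)]
        # bob: external chat but only a trickle of mail
        + emails("bob", 5, timedelta(minutes=1)) + [chat("bob", timedelta(minutes=30), True)]
        # carol: burst, but the chat is from an internal colleague
        + emails("carol", 60, burst) + [chat("carol", timedelta(minutes=25), False)]
        # dave: burst, external chat a day later (outside follow_window)
        + emails("dave", 60, burst) + [chat("dave", timedelta(days=1), True)]
    )

if __name__ == "__main__":
    print(flood_then_external_chat(sample_events()))
```

Only the user with both signals inside the window is flagged; the defaults are starting points to tune against normal mail volume.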
Read More: https://therecord.media/microsoft-teams-hackers-mandiant