Google Mandiant has documented a new campaign by threat cluster UNC6692 that represents a significant evolution in the industrialisation of enterprise cybercrime. The group combines mass email bombing with social engineering via Microsoft Teams to deploy a custom malware suite — known as the Snow ecosystem — whose ultimate goal is to extract the complete Active Directory database from victim organisations and take full control of the corporate domain. Active since December 2025, the campaign directed 77% of its observed incidents between March and April 2026 against leadership profiles. The most affected sectors are manufacturing and professional, scientific and technical services. This post complements our 8 May analysis of MuddyWater — same vector, different actor, even more ambitious objective: the entire domain.

What do we know about the UNC6692 campaign and the Snow ecosystem?

Facts documented by Google Mandiant, amplified by The Hacker News, BleepingComputer, Security Boulevard, the Microsoft Security Blog and Hispasec:

  • Threat actor: UNC6692, a previously undocumented threat activity cluster identified by Google Threat Intelligence Group (GTIG) / Mandiant. No definitive state attribution has been established, though researchers note possible connections to former Black Basta affiliates based on tactical similarities.
  • Campaign start: December 2025, with significant escalation throughout Q1 2026.
  • Primary objective: credential theft and complete corporate domain takeover by extracting the NTDS.dit file (Active Directory database) and the SAM/SYSTEM/SECURITY registry hives.
  • Victim profile: between 1 March and 1 April 2026, 77% of observed incidents targeted senior employees, up from 59% in the first two months of the year. Executives, CFOs, IT directors and privileged-access stakeholders are the preferred targets.
  • Affected sectors: manufacturing, professional, scientific and technical services. Victims in financial services and healthcare have also been documented.
  • Snow ecosystem: a modular malware suite comprising three tools — SNOWBELT, SNOWGLAZE and SNOWBASIN — designed to work in sequence from initial access through to domain data exfiltration.

Why Microsoft Teams has become the priority attack vector against the enterprise

UNC6692 is not the first group to abuse Microsoft Teams as an entry vector — we documented the MuddyWater case on 8 May. What makes UNC6692’s campaign unique is the combination of two mutually reinforcing techniques. Four factors explain why Teams has become the preferred vector for organised cybercrime in 2026:

  1. Email bombing creates the perfect context for the scam. Before making contact via Teams, UNC6692 floods the victim’s inbox with thousands of emails in minutes. The goal is not the content of those emails but to create chaos, urgency and receptiveness to any offer of help. When “IT support” appears in Teams minutes later, the victim experiences it as relief, not a threat.
  2. Implicit trust in Teams has not been trained as a risk. Awareness programmes have spent years teaching employees to spot email phishing. Teams — especially in organisations where IT support routinely uses the platform — remains a high-trust channel without the same level of scepticism.
  3. Cross-tenant impersonation is trivial. An external attacker can create a Microsoft 365 tenant with the name and logo of any company’s “IT Support” and send messages as if they were internal staff. The only warning signal is the “External” indicator on the profile — which few users actively check.
  4. The Teams interaction eliminates technical barriers in the initial phase. A Teams session with a link to a “patch” requires no software vulnerability exploitation. The attack vector is the user themselves, convinced to voluntarily install the implant.

How the attack works: from email bombing to Active Directory theft

The attack chain documented by Mandiant follows these steps with precision:

  1. Email bombing: UNC6692 sends thousands of emails to the victim’s inbox within minutes, overwhelming their work environment and creating urgency. The group’s automation is notable: recent telemetry shows Teams chats initiated with differences of tens of seconds between multiple simultaneous targets.
  2. Microsoft Teams impersonation: the attacker contacts the victim via Teams from an external account, posing as IT helpdesk, and shares a link to a “patch” that supposedly stops the email bombing. The phishing page is named “Mailbox Repair and Sync Utility v2.1.5.”
  3. SNOWBELT download and installation: the link downloads a dropper that executes AutoHotkey scripts and launches a headless Microsoft Edge instance (invisible to the user) with the malicious SNOWBELT extension installed, under names such as “MS Heartbeat” or “System Heartbeat.” Persistence is established via a Windows Startup folder shortcut and a scheduled task.
  4. SNOWGLAZE deployment: SNOWBELT downloads the remaining Snow ecosystem components, including SNOWGLAZE, a Python-based tunneller that creates an encrypted WebSocket to the attacker’s C2 infrastructure (frequently Heroku subdomains), masking malicious traffic as legitimate HTTPS communications.
  5. SNOWBASIN activation: the Python backdoor SNOWBASIN establishes a local HTTP server accepting attacker commands and executing PowerShell or cmd.exe. It enables screenshots, file transfers and remote command execution.
  6. Internal reconnaissance: the attacker uses a Python script to scan the internal network for ports 135, 445 and 3389 (file shares, SMB and RDP), mapping the environment’s assets.
  7. Lateral movement to the domain controller: via the SNOWGLAZE tunnel, the attacker establishes a PsExec session to the backup server and opens an RDP session. Using the local administrator account, they dump LSASS process memory via Windows Task Manager to obtain password hashes. Pass-The-Hash is then used to move laterally to the domain controllers.
  8. Active Directory extraction: using FTK Imager, the attacker mounts local drives and extracts the NTDS.dit file (the complete Active Directory database containing all users, groups, policies and domain password hashes) together with the SAM, SYSTEM and SECURITY registry hives.
  9. Exfiltration: data is sent externally using LimeWire as the transfer tool, blending malicious traffic with apparently legitimate network activity.

The result: the attacker leaves with the credentials of every domain user, including administrators and service accounts — enabling access to any system in the environment weeks or months later, even if the initial incident is detected and “contained.”

Key lessons, IoCs and checklist for AD teams, SOC and CISOs

Indicators of compromise (IoCs) to monitor right now:

  • Inbound Microsoft Teams chat requests from unverified external accounts claiming to be IT support, especially following an email bombing event.
  • Installation of Chrome or Edge extensions with names such as “MS Heartbeat,” “System Heartbeat” or other names mimicking corporate tools.
  • Execution of Microsoft Edge or Chrome instances in headless mode (--headless, --load-extension) from unexpected processes.
  • AutoHotkey activity (ahk.exe or autohotkey.exe) outside known automation contexts.
  • Outbound WebSocket connections to Heroku subdomains (.herokuapp.com) not on the approved list.
  • Access to the lsass.exe process by unauthorised processes, especially from taskmgr.exe outside planned maintenance windows.
  • Execution of FTK Imager (FTKImager.exe or ftkimager.exe) outside authorised forensic contexts.
  • Creation of or access to the NTDS.dit file or the SAM/SYSTEM/SECURITY hives on domain controllers.
  • Use of LimeWire or network traffic to unapproved file-sharing domains.
  • Recently created scheduled tasks that do not correspond to any known environment policy.

Action checklist for AD teams, SOC and CISOs:

  • Configure Teams to restrict external chats: in the Microsoft Teams Admin Centre, limit or block inbound chat requests from accounts in external organisations that have not been verified. Legitimate internal IT support never initiates contact from an external tenant account.
  • Communicate the email bombing + Teams pattern to all staff: the attack depends on surprise. An employee who understands that email bombing is the precursor to a Teams impersonation will not fall for the second step.
  • Implement LSASS access alerts: configure the EDR to alert when any unauthorised process accesses lsass.exe, especially from taskmgr.exe outside planned maintenance windows.
  • Monitor NTDS.dit creation and access: any access to the NTDS.dit file on a domain controller outside approved backup processes must trigger an immediate critical alert.
  • Alert on unplanned forensic tools: execution of FTK Imager, Volatility or other forensic acquisition tools outside the SOC must generate a high-priority alert.
  • Audit browser extensions on corporate endpoints: review active extensions in Chrome and Edge, especially on executive devices. Any extension not deployed via Group Policy (GPO) must be investigated.
  • Enable the Protected Users Security Group in Active Directory: members of this group cannot use NTLM or Kerberos delegation, making Pass-The-Hash significantly harder. Apply to all privileged and domain admin accounts.
  • Review and harden Credential Guard: enable Windows Defender Credential Guard on all endpoints to protect LSASS secrets from direct memory access.
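The extension audit in the checklist can be scripted against the profile data Edge and Chrome already keep on disk. The following is an added example written for this post (not Apolo's, Mandiant's or Microsoft's code): it reads the extensions.settings map from a Chromium-family Preferences / Secure Preferences JSON file and compares it with the extension IDs a GPO pushes through ExtensionInstallForcelist. The numeric location codes are an assumption taken from the Chromium ManifestLocation enum and should be verified against the browser version deployed; the JSON profile and the force-list are constructed samples, not data from any real endpoint.

```python
"""Audit Edge/Chrome extension inventory against a GPO force-install list (added example)."""
import json
import re

# Chromium ManifestLocation codes (assumption, verify for the deployed version):
# 1 internal (user-installed), 4 unpacked (--load-extension / developer mode),
# 7 external policy download, 8 command line, 9 external policy.
UNPACKED_OR_CMDLINE = {4, 8}
POLICY_INSTALLED = {7, 9}
# Names seen in this campaign or mimicking IT tooling.
SUSPECT_NAME = re.compile(r"heartbeat|mailbox repair|sync utility", re.I)


def audit_extensions(prefs_json: str, forcelist_ids: set[str]) -> list[dict]:
    """Return one finding per extension that needs investigation, with a severity."""
    settings = json.loads(prefs_json).get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, ext in settings.items():
        name = ext.get("manifest", {}).get("name", "<unknown>")
        loc = ext.get("location")
        reasons, severity = [], "medium"
        if loc in UNPACKED_OR_CMDLINE:
            reasons.append("loaded unpacked or from the command line (sideloaded)")
            severity = "high"
        if SUSPECT_NAME.search(name):
            reasons.append("name mimics a corporate/IT tool")
            severity = "high"
        if ext_id not in forcelist_ids and loc not in POLICY_INSTALLED:
            reasons.append("not deployed by the GPO force-list")
        if not ext.get("from_webstore", False) and loc not in POLICY_INSTALLED:
            reasons.append("not installed from the Web Store")
        if reasons:
            findings.append({"id": ext_id, "name": name, "location": loc,
                             "path": ext.get("path"), "severity": severity,
                             "reasons": reasons})
    return findings


# Constructed sample: the shape Chromium uses under extensions.settings.<id>.
SAMPLE_SECURE_PREFS = json.dumps({"extensions": {"settings": {
    # corporate extension pushed by GPO
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"location": 9, "from_webstore": True,
        "manifest": {"name": "Corp Password Manager", "version": "3.2"}},
    # user-installed Web Store extension, not on the force-list
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"location": 1, "from_webstore": True,
        "manifest": {"name": "Tab Sorter", "version": "1.0"}},
    # sideloaded extension using the naming pattern described in the post
    "cccccccccccccccccccccccccccccccc": {"location": 4, "from_webstore": False,
        "path": r"C:\Users\cfo\AppData\Local\MSHeartbeat",
        "manifest": {"name": "MS Heartbeat", "version": "1.0.3"}},
}}})
GPO_FORCELIST = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}  # constructed: IDs from ExtensionInstallForcelist

if __name__ == "__main__":
    for f in audit_extensions(SAMPLE_SECURE_PREFS, GPO_FORCELIST):
        print(f"[{f['severity']}] {f['name']} ({f['id']}) at {f['path']}: " + "; ".join(f["reasons"]))
```

On the constructed profile the GPO-deployed extension is silent, the user-installed Web Store extension is reported as medium (present but not policy-managed, which the checklist says to investigate), and the sideloaded "MS Heartbeat" entry is reported as high on three separate grounds. In practice the script would be run per user profile directory on executive endpoints first, since that is where this campaign concentrates.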

Cybersecurity as a strategic priority

UNC6692’s Snow ecosystem campaign confirms a reality that no longer admits nuance: corporate collaboration platforms — Microsoft Teams, Slack, Google Workspace — have become first-tier attack surfaces. Email is no longer the only vector security teams must watch. And the consequences of ignoring this vector are maximal: extracting an NTDS.dit is the equivalent of holding the keys to the entire corporate domain, present and future.

For Spanish organisations, the message is direct: the email bombing + Teams combination is being automated at scale. The time between the first Teams contact and complete domain compromise is measured in hours, not days. Defences that do not explicitly treat collaboration platforms as attack vectors — with external access controls, extension monitoring and AD alerting — have a critical gap open right now.

Apolo Cybersecurity: Active Directory protection and collaboration platform attack detection

At Apolo Cybersecurity we help organisations protect their Active Directory against domain theft techniques such as those used by UNC6692. We work on Active Directory auditing and hardening, lateral movement and Pass-The-Hash detection, external access control configuration for Microsoft Teams and collaboration platforms, Credential Guard and Protected Users implementation, continuous endpoint monitoring for forensic tool and LSASS dump detection, and attack simulations covering the social engineering vectors documented in this campaign.

If your organisation uses Microsoft Teams and does not have specific controls against external chat requests or Active Directory alerting, the UNC6692 pattern is active right now. And if any of your executives has received a mass email bombing in the last few days, that may have been the first step of the attack.
