Corporate email has once again become a convenient way in for attackers. In this new campaign the attackers do not break in directly. Instead they manufacture a familiar workplace nuisance for employees and then promptly offer "help" over Microsoft Teams while posing as IT support staff.
Mandiant has detailed the tradecraft of the group it tracks as UNC6692, which combines high-volume email bombing, phishing, and malicious browser extensions. First the victim's inbox is flooded with messages; then an attacker using an external account reaches out through Microsoft Teams. Posing as an IT support specialist, the attacker offers to fix the ongoing spam problem.
During the chat the victim is talked into installing a supposed "official mail update". The link leads to a site disguised as a "Mailbox Repair Utility". Running the downloaded script deploys the SnowBelt malicious browser extension, which gives the attackers persistent access to the victim's corporate accounts and lets them reuse that access across internal systems without having to re-authenticate each time.
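The first two stages described above leave a distinctive pattern in telemetry: a burst of inbound mail to one user, followed within hours by a Teams chat from an account outside the tenant. The following correlation rule is an added example written for this page, not code from Mandiant's report or from any UNC6692 tooling. The event format, the user and sender addresses, and the tuning values (30 messages in 10 minutes, a 4-hour lookahead) are all constructed assumptions; the sample telemetry is fabricated for the demonstration.

```python
"""Toy correlation: mailbox flood followed by an external Teams contact.

Added example for this article; not Mandiant's detection logic.
Event shape, addresses and thresholds are assumptions, not report data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FLOOD_WINDOW = timedelta(minutes=10)   # assumed tuning value
FLOOD_THRESHOLD = 30                   # assumed tuning value
LOOKAHEAD = timedelta(hours=4)         # assumed tuning value


def build_sample_events():
    """Constructed telemetry for three users (not real logs)."""
    base = datetime.fromisoformat("2024-05-01T09:00:00")
    events = []
    # alice: 60 inbound messages in ~8 minutes, then an external Teams chat 40 min later
    for i in range(60):
        events.append({"ts": base + timedelta(seconds=8 * i),
                       "kind": "mail_inbound", "user": "alice@corp.example"})
    events.append({"ts": base + timedelta(minutes=40), "kind": "teams_chat",
                   "user": "alice@corp.example", "sender": "helpdesk@example.net",
                   "external": True})
    # bob: normal mail volume, then an external chat -> no flood, so no alert
    for i in range(5):
        events.append({"ts": base + timedelta(minutes=2 * i),
                       "kind": "mail_inbound", "user": "bob@corp.example"})
    events.append({"ts": base + timedelta(minutes=30), "kind": "teams_chat",
                   "user": "bob@corp.example", "sender": "vendor@example.org",
                   "external": True})
    # carol: flooded, but the only follow-up chat is internal -> flood noted, no alert
    for i in range(45):
        events.append({"ts": base + timedelta(seconds=5 * i),
                       "kind": "mail_inbound", "user": "carol@corp.example"})
    events.append({"ts": base + timedelta(minutes=20), "kind": "teams_chat",
                   "user": "carol@corp.example", "sender": "dave@corp.example",
                   "external": False})
    return sorted(events, key=lambda e: e["ts"])


def find_mail_floods(events, window=FLOOD_WINDOW, threshold=FLOOD_THRESHOLD):
    """Return {user: first timestamp at which >= threshold inbound mails fell within window}."""
    per_user = defaultdict(list)
    for e in events:
        if e["kind"] == "mail_inbound":
            per_user[e["user"]].append(e["ts"])
    floods = {}
    for user, stamps in per_user.items():
        stamps.sort()
        j = 0  # sliding right edge; only moves forward because stamps are sorted
        for i, start in enumerate(stamps):
            while j < len(stamps) and stamps[j] - start <= window:
                j += 1
            if j - i >= threshold:
                floods[user] = start
                break
    return floods


def correlate(events, lookahead=LOOKAHEAD, **flood_kwargs):
    """Alert when an external Teams chat reaches a flooded user within the lookahead."""
    floods = find_mail_floods(events, **flood_kwargs)
    alerts = []
    for e in events:
        if e["kind"] != "teams_chat" or not e.get("external"):
            continue
        flood_at = floods.get(e["user"])
        if flood_at is not None and flood_at <= e["ts"] <= flood_at + lookahead:
            alerts.append({"user": e["user"], "flood_at": flood_at,
                           "chat_at": e["ts"], "sender": e["sender"]})
    return alerts


if __name__ == "__main__":
    for alert in correlate(build_sample_events()):
        print(alert)
```

Only alice trips the rule: bob never saw a flood and carol's follow-up chat came from inside the tenant. In a real deployment the mail events would come from the mail gateway and the chat events from the Teams audit log, and the thresholds would need tuning against the organisation's normal traffic; the rule is deliberately narrow so that an external Teams contact on its own never alerts.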
According to Mandiant, SnowBelt can fetch additional modules, including the SnowGlaze and SnowBasin utilities, AutoHotkey scripts, and a portable Python environment for running further malicious payloads.
The phishing page is also built to steer the victim toward the intended outcome. If the site is opened in a browser other than Microsoft Edge, a persistent banner urges the user to switch to Edge, where the scheme works best. Another detail concerns credential harvesting: the login form deliberately rejects the first two attempts, forcing the user to retype their details. This greatly raises the odds that the attackers capture correct credentials rather than a mistyped first entry. For defenders, a "support" page that nags you to change browsers, or a login form that refuses known-good credentials twice, is worth treating as a phishing indicator in its own right.
The report's authors describe the UNC6692 campaign as an example of sophisticated social engineering: the attackers exploit the trust placed in everyday corporate platforms and disguise an infection as routine help from the IT department.