{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/microsoft-teams/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["UNC6692"],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Microsoft Teams","Chromium"],"_cs_severities":["high"],"_cs_tags":["social-engineering","malware","cloud-abuse","credential-theft","lateral-movement"],"_cs_type":"threat","_cs_vendors":["Microsoft","Google","Amazon"],"content_html":"\u003cp\u003eUNC6692 is a newly tracked, financially motivated threat group that employs a multi-stage intrusion campaign combining persistent social engineering and custom modular malware. The actor begins by flooding a target\u0026rsquo;s email inbox before contacting them via Microsoft Teams, posing as help desk personnel to resolve the issue. This leads to a phishing attack where victims are tricked into downloading and executing malicious payloads. UNC6692 abuses legitimate cloud infrastructure, specifically AWS S3 buckets, for payload delivery, command and control (C2), and data exfiltration, allowing them to bypass traditional network reputation filters. The group\u0026rsquo;s operations are focused on gaining access and stealing credentials for further actions, ultimately aiming to exfiltrate data of interest from compromised systems. The initial campaign was observed in late December.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker floods a target\u0026rsquo;s email inbox to create a sense of urgency.\u003c/li\u003e\n\u003cli\u003eThe attacker contacts the target via Microsoft Teams, impersonating help desk personnel.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a phishing link via Teams, promising a local patch to fix the email spamming issue.\u003c/li\u003e\n\u003cli\u003eThe target clicks the link, which downloads a renamed AutoHotKey binary and an AutoHotkey script from a threat actor-controlled AWS S3 bucket.\u003c/li\u003e\n\u003cli\u003eExecution of the AutoHotKey binary automatically runs the script, initiating reconnaissance commands and installing the SNOWBELT malicious Chromium browser extension.\u003c/li\u003e\n\u003cli\u003eSNOWBELT facilitates the download of additional tools, including the Snowglaze Python tunneler, the Snowbasin Python bindshell (used as a persistent backdoor), additional AutoHotkey scripts, and a portable Python executable with required libraries.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a Python script to scan the local network for ports 135, 445, and 3389 and enumerate local administrator accounts.\u003c/li\u003e\n\u003cli\u003eThe attacker uses a local administrator account to initiate an RDP session via Snowglaze from the compromised system to a backup server, then dumps LSASS process memory and uses pass-the-hash to move laterally to the domain controller.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe UNC6692 attack leads to the compromise of targeted systems, credential theft, and potential data exfiltration. If successful, the attacker gains control over the domain controller, allowing them to access sensitive information and potentially cause significant damage to the organization. The abuse of AWS S3 buckets allows the threat actor to blend in with legitimate cloud traffic, making detection more difficult. The financial motivation suggests that stolen credentials and data could be used for further malicious activities, such as ransomware attacks or sale on the dark web.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for AutoHotKey execution, especially when associated with downloads from unusual locations like AWS S3 buckets, to detect initial payload execution (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eImplement network monitoring to detect unusual RDP connections initiated from compromised systems to internal servers, as this is a key lateral movement technique used by UNC6692 (see Sigma rule below).\u003c/li\u003e\n\u003cli\u003eMonitor for the installation of new Chromium extensions, especially those not distributed through the Chrome Web Store, as this is how the SNOWBELT malware is deployed.\u003c/li\u003e\n\u003cli\u003eMonitor for the use of Python scripts to scan the local network for open ports (135, 445, 3389) and enumerate local administrator accounts.\u003c/li\u003e\n\u003cli\u003eInvestigate any Microsoft Teams messages delivering links that promise to fix technical problems, as this is the initial social engineering tactic used by UNC6692.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T14:00:00Z","date_published":"2026-04-28T14:00:00Z","id":"/briefs/2026-04-unc6692-social-engineering/","summary":"UNC6692 is a newly discovered, financially motivated threat actor that combines social engineering via Microsoft Teams, custom malware named SNOWBELT, and abuse of legitimate AWS S3 cloud infrastructure in its attack campaigns to steal credentials and prepare for data exfiltration.","title":"UNC6692 Combines Social Engineering, Malware, and Cloud Abuse","url":"https://feed.craftedsignal.io/briefs/2026-04-unc6692-social-engineering/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Elastic Defend","SentinelOne Cloud Funnel","Microsoft Teams","Google Chrome","Mozilla Firefox","Opera","Cisco WebEx","Discord","WhatsApp","Zoom","Brave Browser","Slack","thunderbird.exe"],"_cs_severities":["medium"],"_cs_tags":["defense-evasion","persistence","windows"],"_cs_type":"advisory","_cs_vendors":["Elastic","SentinelOne","Microsoft","Google","Mozilla","Opera","Cisco","Discord","WhatsApp","Zoom","Brave"],"content_html":"\u003cp\u003eThis detection rule focuses on identifying suspicious child processes of communication applications such as Slack, Cisco Webex, Microsoft Teams, Discord, WhatsApp, Zoom, and Thunderbird on Windows operating systems. Attackers may attempt to masquerade as legitimate processes or exploit vulnerabilities in these applications to execute malicious code. The rule monitors for the creation of child processes by these communication apps and checks if those child processes are unexpected, untrusted, or lack a valid code signature. This detection is crucial because successful exploitation can lead to unauthorized access, data exfiltration, or further compromise of the system. The rule has been actively maintained since August 2023, with updates as recent as May 2026, indicating its relevance and ongoing refinement to address emerging threats.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser launches a communication application (e.g., Slack, Teams, Webex).\u003c/li\u003e\n\u003cli\u003eThe communication application executes a vulnerable or compromised component.\u003c/li\u003e\n\u003cli\u003eThe compromised component spawns a child process (e.g., powershell.exe, cmd.exe).\u003c/li\u003e\n\u003cli\u003eThe child process executes a malicious command or script.\u003c/li\u003e\n\u003cli\u003eThe script attempts to download additional payloads from an external source.\u003c/li\u003e\n\u003cli\u003eThe payload executes, establishing persistence through registry modification or scheduled tasks.\u003c/li\u003e\n\u003cli\u003eThe attacker gains remote access to the system.\u003c/li\u003e\n\u003cli\u003eData exfiltration or lateral movement within the network occurs.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack can lead to the compromise of sensitive data, installation of malware, and potential lateral movement within the organization\u0026rsquo;s network. By exploiting communication applications, attackers can gain access to internal communications, confidential documents, and user credentials. The number of affected users and the extent of the damage depend on the compromised application and the attacker\u0026rsquo;s objectives. If successful, this attack may lead to significant financial loss, reputational damage, and disruption of business operations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eSuspicious Communication App Child Process\u003c/code\u003e to your SIEM to detect anomalous child processes spawned by communication applications and tune for your environment.\u003c/li\u003e\n\u003cli\u003eEnable process creation logging with command line arguments in Windows to ensure that the Sigma rule has the necessary data to function correctly (logsource: \u003ccode\u003eprocess_creation\u003c/code\u003e, product: \u003ccode\u003ewindows\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by the rule and review the command line arguments of the spawned processes to identify potential malicious activity.\u003c/li\u003e\n\u003cli\u003eImplement application whitelisting to restrict the execution of unauthorized applications and reduce the attack surface.\u003c/li\u003e\n\u003cli\u003eEnsure that all communication applications are updated to the latest versions to patch known vulnerabilities and reduce the risk of exploitation.\u003c/li\u003e\n\u003cli\u003eExamine the network activity of the affected system to identify any suspicious outbound connections that may indicate data exfiltration or communication with a command and control server, referencing the setup guide.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-31T12:00:00Z","date_published":"2024-01-31T12:00:00Z","id":"/briefs/2024-01-suspicious-comm-app-child-process/","summary":"The detection rule identifies suspicious child processes spawned from communication applications on Windows systems, potentially indicating masquerading or exploitation of vulnerabilities within these applications.","title":"Suspicious Child Processes from Communication Applications","url":"https://feed.craftedsignal.io/briefs/2024-01-suspicious-comm-app-child-process/"}],"language":"en","title":"CraftedSignal Threat Feed — Microsoft Teams","version":"https://jsonfeed.org/version/1.1"}