https://feed.craftedsignal.io/products/microsoft-teams/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 28 Apr 2026 14:00:00 +0000https://feed.craftedsignal.io/briefs/2026-04-unc6692-social-engineering/Tue, 28 Apr 2026 14:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-unc6692-social-engineering/UNC6692 is a newly discovered, financially motivated threat actor that combines social engineering via Microsoft Teams, custom malware named SNOWBELT, and abuse of legitimate AWS S3 cloud infrastructure in its attack campaigns to steal credentials and prepare for data exfiltration.UNC6692 is a newly tracked, financially motivated threat group that employs a multi-stage intrusion campaign combining persistent social engineering and custom modular malware. The actor begins by flooding a target’s email inbox before contacting them via Microsoft Teams, posing as help desk personnel to resolve the issue. This leads to a phishing attack where victims are tricked into downloading and executing malicious payloads. UNC6692 abuses legitimate cloud infrastructure, specifically AWS S3 buckets, for payload delivery, command and control (C2), and data exfiltration, allowing them to bypass traditional network reputation filters. The group’s operations are focused on gaining access and stealing credentials for further actions, ultimately aiming to exfiltrate data of interest from compromised systems. The initial campaign was observed in late December.

Attack Chain

1. The attacker floods a target’s email inbox to create a sense of urgency.
2. The attacker contacts the target via Microsoft Teams, impersonating help desk personnel.
3. The attacker sends a phishing link via Teams, promising a local patch to fix the email spamming issue.
4. The target clicks the link, which downloads a renamed AutoHotKey binary and an AutoHotkey script from a threat actor-controlled AWS S3 bucket.
5. Execution of the AutoHotKey binary automatically runs the script, initiating reconnaissance commands and installing the SNOWBELT malicious Chromium browser extension.
6. SNOWBELT facilitates the download of additional tools, including the Snowglaze Python tunneler, the Snowbasin Python bindshell (used as a persistent backdoor), additional AutoHotkey scripts, and a portable Python executable with required libraries.
7. The attacker uses a Python script to scan the local network for ports 135, 445, and 3389 and enumerate local administrator accounts.
8. The attacker uses a local administrator account to initiate an RDP session via Snowglaze from the compromised system to a backup server, then dumps LSASS process memory and uses pass-the-hash to move laterally to the domain controller.

Impact

The UNC6692 attack leads to the compromise of targeted systems, credential theft, and potential data exfiltration. If successful, the attacker gains control over the domain controller, allowing them to access sensitive information and potentially cause significant damage to the organization. The abuse of AWS S3 buckets allows the threat actor to blend in with legitimate cloud traffic, making detection more difficult. The financial motivation suggests that stolen credentials and data could be used for further malicious activities, such as ransomware attacks or sale on the dark web.

Recommendation

• Monitor for AutoHotKey execution, especially when associated with downloads from unusual locations like AWS S3 buckets, to detect initial payload execution (see Sigma rule below).
• Implement network monitoring to detect unusual RDP connections initiated from compromised systems to internal servers, as this is a key lateral movement technique used by UNC6692 (see Sigma rule below).
• Monitor for the installation of new Chromium extensions, especially those not distributed through the Chrome Web Store, as this is how the SNOWBELT malware is deployed.
• Monitor for the use of Python scripts to scan the local network for open ports (135, 445, 3389) and enumerate local administrator accounts.
• Investigate any Microsoft Teams messages delivering links that promise to fix technical problems, as this is the initial social engineering tactic used by UNC6692.

]]>highthreatsocial-engineeringmalwarecloud-abusecredential-theftlateral-movementhttps://feed.craftedsignal.io/briefs/2024-01-suspicious-comm-app-child-process/Wed, 31 Jan 2024 12:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-suspicious-comm-app-child-process/The detection rule identifies suspicious child processes spawned from communication applications on Windows systems, potentially indicating masquerading or exploitation of vulnerabilities within these applications.This detection rule focuses on identifying suspicious child processes of communication applications such as Slack, Cisco Webex, Microsoft Teams, Discord, WhatsApp, Zoom, and Thunderbird on Windows operating systems. Attackers may attempt to masquerade as legitimate processes or exploit vulnerabilities in these applications to execute malicious code. The rule monitors for the creation of child processes by these communication apps and checks if those child processes are unexpected, untrusted, or lack a valid code signature. This detection is crucial because successful exploitation can lead to unauthorized access, data exfiltration, or further compromise of the system. The rule has been actively maintained since August 2023, with updates as recent as May 2026, indicating its relevance and ongoing refinement to address emerging threats.

Attack Chain

1. User launches a communication application (e.g., Slack, Teams, Webex).
2. The communication application executes a vulnerable or compromised component.
3. The compromised component spawns a child process (e.g., powershell.exe, cmd.exe).
4. The child process executes a malicious command or script.
5. The script attempts to download additional payloads from an external source.
6. The payload executes, establishing persistence through registry modification or scheduled tasks.
7. The attacker gains remote access to the system.
8. Data exfiltration or lateral movement within the network occurs.

Impact

A successful attack can lead to the compromise of sensitive data, installation of malware, and potential lateral movement within the organization’s network. By exploiting communication applications, attackers can gain access to internal communications, confidential documents, and user credentials. The number of affected users and the extent of the damage depend on the compromised application and the attacker’s objectives. If successful, this attack may lead to significant financial loss, reputational damage, and disruption of business operations.

Recommendation

• Deploy the Sigma rule Suspicious Communication App Child Process to your SIEM to detect anomalous child processes spawned by communication applications and tune for your environment.
• Enable process creation logging with command line arguments in Windows to ensure that the Sigma rule has the necessary data to function correctly (logsource: process_creation, product: windows).
• Investigate any alerts generated by the rule and review the command line arguments of the spawned processes to identify potential malicious activity.
• Implement application whitelisting to restrict the execution of unauthorized applications and reduce the attack surface.
• Ensure that all communication applications are updated to the latest versions to patch known vulnerabilities and reduce the risk of exploitation.
• Examine the network activity of the affected system to identify any suspicious outbound connections that may indicate data exfiltration or communication with a command and control server, referencing the setup guide.

]]>mediumadvisorydefense-evasionpersistencewindows