'An interesting evolution in tactics': Google security experts flag new cyber scam which abuses Microsoft Teams to steal your data

Hackers first create a problem then try to "solve it"

TechRadar · News · By Sead Fadilpašić, published 27 April 2026

(Image credit: Shutterstock)


  • Google identifies new threat group, UNC6692, using spam floods and fake IT support messages via Microsoft Teams to trick victims
  • Targets were lured to a landing page that harvested credentials and deployed a three-part malware framework themed around snow
  • The toolkit includes a persistence-focused browser extension, a tunneling tool for data exfiltration, and a backdoor enabling full endpoint takeover

Google has sounded the alarm on a previously undocumented threat actor group that uses cheeky social engineering tactics to deploy a trilogy of malware.

In an in-depth report, Google said it saw UNC6692, seemingly a new collective, bombard target email inboxes with countless spam messages in a short timeframe.

Soon after, the attackers would reach out to the owner of that inbox via Microsoft Teams, using the cross-tenant chat feature, and introduce themselves as IT or helpdesk staff. They would claim to have been tasked with fixing the spam problem and share a link to a landing page where the supposed fix could be found.
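The two-step pattern above, an inbound spam flood followed within hours by a Teams chat from an unfamiliar external tenant, is correlatable on the defender side. The following is an added detection sketch, not code from Google or TechRadar; the event schema (`ts`, `type`, `user`, `sender_tenant`), the thresholds and the sample events are all constructed for this example and are not a real Microsoft 365 log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tuning knobs (assumed values, not from the article)
FLOOD_THRESHOLD = 50                    # inbound messages inside FLOOD_WINDOW = a flood
FLOOD_WINDOW = timedelta(minutes=10)
FOLLOWUP_WINDOW = timedelta(hours=6)    # Teams contact this soon after the flood is suspicious

def detect_flood_then_teams(events, known_tenants=frozenset()):
    """Return (user, flood_start, teams_ts, sender_tenant) for each mailbox that was
    flooded and then contacted over Teams by an external tenant not in known_tenants."""
    mail, teams = defaultdict(list), defaultdict(list)
    for e in events:
        ts = datetime.fromisoformat(e["ts"])
        if e["type"] == "mail_received":
            mail[e["user"]].append(ts)
        elif e["type"] == "teams_external_chat" and e["sender_tenant"] not in known_tenants:
            teams[e["user"]].append((ts, e["sender_tenant"]))
    alerts = []
    for user, times in mail.items():
        times.sort()
        flood_start, j = None, 0
        for i, t in enumerate(times):            # sliding window over sorted arrival times
            while times[j] < t - FLOOD_WINDOW:
                j += 1
            if i - j + 1 >= FLOOD_THRESHOLD:    # >= threshold messages within FLOOD_WINDOW
                flood_start = times[j]
                break
        if flood_start is None:
            continue
        for ts, tenant in teams.get(user, ()):
            if flood_start <= ts <= flood_start + FOLLOWUP_WINDOW:
                alerts.append((user, flood_start, ts, tenant))
    return alerts

def sample_events():
    """Constructed events: alice is flooded with 60 mails in 5 minutes and pinged over
    Teams two hours later; bob gets a normal trickle of mail and the same Teams ping."""
    t0 = datetime(2026, 4, 27, 9, 0, 0)
    ev = [{"ts": (t0 + timedelta(seconds=5 * k)).isoformat(), "type": "mail_received",
           "user": "alice"} for k in range(60)]
    ev += [{"ts": (t0 + timedelta(hours=h)).isoformat(), "type": "mail_received",
            "user": "bob"} for h in range(4)]
    ev.append({"ts": (t0 + timedelta(hours=2)).isoformat(), "type": "teams_external_chat",
               "user": "alice", "sender_tenant": "helpdesk-support.example"})  # constructed
    ev.append({"ts": (t0 + timedelta(hours=2)).isoformat(), "type": "teams_external_chat",
               "user": "bob", "sender_tenant": "helpdesk-support.example"})    # constructed
    return ev
```

Only alice trips the rule: bob's Teams contact is identical, but it was not preceded by a mail flood.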


The 'snow' framework

Victims who follow the link are first asked to run a “health check” by clicking a button on the page, which prompts them to authenticate with their email address and password; these credentials are then siphoned off to the attackers’ servers.

Google also noticed that the login attempt never succeeds on the first try, a deliberate ploy to increase perceived legitimacy and to ensure victims do not submit a fake or mistyped password.

After “logging in”, the page then performs an “email integrity check”, which is just a cover for what goes on in the background: the deployment of a malware framework consisting of three elements.

"By the time the user receives a 'Configuration completed successfully' message, the attacker has secured the credentials and potentially established a persistent foothold on the endpoint using these staged files," Google said in the report.
