# New Threat Actor UNC6692 Weaponizes Microsoft Teams and Cloud Storage in Multi-Stage Attack Campaign


A newly identified threat actor tracked as UNC6692 is running multi-stage intrusions that combine social engineering over Microsoft Teams, abuse of cloud storage for payload delivery and command and control, and custom malware to compromise organizations. The campaign pairs exploitation of human trust with legitimate cloud infrastructure, which makes it hard to stop with reputation- or perimeter-based controls alone.


## The Threat Overview


Mandiant researchers have identified UNC6692 as an emerging threat actor targeting organizations across multiple sectors. What makes the group notable is its methodical approach: commonly trusted platforms, particularly Microsoft Teams, serve as the social engineering vector, paired with abuse of AWS S3 buckets for command and control and payload delivery.


The campaign centers on a custom malware strain identified as "Snow," a multi-functional tool designed to establish persistent access and enable lateral movement within compromised networks. The combination of social engineering sophistication, cloud infrastructure abuse, and purpose-built malware suggests a well-resourced threat actor with significant operational capability.


## The Attack Chain: Social Engineering Meets Cloud Abuse


UNC6692's infection chain follows a deliberate progression designed to evade traditional security detection:


Initial Compromise via Microsoft Teams


The attack begins with social engineering targeting employees through Microsoft Teams, the widely-deployed enterprise collaboration platform. The threat actor initiates contact that appears legitimate—often posing as a colleague, vendor, or IT support personnel. The social engineering messages are crafted to establish credibility and prompt victims to take specific actions, such as clicking links or downloading files shared through Teams.


This approach is particularly effective because Teams is integrated into most enterprise environments, making it a trusted communication channel. Employees are conditioned to respond to Teams messages and file sharing within their normal workflow, significantly lowering their security alertness compared to external email.


Payload Delivery via AWS S3


Rather than hosting malicious content on dedicated infrastructure, UNC6692 leverages compromised or attacker-controlled AWS S3 buckets as staging points for malware distribution. This technique provides several operational advantages:


  • Reputation laundering: downloads come from Amazon's IP space and well-known `*.amazonaws.com` hostnames, so IP- and domain-reputation filters that would block a freshly registered attacker domain let the traffic through
  • Scalability: cloud storage offers effectively unlimited bandwidth and high availability for serving payloads
  • Attribution friction: defenders see only a bucket name and Amazon's addresses; tying a bucket to its owner requires the provider's cooperation, which slows forensic investigation
  • Cost shifting: when the bucket sits in a compromised AWS account, the victim of that compromise pays for the hosting

The buckets host the Snow malware and its supporting tools, and the Teams conversation steers the target into downloading and executing the payload from them.


## Technical Deep Dive: The Snow Malware


Snow is a custom-developed malware suite that serves as the operational foundation for UNC6692's post-compromise activities. The malware demonstrates several sophisticated capabilities:


Core Functionality


| Capability | Purpose |
|-----------|---------|
| Command Execution | Execute arbitrary commands on compromised systems |
| Lateral Movement | Propagate across network segments and systems |
| Data Exfiltration | Identify and extract sensitive files and credentials |
| Persistence Mechanisms | Maintain access across system reboots and credential rotation |
| Defense Evasion | Bypass endpoint detection and response (EDR) tools |
| Reconnaissance | Enumerate network resources and identify high-value targets |


Execution and Obfuscation


Snow employs multiple obfuscation and evasion techniques to avoid signature-based detection:


  • Living-off-the-land: leverages legitimate Windows binaries and PowerShell for malicious activity, so execution blends in with administrative tooling
  • Code injection: injects malicious code into trusted processes to hide its presence
  • Encrypted communications: encrypts command-and-control traffic so that its contents cannot be inspected in transit
  • Scheduled execution: spreads activity over time to avoid the bursty patterns that frequency-based detections key on

The malware uses S3 as its command-and-control channel, exchanging data through bucket objects rather than contacting a dedicated server. Because S3 is reached over HTTPS on Amazon hostnames, this traffic is indistinguishable at the network layer from legitimate cloud use unless the proxy inspects TLS or restricts which buckets endpoints may reach.
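How an S3-based command channel of this kind can be spotted in ordinary web-proxy logs, as an added example (this is not code from Mandiant's reporting or from the malware): the script parses a small constructed proxy log, identifies which requests go to S3 buckets in either URL style, flags client/bucket pairs whose request timing is too regular to be a person, and lists executable downloads from S3. The log format, bucket names, hosts and thresholds are assumptions.

```python
"""Flag S3 traffic in web-proxy logs that looks like implant tasking rather than human use.

Added example, not from the UNC6692 reporting. Assumes one request per line in the form
"<ISO-8601 time> <client ip> <method> <url> <status> <bytes>"; adjust parse_log() for your
proxy. All hosts, bucket names and paths below are constructed.
"""
from __future__ import annotations

import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlparse

# File types a Teams "shared file" lure would plausibly deliver; tune to your environment.
PAYLOAD_EXTENSIONS = (".exe", ".dll", ".msi", ".ps1", ".bat", ".lnk", ".iso", ".zip")

# Constructed sample: 10.1.2.30 fetches an installer, polls one object every ~60 s and
# uploads a result; 10.1.2.45 reads backups at irregular, human-paced intervals.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z 10.1.2.30 GET https://wintersupport-files.s3.amazonaws.com/setup/TeamsUpdate.exe 200 3145728
2024-05-01T09:01:00Z 10.1.2.30 GET https://wintersupport-files.s3.amazonaws.com/tasks/host-30.json 200 128
2024-05-01T09:02:01Z 10.1.2.30 GET https://wintersupport-files.s3.amazonaws.com/tasks/host-30.json 200 128
2024-05-01T09:02:59Z 10.1.2.30 GET https://wintersupport-files.s3.amazonaws.com/tasks/host-30.json 200 131
2024-05-01T09:04:00Z 10.1.2.30 GET https://wintersupport-files.s3.amazonaws.com/tasks/host-30.json 200 128
2024-05-01T09:05:00Z 10.1.2.30 PUT https://wintersupport-files.s3.amazonaws.com/results/host-30.bin 200 20480
2024-05-01T09:00:12Z 10.1.2.45 GET https://s3.eu-west-1.amazonaws.com/corp-backups/2024/05/db.sql.gz 200 90112
2024-05-01T09:13:40Z 10.1.2.45 GET https://s3.eu-west-1.amazonaws.com/corp-backups/2024/05/files.tar 200 409600
2024-05-01T09:47:05Z 10.1.2.45 GET https://s3.eu-west-1.amazonaws.com/corp-backups/2024/05/notes.txt 200 2048
2024-05-01T10:02:30Z 10.1.2.45 GET https://s3.eu-west-1.amazonaws.com/corp-backups/2024/05/db.sql.gz 200 90112
2024-05-01T10:05:00Z 10.1.2.45 GET https://www.example.com/index.html 200 5120
"""

def s3_bucket(url: str) -> str | None:
    """Bucket name addressed by an S3 URL (path- or virtual-hosted style), else None."""
    parsed = urlparse(url)
    host = parsed.hostname or ""
    if not host.endswith(".amazonaws.com"):
        return None
    if host.startswith(("s3.", "s3-")):            # https://s3.<region>.amazonaws.com/<bucket>/<key>
        return parsed.path.lstrip("/").split("/", 1)[0] or None
    if re.search(r"\.s3[.-]", host):               # https://<bucket>.s3.<region>.amazonaws.com/<key>
        return re.split(r"\.s3[.-]", host, maxsplit=1)[0]
    return None

def parse_log(text: str) -> list[dict]:
    """Keep only requests to S3, parsed into dicts with a UTC datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, size = line.split()
        bucket = s3_bucket(url)
        if bucket is None:
            continue
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
                       "client": client, "method": method, "url": url, "bucket": bucket,
                       "status": int(status), "bytes": int(size)})
    return events

def find_beacons(events, min_requests=4, max_cv=0.1, max_mean_interval=3600.0) -> list[dict]:
    """Client/bucket pairs whose request spacing is too regular to be a person.

    The coefficient of variation (stdev / mean) of the gaps between requests is close to
    zero for a timer-driven implant and large for interactive or batch use.
    """
    by_pair: dict[tuple[str, str], list[dict]] = defaultdict(list)
    for e in events:
        by_pair[(e["client"], e["bucket"])].append(e)
    findings = []
    for (client, bucket), reqs in by_pair.items():
        if len(reqs) < min_requests:
            continue
        times = sorted(r["time"] for r in reqs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        if mean == 0 or mean > max_mean_interval:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            findings.append({"client": client, "bucket": bucket, "requests": len(reqs),
                             "mean_interval_s": round(mean, 1), "cv": round(cv, 3),
                             # Uploads to a beaconing bucket suggest results or stolen data going out.
                             "uploads": sum(1 for r in reqs if r["method"] in ("PUT", "POST"))})
    return findings

def find_payload_downloads(events) -> list[dict]:
    """Executable-looking objects fetched from S3: the 'shared file' of a Teams lure."""
    return [e for e in events if e["method"] == "GET" and e["url"].lower().endswith(PAYLOAD_EXTENSIONS)]

if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for f in find_beacons(evts):
        print("beacon:", f)
    for d in find_payload_downloads(evts):
        print("payload download:", d["client"], d["url"])
```

The check works without TLS inspection as long as the proxy logs full URLs; if it records only CONNECT hostnames, drop the payload-extension check and key the beacon check on the bucket hostname alone. Expect to tune `min_requests` and `max_cv`: backup agents and sync clients also poll on timers, so the output is a triage list, and a bucket that no business unit recognises is the real signal.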


## Cloud Infrastructure Abuse: A Growing Trend


UNC6692's exploitation of AWS S3 buckets reflects a broader shift in threat actor tradecraft. Rather than maintaining dedicated command-and-control servers that are vulnerable to takedown, sophisticated adversaries are increasingly weaponizing legitimate cloud services. This approach offers several advantages:


Detection Evasion

  • Security teams often have less visibility into cloud-bound traffic than into traditional network perimeter traffic
  • Cloud provider detection systems may struggle to distinguish legitimate from malicious S3 access patterns at scale

Attribution Obfuscation

  • Multiple attacker groups can use shared cloud infrastructure, muddying attribution efforts
  • Legitimate cloud usage by compromised organizations complicates forensic timelines

Operational Resilience

  • Cloud infrastructure provides geographic redundancy and uptime guarantees
  • Taking down attacker infrastructure requires coordination with cloud providers and law enforcement

## Implications for Organizations


UNC6692's campaign highlights several weaknesses in modern enterprise security:


Social Engineering Effectiveness


The reliance on Microsoft Teams as a social engineering vector underscores that technical defenses alone are insufficient. Teams' integration into daily workflows makes it an ideal platform for building trust before requesting suspicious actions.


Cloud Security Gaps


The abuse of S3 exposes gaps on two sides. Where the buckets belong to compromised organizations, overly permissive bucket policies, missing logging and weak credential controls allowed them to be repurposed. Where the buckets are attacker-owned, the gap is on the victim's side: most organizations allow endpoints to reach any S3 bucket, so a payload or command channel hosted there passes controls that would block an unknown domain.


Malware Sophistication


Snow's multi-stage architecture and evasion capabilities indicate that endpoint detection tools may struggle to identify the threat without behavioral analytics and threat intelligence integration.


## Recommendations for Defense


Organizations should implement a layered defense strategy addressing both technical and human elements:


User Awareness and Behavior


  • Conduct regular security awareness training emphasizing the risks of social engineering on Teams and similar platforms
  • Establish clear protocols for verifying unusual requests, particularly those asking for file downloads or link clicks; an unsolicited "IT support" chat should be confirmed through a known-good channel before anything is run
  • Implement reporting mechanisms for suspicious Teams communications
  • Use Teams' external access (federation) settings to restrict chat from outside the organization to an allowlist of trusted domains, and block messages from unmanaged personal Teams accounts

Cloud Security Hardening


  • Audit S3 bucket configurations: turn on S3 Block Public Access at the account level, set Object Ownership to BucketOwnerEnforced so legacy ACLs are ignored, and review bucket policies for wildcard principals
  • Enable logging: turn on CloudTrail management events and, separately, S3 data events (or S3 server access logging) for the buckets that matter; without data events, GetObject and PutObject calls are never recorded
  • Implement MFA: require multi-factor authentication for console access and for any principal that can change bucket policies or public access settings
  • Use access policies: apply least privilege to IAM roles and credentials, and prefer short-lived role credentials over long-lived access keys
  • Monitor for anomalies: deploy cloud-native detection (for example Amazon GuardDuty's S3 protection) to surface unusual S3 access patterns
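An offline way to carry out the first of these points for buckets you own, as an added example (not AWS's or Mandiant's code): the script takes a bucket's policy, Block Public Access configuration and Object Ownership setting in the shapes boto3 returns, reports wildcard-principal grants, missing Block Public Access settings and ACL exposure, and rolls them into a single verdict. The two sample buckets, the account ID and the VPC endpoint ID are constructed.

```python
"""Offline audit of S3 bucket exposure: bucket policy, Block Public Access and ACL state.

Added example, not Mandiant's or AWS's code. assess_bucket() takes bucket state in the
shapes boto3 returns: get_bucket_policy()["Policy"] (a JSON string),
get_public_access_block()["PublicAccessBlockConfiguration"], and the ObjectOwnership value
from get_bucket_ownership_controls(). The two sample buckets below are constructed.
"""
from __future__ import annotations

import json

PAB_SETTINGS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")

def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]

def _is_wildcard_principal(principal) -> bool:
    """True for Principal "*" or {"AWS": "*"}, the two spellings of 'anyone'."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False

def public_statements(policy_json: str | None) -> list[dict]:
    """Allow statements open to any principal. 'conditional' is True when a Condition block
    (for example aws:SourceVpce or aws:SourceIp) narrows the grant; review those too."""
    if not policy_json:
        return []
    out = []
    for stmt in _as_list(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        out.append({"sid": stmt.get("Sid", "<no Sid>"), "actions": _as_list(stmt.get("Action", [])),
                    "conditional": bool(stmt.get("Condition"))})
    return out

def public_access_block_gaps(pab: dict | None) -> list[str]:
    """Block Public Access settings that are missing or false (no configuration = all four)."""
    if not pab:
        return list(PAB_SETTINGS)
    return [k for k in PAB_SETTINGS if not pab.get(k, False)]

def assess_bucket(name: str, policy_json: str | None, pab: dict | None, object_ownership: str | None) -> dict:
    """Combine the checks into one verdict: 'public' (reachable by anyone now), 'review' or 'ok'."""
    findings = []
    pub = public_statements(policy_json)
    for s in pub:
        kind = "conditionally-public-policy" if s["conditional"] else "public-policy"
        findings.append(f"{kind}: statement {s['sid']} allows {','.join(s['actions'])} to *")
    gaps = public_access_block_gaps(pab)
    if gaps:
        findings.append("block-public-access incomplete: " + ",".join(gaps))
    if object_ownership != "BucketOwnerEnforced":
        findings.append(f"legacy ACLs still honoured (ObjectOwnership={object_ownership})")
    # RestrictPublicBuckets=true neutralises a public policy; without it the grant is live.
    if any(not s["conditional"] for s in pub) and "RestrictPublicBuckets" in gaps:
        verdict = "public"
    else:
        verdict = "review" if findings else "ok"
    return {"bucket": name, "verdict": verdict, "findings": findings}

# Constructed sample state for two buckets (account ID and VPC endpoint ID are placeholders).
SAMPLE_BUCKETS = {
    "wintersupport-files": {
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "AnyoneCanRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::wintersupport-files/*"},
            {"Sid": "VpcList", "Effect": "Allow", "Principal": {"AWS": "*"},
             "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::wintersupport-files",
             "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}),
        "pab": None,
        "ownership": "ObjectWriter",
    },
    "corp-backups": {
        "policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Sid": "BackupRole", "Effect": "Allow",
             "Principal": {"AWS": "arn:aws:iam::111122223333:role/backup-writer"},
             "Action": ["s3:PutObject", "s3:GetObject"], "Resource": "arn:aws:s3:::corp-backups/*"}]}),
        "pab": {k: True for k in PAB_SETTINGS},
        "ownership": "BucketOwnerEnforced",
    },
}

def assess_all(buckets: dict = SAMPLE_BUCKETS) -> list[dict]:
    return [assess_bucket(n, b["policy"], b["pab"], b["ownership"]) for n, b in buckets.items()]

if __name__ == "__main__":
    for result in assess_all():
        print(result["bucket"], result["verdict"], *result["findings"], sep="\n  ")
```

To run this against a real account, feed `assess_bucket()` the results of `s3.get_bucket_policy(Bucket=name)["Policy"]`, `s3.get_public_access_block(Bucket=name)["PublicAccessBlockConfiguration"]` and the `ObjectOwnership` rule from `s3.get_bucket_ownership_controls(Bucket=name)`; the first two raise `NoSuchBucketPolicy` and `NoSuchPublicAccessBlockConfiguration` when nothing is set, which the code treats as `None`. Account-level Block Public Access (set through `s3control`) overrides the per-bucket settings, so check it first.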

Endpoint Protection


  • Deploy behavioral detection tools capable of identifying malware behavior even with obfuscation
  • Implement application allow-listing (for example AppLocker or Windows Defender Application Control) where feasible to prevent unauthorized code execution, including payloads saved from Teams downloads
  • Maintain aggressive patching schedules to reduce vulnerability windows
  • Use EDR solutions with cloud-based threat intelligence integration

Detection and Response


  • Monitor Teams activity in the Microsoft 365 audit log and Defender for Office 365, including unusual file shares or links from newly federated external accounts
  • Establish baselines for access to your own S3 buckets from CloudTrail and alert on deviations; CloudTrail shows only your account's buckets, so attacker-owned buckets have to be caught in proxy or egress telemetry instead
  • Investigate any unexpected S3 bucket access or bucket modifications such as PutBucketPolicy, PutBucketAcl or changes to Block Public Access
  • Maintain incident response playbooks specific to cloud-based compromise scenarios
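The baseline-and-deviation approach the two S3 items above call for, as an added example rather than anything from the UNC6692 reporting: the script learns, per bucket, which principals and source networks normally touch it from one window of CloudTrail records, then flags records in a later window that come from a new principal or network or that change bucket policy, ACL, Block Public Access or logging. The records, account ID, role names and addresses are constructed, and the /24 generalisation of source addresses is a simplifying assumption.

```python
"""Baseline-and-deviation detection over CloudTrail records for your own S3 buckets.

Added example, not from the UNC6692 reporting. Records are shaped like CloudTrail's S3 events
(eventName, userIdentity.arn, sourceIPAddress, requestParameters.bucketName). Object-level
events such as GetObject only exist in the trail if S3 data-event logging is enabled. The
account ID, role names, addresses and records below are constructed.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict

# Control-plane changes that can open a bucket up or blind its logging.
BUCKET_MODIFICATION_EVENTS = {"PutBucketPolicy", "DeleteBucketPolicy", "PutBucketAcl",
                              "PutBucketPublicAccessBlock", "DeleteBucketPublicAccessBlock",
                              "PutBucketLogging"}

def _network(ip: str) -> str:
    """Generalise a caller address to its /24 (IPv4) or /64 (IPv6); service names pass through."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return ip  # e.g. "s3.amazonaws.com" or "AWS Internal"
    return str(ipaddress.ip_network(f"{ip}/{24 if addr.version == 4 else 64}", strict=False))

def _bucket(rec: dict) -> str | None:
    return (rec.get("requestParameters") or {}).get("bucketName")

def build_baseline(records: list[dict]) -> dict:
    """Per bucket: the principals and source networks seen during the learning window."""
    baseline = defaultdict(lambda: {"principals": set(), "networks": set()})
    for rec in records:
        bucket = _bucket(rec)
        if bucket:
            baseline[bucket]["principals"].add(rec["userIdentity"]["arn"])
            baseline[bucket]["networks"].add(_network(rec["sourceIPAddress"]))
    return dict(baseline)

def detect(records: list[dict], baseline: dict) -> list[dict]:
    """One finding per rule hit; a single record can trigger several rules."""
    findings = []
    for rec in records:
        bucket = _bucket(rec)
        if not bucket:
            continue
        who, net = rec["userIdentity"]["arn"], _network(rec["sourceIPAddress"])
        known = baseline.get(bucket, {"principals": set(), "networks": set()})
        hits = []
        if rec["eventName"] in BUCKET_MODIFICATION_EVENTS:
            hits.append("bucket-modification")
        if who not in known["principals"]:
            hits.append("unknown-principal")
        if net not in known["networks"]:
            hits.append("unknown-network")
        findings.extend({"rule": rule, "time": rec["eventTime"], "event": rec["eventName"],
                         "bucket": bucket, "principal": who, "source": rec["sourceIPAddress"]}
                        for rule in hits)
    return findings

def _rec(time: str, name: str, arn: str, ip: str, bucket: str, key: str | None = None) -> dict:
    """Build a minimal CloudTrail-shaped record (constructed test data)."""
    params = {"bucketName": bucket, **({"key": key} if key else {})}
    return {"eventTime": time, "eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip, "requestParameters": params}

BACKUP_ROLE = "arn:aws:sts::111122223333:assumed-role/backup-writer/i-0abc"
READER_ROLE = "arn:aws:sts::111122223333:assumed-role/app-reader/i-0def"
TEMP_USER = "arn:aws:iam::111122223333:user/contractor-temp"

# Learning window: routine service traffic to corp-backups.
TRAINING = [
    _rec("2024-04-30T01:00:00Z", "PutObject", BACKUP_ROLE, "203.0.113.10", "corp-backups", "2024/04/db.sql.gz"),
    _rec("2024-04-30T01:05:00Z", "PutObject", BACKUP_ROLE, "203.0.113.10", "corp-backups", "2024/04/files.tar"),
    _rec("2024-04-30T08:00:00Z", "GetObject", READER_ROLE, "203.0.113.22", "corp-backups", "2024/04/db.sql.gz"),
    _rec("2024-04-30T08:10:00Z", "ListObjects", READER_ROLE, "203.0.113.22", "corp-backups"),
]

# Detection window: a routine read from the usual /24, then a new identity from an
# unfamiliar network reads a backup and rewrites the bucket policy.
DETECTION = [
    _rec("2024-05-01T08:00:00Z", "GetObject", READER_ROLE, "203.0.113.30", "corp-backups", "2024/05/db.sql.gz"),
    _rec("2024-05-01T09:15:00Z", "GetObject", TEMP_USER, "198.51.100.77", "corp-backups", "2024/05/db.sql.gz"),
    _rec("2024-05-01T09:16:00Z", "PutBucketPolicy", TEMP_USER, "198.51.100.77", "corp-backups"),
    _rec("2024-05-01T09:20:00Z", "PutObject", BACKUP_ROLE, "203.0.113.10", "corp-backups", "2024/05/x.tar"),
]

def run(training=TRAINING, detection=DETECTION) -> list[dict]:
    return detect(detection, build_baseline(training))

if __name__ == "__main__":
    for f in run():
        print(f["time"], f["rule"], f["event"], f["principal"], f["source"])
```

In production the training set would come from a CloudTrail Lake or Athena query over several weeks, and the /24 generalisation should give way to your known egress ranges. The detector covers only buckets in your own account: an attacker-owned bucket used for payload delivery or command and control never appears in your CloudTrail and has to be caught on the proxy or egress side.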

## Outlook


UNC6692 represents an evolution in threat actor methodology, combining social engineering sophistication with cloud infrastructure abuse and custom malware. As organizations continue to adopt cloud services and remote collaboration platforms, threat actors will increasingly exploit these trusted channels.


Defense requires a coordinated approach that addresses the human, technical, and operational dimensions of security. Organizations that treat Teams and cloud infrastructure as security-critical infrastructure, rather than convenience features, will be better positioned to detect and respond to campaigns like UNC6692's.