New Threat Group UNC6692 Exploits Teams for Malware Distribution

A previously undocumented threat activity cluster known as UNC6692 has been observed leveraging social engineering tactics via Microsoft Teams to deploy a custo


Security researchers have identified a previously unknown threat actor group designated UNC6692 that is actively exploiting Microsoft Teams to infiltrate corporate networks and deploy custom malware. The group employs sophisticated social engineering techniques, particularly impersonating IT support staff to trick employees into accepting chat invitations from fraudulent accounts.

The attack chain begins when victims receive what appears to be a legitimate Teams chat request from someone posing as an IT helpdesk representative. Once the target accepts the invitation, attackers engage in conversation designed to build trust and credibility. Through this deceptive interaction, the threat actors convince users to execute malicious files or grant access to their systems, ultimately leading to the deployment of a custom malware suite.

This approach leverages the inherent trust that employees place in internal IT support channels. Microsoft Teams' widespread adoption in enterprise environments makes it an attractive vector for attackers, as users are conditioned to expect legitimate technical communications through the platform. The social engineering component significantly increases the likelihood of successful compromise compared to traditional phishing emails, which users have become more cautious about.

Once malware is deployed on compromised hosts, the threat actors gain the ability to establish persistence, exfiltrate sensitive data, and potentially move laterally throughout the organization's network. The custom nature of the malware suite suggests this group has dedicated development resources and targets specific victim profiles rather than conducting indiscriminate attacks.

Organizations should implement several defensive measures to protect against this threat. Employee security awareness training should specifically address the risks of unsolicited Teams communications and the importance of verifying contact identities through separate channels. Additionally, administrators should enforce stricter controls over Teams access permissions, implement advanced threat protection features, and maintain robust logging and monitoring of Teams activity to detect suspicious behavior patterns early. Multi-factor authentication and endpoint detection and response tools are also critical components of a comprehensive defense strategy against this emerging threat actor.
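The logging and monitoring recommendation above can be turned into a concrete detection. The following is an added example written for this article, not code from the article's authors or from Microsoft: it scans Teams audit events for the pattern the piece describes (an external account presenting itself as IT support opening a chat with an internal user, then sharing a file) and raises an alert. The JSON record layout, the field names (`op`, `actor_external`, `display_name`, `target`) and the sample records are all constructed for the example; a real Teams audit export uses its own schema, so the `parse_events` function is the part to adapt.

```python
"""Flag Teams chat activity matching the IT-helpdesk impersonation pattern.

Added example; not part of the original article. The record schema below is a
constructed, simplified stand-in for a Teams audit export (hypothetical fields).
"""
import json
from datetime import datetime, timedelta

# Constructed sample audit records (fictitious accounts and tenants).
SAMPLE_LOG = """\
{"time": "2024-05-06T09:01:12Z", "op": "ChatCreated", "actor": "svc-helpdesk@outside-tenant.example", "actor_external": true, "display_name": "IT Help Desk", "target": "alice@corp.example"}
{"time": "2024-05-06T09:03:40Z", "op": "MessageSent", "actor": "svc-helpdesk@outside-tenant.example", "actor_external": true, "display_name": "IT Help Desk", "target": "alice@corp.example"}
{"time": "2024-05-06T09:05:02Z", "op": "FileShared", "actor": "svc-helpdesk@outside-tenant.example", "actor_external": true, "display_name": "IT Help Desk", "target": "alice@corp.example"}
{"time": "2024-05-06T10:15:00Z", "op": "ChatCreated", "actor": "bob@corp.example", "actor_external": false, "display_name": "Bob Lee", "target": "alice@corp.example"}
{"time": "2024-05-06T11:00:00Z", "op": "ChatCreated", "actor": "vendor@partner.example", "actor_external": true, "display_name": "Dana Vendor", "target": "carol@corp.example"}
"""

# Display-name fragments that an internal user would read as "the IT department".
SUPPORT_WORDS = ("helpdesk", "help desk", "it support", "service desk", "it department")


def parse_events(text):
    """Parse one JSON record per line into dicts with a timezone-aware datetime."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        event["time"] = datetime.fromisoformat(event["time"].replace("Z", "+00:00"))
        events.append(event)
    return events


def claims_support_role(display_name):
    """True when the display name advertises an IT-support identity."""
    name = display_name.lower()
    return any(word in name for word in SUPPORT_WORDS)


def find_suspicious_chats(events, window=timedelta(minutes=30)):
    """Return one alert per chat opened by an external account that claims an
    IT-support identity. Severity is raised to 'high' when the same account
    shares a file with the same internal user within `window` of the chat start."""
    alerts = []
    chat_starts = [
        e for e in events
        if e["op"] == "ChatCreated" and e["actor_external"] and claims_support_role(e["display_name"])
    ]
    for chat in chat_starts:
        file_shares = [
            e for e in events
            if e["op"] == "FileShared"
            and e["actor"] == chat["actor"]
            and e["target"] == chat["target"]
            and chat["time"] <= e["time"] <= chat["time"] + window
        ]
        alerts.append({
            "actor": chat["actor"],
            "target": chat["target"],
            "display_name": chat["display_name"],
            "file_shares": len(file_shares),
            "severity": "high" if file_shares else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_chats(parse_events(SAMPLE_LOG)):
        print(alert)
```

Only the external "IT Help Desk" account is flagged: the internal colleague and the external vendor who does not claim a support role pass through, which keeps the rule focused on the impersonation the article describes rather than on all external chat. The file-share escalation is what makes the alert actionable for a responder, since the chat invitation alone is the lure and the shared file is the point at which the user is being asked to run something.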

Editorial note: This article represents original analysis and commentary by the TechDailyPulse editorial team.