A newly tracked threat actor, identified as UNC6692, illustrates a worrying trend: the convergence of social engineering through collaboration platforms with systematic abuse of cloud services to distribute malware and exfiltrate data. Rather than limiting itself to traditional malicious emails, the attacker combines "email bombing" campaigns with Microsoft Teams invitations that impersonate internal support, in order to gain the victim's trust and persuade them to run what looks like a legitimate fix.
The most relevant point, tactically, is that the initial access vector does not always require complex technical vulnerabilities; it relies on urgency and corporate trust to get the victim to install legitimate tools or browser extensions that are then subverted to establish persistence and encrypted tunnels to control servers. Using external Teams accounts as the first point of contact, and delivering components from buckets in public cloud services, tends to evade traditional reputation filters because the traffic comes from trusted domains.

The tooling observed in these intrusions is typically modular: JavaScript components that act as a gateway, extensions that stay resident in the browser, and portable binaries that establish tunnels or run remote commands. This architecture supports credential harvesting on fraudulent pages, the deployment of persistent backdoors, and the creation of pivots from inside the corporate network to external command-and-control infrastructure.
The implications for cyberdefence are clear: collaboration tools like Microsoft Teams stop being mere "communication channels" and become first-order attack surfaces. Protections focused on email alone are no longer sufficient; controls must be integrated into the collaboration layer, into extension management, and into cloud-service access policies.
Operationally, this requires reviewing technical-support verification flows: establishing identity-authentication channels for any sensitive request, requiring out-of-band checks, and mandating that staff do not run tools or accept invitations without prior validation. Special protection of senior and executive accounts should be a priority, both because of how often they are targeted and because of the potential impact if they are compromised.
In terms of technical measures, it is appropriate to tighten browser management policies to block arbitrary installation of extensions and to use allowlists of approved extensions and signing certificates; to limit or control the installation of remote-assistance utilities (Quick Assist, Supremo, etc.) through endpoint policies and an approved application catalogue; and to apply conditional access controls that require managed devices and multi-factor authentication for remote administrative actions and access. Microsoft offers documentation and controls for managing Teams and its security that should be reviewed: https://learn.microsoft.com/microsoftteams/.
In detection, security teams should monitor the less obvious indicators: execution of portable AutoHotkey or Python interpreters from unusual locations, processes that open local HTTP listening ports (e.g. 8000-8002), use of legitimate tools to dump memory (LSASS) or transfer files, and traffic involving WebSocket tunnelling or persistent connections to S3 buckets. Integrating EDR telemetry with collaboration-platform and web-proxy logs enables the correlations needed today to identify complete attack chains.
Governance is equally critical: establish clear procedures for reporting external invitations and messages, simulate helpdesk-impersonation scenarios in tabletop exercises and in phishing campaigns aimed at executives, and ensure there is a fast, verified way for someone on the IT team to handle incidents without resorting to unsafe actions. The culture of "accepting help on the spot" must be turned into an audited and verifiable process.
Another practical lesson is the risk of attackers using legitimate infrastructure to hide their artifacts. Simply blocking malicious domains will not be enough if the actor hosts payloads and exfiltrates data through public services. It is therefore appropriate to implement behaviour-based detection, to sign and validate the integrity of critical components, and to regularly audit access to cloud resources as part of incident response.
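The correlation described above, written out as an added example (not code from the original article or from any vendor it cites): constructed EDR process events and web-proxy records are tagged with the indicators listed in the detection paragraph (portable interpreters launched from user-writable paths, local listeners on 8000-8002, WebSocket or bulk uploads to S3 endpoints), and only hosts that show both endpoint and network evidence are raised as a candidate attack chain. The field names, hostnames, bucket name and thresholds are all assumptions.

```python
"""Correlate constructed EDR and web-proxy events per host to surface the
UNC6692-style behaviours described in the text. Field names, sample values
and thresholds are assumptions, not telemetry from a real product."""
import re
from collections import defaultdict
from typing import Dict, List

# Heuristics for the indicators named in the text (patterns are assumptions).
USER_WRITABLE_PATH = re.compile(
    r"\\users\\[^\\]+\\(appdata\\local\\temp|downloads|desktop)\\|\\users\\public\\|\\programdata\\",
    re.IGNORECASE,
)
PORTABLE_INTERPRETER = re.compile(r"\\(python|pythonw|autohotkey\w*)\.exe$", re.IGNORECASE)
SUSPICIOUS_LOCAL_PORTS = range(8000, 8003)   # 8000-8002 inclusive
S3_ENDPOINT = re.compile(r"s3[\w.-]*\.amazonaws\.com$", re.IGNORECASE)
BULK_UPLOAD_BYTES = 1_000_000                # bytes out on one connection

# Constructed sample telemetry; hosts, users and the bucket name are invented.
PROCESS_EVENTS = [
    {"host": "wks-exec-01", "user": "cfo",
     "image": r"C:\Users\cfo\AppData\Local\Temp\support\python.exe",
     "cmdline": "python.exe agent.py", "listen_ports": [8001], "parent": "msedge.exe"},
    {"host": "wks-exec-01", "user": "cfo",
     "image": r"C:\Users\cfo\Downloads\AutoHotkey64.exe",
     "cmdline": "AutoHotkey64.exe helper.ahk", "listen_ports": [], "parent": "explorer.exe"},
    {"host": "srv-build-02", "user": "svc_build",
     "image": r"C:\Program Files\Python312\python.exe",
     "cmdline": "python.exe build.py", "listen_ports": [], "parent": "cmd.exe"},
]
PROXY_EVENTS = [
    {"host": "wks-exec-01", "user": "cfo", "dst": "constructed-bucket.s3.amazonaws.com",
     "upgrade": "websocket", "bytes_out": 5_200_000},
    {"host": "srv-build-02", "user": "svc_build", "dst": "pypi.org",
     "upgrade": "", "bytes_out": 2_000},
]


def tag_process(ev: dict) -> List[str]:
    """Endpoint-side indicators for one process-creation event."""
    tags = []
    image = ev["image"]
    # A managed install under Program Files is expected; the same interpreter
    # dropped into Temp or Downloads is the 'portable from unusual location' case.
    if PORTABLE_INTERPRETER.search(image) and USER_WRITABLE_PATH.search(image):
        tags.append("portable-interpreter-from-user-writable-path")
    if any(p in SUSPICIOUS_LOCAL_PORTS for p in ev.get("listen_ports", [])):
        tags.append("local-listener-8000-8002")
    return tags


def tag_proxy(ev: dict) -> List[str]:
    """Network-side indicators for one web-proxy record."""
    tags = []
    if not S3_ENDPOINT.search(ev["dst"]):
        return tags
    if ev.get("upgrade", "").lower() == "websocket":
        tags.append("websocket-to-s3")
    if ev.get("bytes_out", 0) > BULK_UPLOAD_BYTES:
        tags.append("bulk-upload-to-s3")
    return tags


def correlate(process_events, proxy_events) -> Dict[str, Dict[str, List[str]]]:
    """Return only hosts with BOTH endpoint and network indicators, i.e. a
    candidate chain; single-source hits are left for lower-priority triage."""
    endpoint = defaultdict(list)
    network = defaultdict(list)
    for ev in process_events:
        for tag in tag_process(ev):
            endpoint[ev["host"]].append(f"{tag}: {ev['image']}")
    for ev in proxy_events:
        for tag in tag_proxy(ev):
            network[ev["host"]].append(f"{tag}: {ev['dst']}")
    return {host: {"endpoint": endpoint[host], "network": network[host]}
            for host in endpoint if host in network}


if __name__ == "__main__":
    for host, evidence in correlate(PROCESS_EVENTS, PROXY_EVENTS).items():
        print(f"[ALERT] candidate chain on {host}")
        for source, items in evidence.items():
            for item in items:
                print(f"  {source}: {item}")
```

Run as-is, only `wks-exec-01` is raised: the build server's interpreter lives in a managed path and its proxy traffic goes to an ordinary package index, so neither side contributes evidence. The join key here is the hostname; in a real SIEM the same logic would usually key on host plus user and a time window so that a legitimate S3 sync and an unrelated script on the same machine do not pair up.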

If your organization has not yet done so, it is recommended to review external access policies on collaboration platforms, enforce MFA and conditional access on privileged accounts, apply allowlists of applications and extensions, enable credential protection on endpoints, and set up alerts for anomalous activity in executive accounts. Security vendors also recommend treating invitations and support requests from external channels with the same rigour as suspicious emails: validation and, where appropriate, preventive blocking.
For those who want to go deeper into these measures and similar cases, it is worth reviewing the incident analysis and response guides from threat specialists and from the vendors of the affected platforms; useful references include Mandiant's threat intelligence publications (https://www.mandiant.com) and Microsoft's documentation on security in Teams. Cato Networks' technical blog on attacks through collaboration tools also offers practical context for defenders who must adapt their controls to these tactics: https://www.catonetworks.com/blog/.
In short, the threat described under UNC6692 confirms that adversaries are refining the combination of social engineering with legitimate infrastructure to overcome traditional defences. The response must be holistic: technical, organizational and cultural, updating controls on collaboration platforms, tightening installation and access policies, and training people not to be the weak link in the security chain.