Find notable cyber news and cases, enriched with sources, timelines, and signals.

UNC6692 email bombing and Microsoft Teams impersonation campaign

Campaign
First reported
Last updated
Happening score
H score 32
1 unique sources, 1 articles

Summary

Hide ▲

UNC6692 is running a social-engineering campaign that uses email bombing and Microsoft Teams impersonation to push targets toward remote access and initial compromise. The operation matters because it is designed to create urgency, bypass normal trust checks, and open a path to credential theft and deeper network access.

Related Happenings

KongTuke ClickFix and Teams access-seeking campaign

Campaign
H score33 First: 25.06.2026 11:54 Last: 25.06.2026 11:54 Sources 1

About this happening: The **KongTuke** operation is using **ClickFix** lures and **Microsoft Teams** messages to widen access-seeking attacks against **multiple organizations**, increasing the risk of...

KongTuke Microsoft Teams initial access campaign

Campaign
H score42 First: 14.05.2026 15:12 Last: 14.05.2026 15:12 Sources 1

About this happening: The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...

MuddyWater Microsoft Teams social-engineering campaign with Chaos ransomware decoy

Campaign
H score37 First: 06.05.2026 16:02 Last: 06.05.2026 16:02 Sources 1

About this happening: The **MuddyWater** campaign used **Microsoft Teams** social engineering and a **Chaos ransomware** decoy to gain access, steal credentials, and establish persistence. The operatio...

Code of conduct-themed Microsoft AiTM phishing campaign

Campaign
H score53 First: 05.05.2026 09:35 Last: 05.05.2026 09:35 Sources 1

About this happening: A **large-scale phishing campaign** used code of conduct-themed lures and **legitimate email services** to push victims to attacker-controlled domains and steal **authentication t...

APT28 Windows Shell LNK campaign targeting Ukraine and E.U. nations

Campaign
H score39 First: 28.04.2026 08:50 Last: 28.04.2026 08:50 Sources 1

About this happening: A **December 2025** **APT28** campaign targeted **Ukraine** and **E.U. nations** with a **malicious Windows Shortcut (LNK)** chain that bypassed **Microsoft Defender SmartScreen**...

Timeline

  1. 25.04.2026 18:07 2 articles · 2mo ago

    UNC6692 uses Teams impersonation and a fake patch to deploy Snow

    Initial Disclosure

    UNC6692 uses email bombing and Microsoft Teams impersonation to pose as IT helpdesk staff, pressure targets into clicking a fake spam-blocking patch link, and deploy the Snow malware suite. The dropper loads SnowBelt as a malicious Chrome extension on a headless Microsoft Edge instance, while SnowGlaze creates a WebSocket tunnel and SOCKS proxy path to SnowBasin, a Python-based backdoor that can run CMD or PowerShell, support remote shell access, data exfiltration, file download, screenshot capture, and file management, and enable later credential theft, lateral movement, and Active Directory harvesting with FTK Imager and LimeWire.

    Show sources