
Inside UNC6692's Playbook: A Step-by-Step Breakdown of the Social Engineering-Driven Malware Deployment

Last updated: 2026-05-14 08:28:18

What You Need to Understand the Attack

Before diving into the steps, it's important to know the key components the attackers used:

[Figure: Inside UNC6692's Playbook: A Step-by-Step Breakdown of the Social Engineering-Driven Malware Deployment (Source: www.mandiant.com)]
  • Microsoft Teams access – an external account to send chat invitations
  • AWS S3 bucket – to host malicious files (HTML, AutoHotKey binary, script)
  • AutoHotKey – legitimate scripting tool repurposed for malware execution
  • A Chromium browser extension (SNOWBELT) – custom-built, not from Chrome Web Store
  • Windows Startup folder and Scheduled Tasks – for persistence

Step 1: Flood the Victim with Emails

In late December 2025, UNC6692 launched a large email campaign aimed at overwhelming the target. The goal was to create a sense of urgency and distraction, making the victim more likely to accept help from someone posing as IT support.

Key tactic: The sheer volume of emails forced the victim to seek assistance, setting the stage for the next step.

Step 2: Impersonate IT Helpdesk via Microsoft Teams

Shortly after the email barrage, the attacker sent a phishing message through Microsoft Teams, pretending to be helpdesk personnel. The message offered to help reduce the spam volume and included a link to a 'local patch'.

The chat invitation came from an account outside the organization, but the attacker exploited the victim's trust in the helpdesk role and the urgency of the situation.

Step 3: Lure the Victim to Click a Malicious Link

The Teams message included a URL pointing to an HTML page hosted in an AWS S3 bucket. The page appeared legitimate, describing itself as 'Microsoft Spam Filter Updates' and urging the user to install a 'local patch' to protect the account from spamming.

When clicked, the browser opened update.html?email=<victim email>, which triggered the download of a renamed AutoHotKey binary and a script file with the same base name.

Step 4: Execute AutoHotKey with the Malicious Script

AutoHotKey has a built-in feature: if the executable and a script file have the same name and reside in the same directory, the script runs automatically without extra command-line arguments. The attackers exploited this to launch their code silently.

Although the initial AutoHotKey script was not recovered by Mandiant, evidence shows it performed:

  • Initial reconnaissance commands
  • Installation of the SNOWBELT Chromium browser extension
  • Setup for persistence mechanisms

Step 5: Deploy the SNOWBELT Browser Extension

SNOWBELT is a custom malicious Chromium extension that was not distributed through the Chrome Web Store. It likely allowed remote control of browser activity, credential theft, or data exfiltration. The extension was loaded using a specific Edge browser command with a custom user data directory.


Step 6: Establish Persistence

The attackers used multiple methods to ensure SNOWBELT and the malicious infrastructure remained active after a reboot:

  • Windows Startup folder: A shortcut to an AutoHotKey script was added, which verified the extension was running.
  • Scheduled Task: A task was created to run the script periodically, checking for the headless Edge process running the extension.

The AutoHotKey script contained logic to search for the existing scheduled task and, if found, execute the browser command to load SNOWBELT in a headless Edge instance.

Tips for Defenders

  • Train users to verify IT contacts: Encourage employees to independently verify any unsolicited helpdesk messages, especially from external accounts.
  • Monitor for anomalous Teams invitations: Look for invites from outside the organization, especially those with urgent language or links.
  • Restrict execution of AutoHotKey: Consider blocking or limiting AutoHotKey via application whitelisting if it's not essential for business.
  • Audit browser extensions: Monitor for unauthorized extensions, especially those not from official stores.
  • Review scheduled tasks and startup items: Regularly check for unexpected tasks or shortcuts that launch scripts or browsers in headless mode.
  • Enable logging and alerting: Use security tools to detect abnormal inbound email volumes, Teams messages from external accounts, and file downloads from unusual cloud storage buckets.
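To show how the "audit browser extensions" and "review scheduled tasks and startup items" tips translate into detection logic, here is an added example (not code from Mandiant or from this page) that triages constructed Sysmon-style process-creation events for two artifacts the campaign leaves behind: an AutoHotKey binary running under a different file name, and msedge.exe launched headless with a side-loaded unpacked extension. The field names (Image, OriginalFileName, CommandLine) follow Sysmon Event ID 1; the assumption that AutoHotKey's PE version info reports OriginalFileName as AutoHotkey.exe, and all paths and values, are constructed for the example.

```python
import ntpath
import re

# Constructed Sysmon-style process-creation events (not real telemetry):
# a renamed AutoHotKey binary launched from Downloads, a headless Edge
# instance side-loading an unpacked extension, and a benign Edge launch.
SAMPLE_EVENTS = [
    {"Image": r"C:\Users\v\Downloads\update.exe", "OriginalFileName": "AutoHotkey.exe",
     "CommandLine": r'"C:\Users\v\Downloads\update.exe"'},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe",
     "CommandLine": r'msedge.exe --headless --user-data-dir=C:\Users\v\AppData\Local\upd '
                    r'--load-extension=C:\Users\v\AppData\Local\upd\ext'},
    {"Image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "OriginalFileName": "msedge.exe", "CommandLine": "msedge.exe --profile-directory=Default"},
]

# Chromium switches of interest; values are captured to enrich the alert.
SWITCH_RE = re.compile(r"--(headless|load-extension|user-data-dir)(?:=(\"[^\"]*\"|\S+))?")

def renamed_autohotkey(event):
    """True when PE version info says AutoHotKey but the file on disk is named otherwise."""
    on_disk = ntpath.basename(event.get("Image", "")).lower()
    original = event.get("OriginalFileName", "").lower()
    return original == "autohotkey.exe" and on_disk != original

def headless_edge_extension(event):
    """Return the parsed switches when msedge.exe runs headless and side-loads an extension."""
    if ntpath.basename(event.get("Image", "")).lower() != "msedge.exe":
        return None
    switches = {m.group(1): m.group(2) for m in SWITCH_RE.finditer(event.get("CommandLine", ""))}
    if "headless" in switches and "load-extension" in switches:
        return switches
    return None

def triage(events):
    """Map each matching event index to the names of the rules it tripped."""
    hits = {}
    for i, ev in enumerate(events):
        names = []
        if renamed_autohotkey(ev):
            names.append("renamed_autohotkey")
        if headless_edge_extension(ev) is not None:
            names.append("headless_edge_extension")
        if names:
            hits[i] = names
    return hits

if __name__ == "__main__":
    for idx, rules in triage(SAMPLE_EVENTS).items():
        print(idx, rules, SAMPLE_EVENTS[idx]["CommandLine"])
```

The user-data-dir value captured by the second rule is the custom profile directory worth collecting during response, since it holds the unpacked extension and the scheduled task and Startup shortcut point back at it.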

Understanding each step of the UNC6692 campaign helps defenders anticipate similar attacks and fortify their defenses against social engineering chains.