Phishing awareness training has been around long enough that the attackers have just moved on. The new front door is Microsoft Teams, and it’s working.

UNC6692, likely former Black Basta affiliates, have dropped email as the lure entirely. The spam filter never sees the approach. There’s no broken English because the chat is timed and scripted. First contact to persistent backdoor in 12 minutes flat.

Initial access sequence

It starts with email bombing. The target gets 200–500 subscription confirmation emails inside a few minutes, enough to make the inbox useless. While they’re trying to work out what’s happening, a Teams chat arrives.

Account name is usually Support or Help Desk (External). In campaigns I’ve tracked, attackers are using compromised onmicrosoft.com tenants from legitimate organisations to blunt the “External” label. One less thing for the target to notice.

I’ve seen chat initiations land exactly 29 seconds apart across different targets. Someone built a framework for this.

RMM abuse & pretext

The fake engineer is helpful. They acknowledge the email storm, claim to have spotted a security anomaly, and ask for a quick diagnostic session.

Access comes via Quick Assist (Win + Ctrl + Q) or a pre-configured Supremo or AnyDesk client, delivered through a compromised SharePoint or OneDrive link. Microsoft trust boundary, abused.

Files are named things like MailAccountWizard.jar or Mailbox Repair Utility v2.1.5. In several cases, the file isn’t a lure. It’s first-stage delivery for the SNOW suite.

The SNOW ecosystem

Once they have RMM access, the social engineering is done. Now it’s about persistence.

SNOWBELT is a JavaScript-based Chromium extension. Attackers launch msedge.exe with --load-extension, which side-loads the unpacked extension and leaves a persistent backdoor inside the browser. It can relay commands and exfiltrate data from within the browser process, without the separate binaries or child processes a traditional EDR keys on.

SNOWGLAZE is a Python-based tunneller. It opens an authenticated WebSocket connection to C2, typically used to stage PsExec or lateral movement tooling.

SNOWBASIN handles persistent remote command execution once the other two are in place.

By the time you kill the RMM session, the browser extension is already sitting there. The RMM was just the delivery mechanism.

Detection engineering

You’re looking for the sequence, not the tools.

Look for a spike in inbound external emails immediately followed by a Teams MemberAdded event within roughly 15 minutes. That pairing is the tell. Neither event alone is suspicious. Together, they’re the whole attack compressed into two log lines.
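The email-storm-then-Teams-contact pairing above, as an added correlation example run over constructed sample events (this is not the author's code, and the thresholds, the 100-mails-in-10-minutes bomb definition and the onmicrosoft.com sender name are assumptions):

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Email event: (timestamp, recipient).
# Teams event: (timestamp, target user, external account that opened the chat).
T0 = datetime(2025, 1, 15, 9, 0, 0)
EMAIL_EVENTS = [(T0 + timedelta(seconds=i), "victim@corp.example") for i in range(200)]  # ~3 min storm
EMAIL_EVENTS += [(T0 + timedelta(minutes=i), "colleague@corp.example") for i in range(5)]  # normal volume
TEAMS_EVENTS = [
    (T0 + timedelta(minutes=9), "victim@corp.example", "helpdesk@contoso-it.onmicrosoft.com"),  # assumed external tenant
    (T0 + timedelta(minutes=9), "colleague@corp.example", "partner@vendor.example"),  # no storm before it
    (T0 + timedelta(hours=2), "victim@corp.example", "helpdesk@contoso-it.onmicrosoft.com"),  # outside the 15 min gap
]

def email_bombs(emails, threshold=100, window=timedelta(minutes=10)):
    """Sliding window per recipient: return {recipient: time the count first reached `threshold` within `window`}."""
    per_recipient = defaultdict(list)
    for ts, rcpt in emails:
        per_recipient[rcpt].append(ts)
    bombs = {}
    for rcpt, times in per_recipient.items():
        times.sort()
        lo = 0
        for hi, t in enumerate(times):
            while t - times[lo] > window:  # drop mails that fell out of the window
                lo += 1
            if hi - lo + 1 >= threshold:
                bombs[rcpt] = t
                break
    return bombs

def correlate(emails, teams_events, gap=timedelta(minutes=15)):
    """Alert when an external Teams MemberAdded for a user follows that user's email bomb within `gap`.

    Neither event alone fires; only the sequence (bomb, then chat) does.
    """
    bombs = email_bombs(emails)
    alerts = []
    for ts, user, external in teams_events:
        bomb_ts = bombs.get(user)
        if bomb_ts is not None and timedelta(0) <= ts - bomb_ts <= gap:
            alerts.append({"user": user, "external_account": external, "teams_at": ts, "bomb_at": bomb_ts})
    return alerts

if __name__ == "__main__":
    for alert in correlate(EMAIL_EVENTS, TEAMS_EVENTS):
        print(alert)
```

In production the two inputs would come from your mail gateway telemetry and the Teams MemberAdded audit events; the one alert this sample produces is the victim's chat nine minutes after the storm.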

On the endpoint, monitor for msedge.exe or chrome.exe launching with --load-extension from unusual paths — anything under AppData\Local\Temp is worth an alert. That’s not normal browser behaviour.

For SNOWGLAZE, flag WebSocket connections to non-standard IPs from Python-based executables.

// Detect browser extensions loading from Temp
// Set ago() to match your alert schedule frequency
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName in~ ("msedge.exe", "chrome.exe")
| where ProcessCommandLine contains "--load-extension"
| where ProcessCommandLine contains "AppData\\Local\\Temp"
| extend RMMSpawned = InitiatingProcessFileName in~ (
    "Supremo.exe", "AnyDesk.exe", "msra.exe",
    "quickassist.exe", "ScreenConnect.exe", "TeamViewer.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, RMMSpawned
| sort by RMMSpawned desc, Timestamp desc

It’s a simple trick. That’s why it worked in 12 minutes. Stop letting “Support” in the front door.