Cyber: UNC6692 Impersonates IT Helpdesk via Microsoft Teams to Deploy... (2026)

A previously undocumented threat activity cluster tracked as UNC6692 has been observed using social engineering over Microsoft Teams to deploy a custom malware suite on compromised hosts.

"As with many other intrusions in recent years, UNC6692 relied heavily on impersonating IT helpdesk employees, convincing their victim to accept a Microsoft Teams chat invitation from an account outside their organization," Google-owned Mandiant said in a report published today.

UNC6692 has been attributed to a large email campaign designed to overwhelm a target's inbox with a flood of spam, creating a false sense of urgency. The threat actor then approaches the target over Microsoft Teams with a message claiming to come from the IT support team, offering help with the email bombing problem.

This combination of email bombing followed by Microsoft Teams-based help desk impersonation is a tactic long embraced by former Black Basta affiliates. Although the group shut down its ransomware operations early last year, the playbook shows no sign of slowing down.

In a report published last week, ReliaQuest revealed that the approach is being used against executives and senior-level employees to gain initial access to corporate networks for potential data theft, lateral movement, ransomware deployment, and extortion. In some cases, chats were initiated just 29 seconds apart. The goal of the conversation is to trick victims into installing legitimate remote access and remote monitoring and management (RMM) tools such as Quick Assist or Supremo Remote Desktop to obtain hands-on access, which is then used to drop additional payloads.

"From March 1 to April 1, 2026, 77% of observed incidents targeted senior-level employees, up from 59% in the first two months of 2026," ReliaQuest researchers John Dilgen and Alexa Feminella said. "This activity demonstrates that a threat group's most effective tactics can long outlive the group itself."

The attack chain detailed by Mandiant deviates from this approach: the victim is instructed to click a phishing link shared in the Teams chat to install a local patch to remediate the spam issue. The phishing page is named "Mailbox Repair and Sync Utility v2.1.5." Clicking the link downloads an AutoHotkey script from a threat actor-controlled AWS S3 bucket. The script is designed to perform initial reconnaissance, and then install
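The two-step pattern described above (a burst of inbound mail to one user, followed shortly by a Teams chat from an account outside the tenant) is something a detection team can correlate directly. The following is an added example written for this page; it is not code from Mandiant, ReliaQuest or The Hacker News. The event tuple layouts, the `example.com` tenant domain, the thresholds and the sample events are all assumptions constructed for the demonstration, not real telemetry.

```python
"""Correlate an email-bombing burst with a follow-up Teams chat from an
external account.

Added example, not code from Mandiant, ReliaQuest or The Hacker News.
Event layouts, thresholds and tenant domain are assumptions; the events
below are constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables (assumptions; calibrate against your own mail volume).
MAIL_BOMB_THRESHOLD = 50                  # inbound messages ...
MAIL_BOMB_WINDOW = timedelta(minutes=10)  # ... within this sliding window
FOLLOW_UP_WINDOW = timedelta(hours=2)     # Teams contact this soon after the burst
ORG_DOMAINS = {"example.com"}             # hypothetical tenant domains


def _ts(s):
    return datetime.fromisoformat(s)


def is_external(upn):
    """True if the UPN's domain is not one of the organisation's own."""
    return upn.rsplit("@", 1)[-1].lower() not in ORG_DOMAINS


def find_mail_bombs(mail_events):
    """Return {recipient: burst_start} for every recipient that received at
    least MAIL_BOMB_THRESHOLD messages inside some MAIL_BOMB_WINDOW.
    mail_events: iterable of (iso_timestamp, recipient_upn)."""
    per_recipient = defaultdict(list)
    for ts, rcpt in mail_events:
        per_recipient[rcpt.lower()].append(_ts(ts))
    bombs = {}
    for rcpt, times in per_recipient.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            # Slide the window start forward until it fits MAIL_BOMB_WINDOW.
            while t - times[start] > MAIL_BOMB_WINDOW:
                start += 1
            if end - start + 1 >= MAIL_BOMB_THRESHOLD:
                bombs[rcpt] = times[start]   # first moment the threshold was crossed
                break
    return bombs


def correlate(mail_events, teams_events):
    """Alert when an external Teams sender contacts a mail-bombed user within
    FOLLOW_UP_WINDOW of the burst starting.
    teams_events: iterable of (iso_timestamp, sender_upn, target_upn)."""
    bombs = find_mail_bombs(mail_events)
    alerts = []
    for ts, sender, target in teams_events:
        target = target.lower()
        if target not in bombs or not is_external(sender):
            continue
        t = _ts(ts)
        if bombs[target] <= t <= bombs[target] + FOLLOW_UP_WINDOW:
            alerts.append({
                "target": target,
                "external_sender": sender,
                "burst_start": bombs[target].isoformat(),
                "chat_at": t.isoformat(),
                "minutes_after_burst": (t - bombs[target]).total_seconds() / 60,
            })
    return alerts


# Constructed sample telemetry: 60 inbound messages to alice within five
# minutes, a little ordinary mail to carol, then three Teams chats.
SAMPLE_MAIL = [
    (f"2026-04-01T09:{i // 12:02d}:{(i % 12) * 5:02d}", "alice@example.com")
    for i in range(60)
] + [
    ("2026-04-01T09:01:00", "carol@example.com"),
    ("2026-04-01T09:30:00", "carol@example.com"),
]
SAMPLE_TEAMS = [
    # External "helpdesk" contacting the bombed user 40 minutes later: alert.
    ("2026-04-01T09:40:00", "it-helpdesk@support-desk.example", "alice@example.com"),
    # Internal colleague: no alert.
    ("2026-04-01T09:41:00", "bob@example.com", "alice@example.com"),
    # External contact to a user who was not bombed: no alert.
    ("2026-04-01T09:42:00", "sales@partner.example", "carol@example.com"),
]


def run_sample():
    return correlate(SAMPLE_MAIL, SAMPLE_TEAMS)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Running the sample produces a single alert for alice, 40 minutes after the burst began; the internal colleague's chat and the external chat to the un-bombed user are ignored. The sliding window is what makes this cheap to run continuously: per recipient it is a single pass over sorted timestamps. Wiring it to real sources (mail message-trace records for the burst, Teams chat audit events for the external contact) is left to the reader, and the thresholds should be tuned so that legitimate mailing-list spikes do not trip it.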

Source: The Hacker News