StratosAlly – Cybersecurity for digital safety

How UNC6692 Is Using Microsoft Teams to Quietly Breach Organizations

StratosAlly

Hackers are now switching their style. It doesn’t begin with a suspicious email anymore. No strange links, no obvious red flags. Just a message on Microsoft Teams, something that looks routine, almost reassuring. “Hi, this is IT support. We’ve noticed an issue with your system.” And that’s exactly where the breach begins.

A newly tracked threat group, UNC6692, identified by threat intelligence teams including Mandiant, has been quietly exploiting that moment of trust, slipping into organizations not by breaking systems, but by blending into them. Instead of targeting vulnerabilities in code, they’re targeting people, using Teams as their entry point and impersonating internal helpdesk staff with unsettling precision.

In many cases, the attack actually starts earlier, long before that Teams message appears. Victims are first hit with a wave of spam emails, flooding their inboxes and creating confusion. Then, almost on cue, a message arrives on Teams from “IT support,” offering to fix the issue. It feels helpful, timely, and legitimate. And that’s exactly the point.

The attackers often operate through external or compromised tenant accounts, taking advantage of the fact that many organizations allow communication from outside their network on Teams. It’s a small configuration choice, but one that quietly opens the door.

Once the conversation begins, the attack unfolds gently. There’s no pressure, no obvious threat, just guidance. Just a quick fix, a script to run, and a request to connect. In some cases, victims are led to download disguised payloads, including AutoHotkey scripts or PowerShell-based tools that begin reconnaissance almost immediately. In others, they’re guided to grant remote access through legitimate tools like Quick Assist, effectively handing over control without realizing it.

From there, the attackers don’t rush. They move like insiders. Using trusted system utilities and administrative tools, a technique often referred to as “living off the land,” they move laterally across the network. No obvious malware, no alarms. Just activity that looks, on the surface, like routine IT work.

What they’re ultimately after is more than just access. These intrusions are often designed to establish persistence, harvest credentials, and quietly map the environment, sometimes paving the way for larger objectives like data exfiltration or even ransomware deployment later on.

What makes this campaign particularly unsettling is how targeted it is. Between March and April 2026, nearly 77% of observed attacks focused on senior employees, people with broader access, higher privileges, and more influence over critical systems. The kind of accounts that open more doors, faster. There’s no loud disruption, no immediate crash. Just a quiet presence, expanding.

And that’s the shift this attack represents. Cyberattacks are no longer just about exploiting systems; they’re about mimicking behavior. Conversations instead of code. Trust instead of technical flaws. The attackers don’t need to break in if they can simply be invited.

Microsoft has warned that these intrusions are particularly difficult to detect because they rely almost entirely on legitimate tools and everyday workflows. The activity doesn’t look malicious; it looks like work.
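Each step described above looks routine on its own, but the sequence (a mail flood, a Teams chat from an external “IT support” account, then Quick Assist, AutoHotkey or PowerShell started by the same user) can be hunted as one pattern. The Python below is an added example, not code from Mandiant, Microsoft or this article; the event fields, tenant IDs, time window and flood threshold are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# All field names, IDs and thresholds are hypothetical; map them from your own
# Teams audit, mail and endpoint telemetry.
HOME_TENANT = "HOME-TENANT-ID"          # placeholder for your tenant ID
HELPDESK_WORDS = ("it support", "help desk", "helpdesk", "service desk")
WATCHED_TOOLS = {"quickassist.exe", "autohotkey.exe", "powershell.exe"}
WINDOW = timedelta(hours=2)             # constructed correlation window
FLOOD_THRESHOLD = 20                    # constructed inbound-mail threshold

def correlate(events):
    """Flag external helpdesk-style chats followed by a watched tool launch."""
    alerts = []
    for chat in sorted(events, key=lambda e: e["time"]):
        if chat["type"] != "teams_chat" or chat["sender_tenant"] == HOME_TENANT:
            continue                    # only chats from outside the tenant
        if not any(w in chat["sender_name"].lower() for w in HELPDESK_WORDS):
            continue                    # only helpdesk-style display names
        user, t0 = chat["user"], chat["time"]
        tools = sorted({e["image"].lower() for e in events
                        if e["type"] == "process_start" and e["user"] == user
                        and t0 <= e["time"] <= t0 + WINDOW
                        and e["image"].lower() in WATCHED_TOOLS})
        if not tools:
            continue
        # A mail flood shortly before the chat raises confidence.
        flood = sum(1 for e in events
                    if e["type"] == "email_in" and e["user"] == user
                    and t0 - WINDOW <= e["time"] < t0) >= FLOOD_THRESHOLD
        alerts.append({"user": user, "tools": tools, "email_flood": flood,
                       "severity": "high" if flood else "medium"})
    return alerts

def sample_events():
    """Constructed events for four users; not taken from any real incident."""
    t = datetime(2026, 4, 1, 9, 0)
    def ev(kind, user, minute, **extra):
        return {"type": kind, "user": user,
                "time": t + timedelta(minutes=minute), **extra}
    out = [ev("email_in", "alice", i) for i in range(25)]
    for user, name, tenant, image in [
            ("alice", "IT Support", "EXT-1", "QuickAssist.exe"),
            ("bob", "IT Support", HOME_TENANT, "QuickAssist.exe"),
            ("carol", "Jane Vendor", "EXT-2", "powershell.exe"),
            ("dave", "Help Desk", "EXT-3", "AutoHotkey.exe")]:
        out += [ev("teams_chat", user, 30, sender_name=name, sender_tenant=tenant),
                ev("process_start", user, 40, image=image)]
    return out
```

On the constructed data only alice (high, with mail flood) and dave (medium) are flagged; PowerShell is noisy in most environments, so expect to tune `WATCHED_TOOLS` and the window before alerting on this.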
