Hackers impersonate Microsoft Teams help desk to breach corporate networks

Title: Hackers impersonate Microsoft Teams help desk to breach corporate networks

URL Source: https://therecord.media/microsoft-teams-hackers-mandiant

Published Time: 2026-04-27T13:33:13.623Z

Markdown Content: # Hackers impersonate Microsoft Teams help desk to breach corporate networks | The Record from Recorded Future News

* [Leadership](https://therecord.media/news/leadership) * [Cybercrime](https://therecord.media/news/cybercrime) * [Nation-state](https://therecord.media/news/nation-state) * [Influence Operations](https://therecord.media/news/influence-operations) * [Technology](https://therecord.media/news/technology)

* [Cyber Daily®](https://therecord.media/subscribe) * [Click Here Podcast](https://therecord.media/podcast)

Go

Subscribe to The Record

[✉️ Free Newsletter](https://therecord.media/subscribe)

Image: Dimitri Karastelev / Unsplash

[Daryna Antoniuk](https://therecord.media/author/daryna-antoniuk)April 27th, 2026

* [News](https://therecord.media/) * [News Briefs](https://therecord.media/) * [Cybercrime](https://therecord.media/news/cybercrime)

* * * * * *

Get more insights with the

Recorded Future

Intelligence Cloud.

[Learn more.](https://www.recordedfuture.com/platform?mtm_campaign=ad-unit-record)

# Hackers impersonate Microsoft Teams help desk to breach corporate networks

Hackers are impersonating Microsoft Teams help desk workers to trick victims into installing data-stealing malware, according to a new report from Mandiant.

The campaign, attributed to a newly tracked threat cluster known as UNC6692, combines email flooding, phishing messages and malicious browser extensions to gain access to corporate systems, researchers at the Google-owned cybersecurity company [said](https://cloud.google.com/blog/topics/threat-intelligence/unc6692-social-engineering-custom-malware).

The operation begins with a large wave of emails designed to overwhelm a targeted inbox, after which the attacker reaches out via Microsoft Teams using an account outside the victim’s organization, posing as an IT support worker offering help with the email disruption.

During the conversation, the victim is instructed to install what appears to be a “patch” meant to stop the spam. Clicking the link opens a website masquerading as a “Mailbox Repair Utility,” prompting the user to download a script that ultimately installs a malicious browser extension called SnowBelt, according to Mandiant.

SnowBelt functions as a backdoor that allows […]

[… 1,444 Zeichen — nächste Zone: keyword-dense paragraphs …]

* [Hackers impersonate Microsoft Teams help desk to breach corporate networks April 27th, 2026](https://therecord.media/microsoft-teams-hackers-mandiant) * [ADT says customer data stolen in cyber intrusion April 24th, 2026](https://therecord.media/ADT-data-breach-cyberattack) * [Norway's prime minister proposes ban on social media access for young teens April 24th, 2026](https://therecord.media/norway-prime-minister-proposes-social-media-ban-for-young-teens) * [Surveillance companies exploiting telecom system to spy on targets’ locations, research shows April 23rd, 2026](https://therecord.media/surveillance-companies-exploiting-telecom-systems-to-track-location) * [China-linked hackers targeted Mongolian government using Slack, Discord for covert communications April 23rd, 2026](https://therecord.media/china-linked-hackers-target-mongolian-gov-slack-discord) * [Hackers deployed wiper malware in destructive attacks on Venezuela’s energy sector April 22nd, 2026](https://therecord.media/hackers-venezuela-wiper-malware-oil) * [EU targets two Russian propaganda networks with new sanctions April 21st, 2026](https://therecord.media/eu-targets-russian-propaganda-networks-sanctions) * [Elon Musk fails to appear for questioning by French police over sexualized AI images on X April 20th, 2026](https://therecord.media/elon-musk-avoids-questioning-french-police-x-images-scandal) * [Cyberattack at French identity document agency may have exposed personal data April 20th, 2026](https://therecord.media/france-cyberattack-agency-passports)

* * * * * […]

Another trick targets user behavior during login attempts. The credential-harvesting script deliberately rejects the first two password submissions, prompting […]

“Th […]

[… 714 Zeichen — nächste Zone: tail …]

## [Emerging Enterprise Security Risks of AI ](https://www.recordedfuture.com/research/emerging-enterprise-security-risks-of-ai)

## [Iran War: Future Scenario and Business Implications ](https://www.recordedfuture.com/research/iran-war-future-scenarios)

## [Understanding and Anticipating Venezuelan Government Actions ](https://www.recordedfuture.com/research/understanding-and-anticipating-venezuelan-government-actions)

* * * * * *

* [Privacy](https://www.recordedfuture.com/privacy-policy) * [About](https://therecord.media/about) * [Contact Us](https://therecord.media/contact)

© Copyright 2026 | The Record from Recorded Future News