Phishing awareness training has been around long enough that the attackers have just moved on. The new front door is Microsoft Teams, and it’s working.

Threat actors — likely former Black Basta affiliates operating as UNC6692 — have dropped email entirely. No suspicious links, no broken English. Just a tightly automated 12-minute sprint from inbox chaos to a persistent backdoor.

Initial access sequence

It starts with email bombing. The target receives 200–500 subscription confirmation emails in a few minutes — a deliberate denial-of-productivity attack designed to create the conditions for what comes next.

While they’re buried in notifications, a Teams chat arrives. Account name is usually Support or Help Desk (External). In recent campaigns I’ve tracked, attackers have been using compromised onmicrosoft.com tenants from legitimate organisations to blunt the “External” label — one less thing for the target to notice.

Chat initiations across different targets have been observed exactly 29 seconds apart. Someone built a framework for this.

RMM abuse & pretext

The fake engineer is helpful. They acknowledge the email storm, claim to have spotted a security anomaly, and ask for a quick diagnostic session.

Access usually comes via Quick Assist (Win + Ctrl + Q) or a pre-configured Supremo or AnyDesk client, delivered through a compromised SharePoint or OneDrive link to abuse the Microsoft trust boundary.

Files are named things like MailAccountWizard.jar or Mailbox Repair Utility v2.1.5. In several cases they’re not just lures — they’re the first-stage delivery mechanism for the SNOW suite.

The SNOW ecosystem

Once RMM access is established, the objective shifts from social engineering to persistence.

SNOWBELT is a JavaScript-based Chromium extension. Attackers launch msedge.exe with --load-extension, giving them a persistent backdoor inside the browser — capable of relaying commands and exfiltrating data without touching the endpoint in any way a traditional EDR is looking for.

SNOWGLAZE is a Python-based tunneller. It establishes an authenticated WebSocket connection to C2, typically used to stage PsExec or lateral movement tooling.

SNOWBASIN handles persistent remote command execution once everything else is in place.

By the time you kill the RMM session, the browser extension is already sitting there. The RMM was just the delivery mechanism.

Detection engineering

The detection signal is the sequence, not the individual tools.

Look for a spike in inbound external emails immediately followed by a Teams MemberAdded event within roughly 15 minutes. That pairing is the tell. Neither event alone is suspicious — together, they’re the whole attack compressed into two log lines.
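The pairing described above, worked through on constructed sample telemetry as an added example (this is not code from the original post). It assumes simplified row shapes for message-trace and Teams audit events, an internal domain of contoso.example, and tuning values of 100 inbound external messages inside a 10-minute window for the burst and a 15-minute look-ahead from the burst start for the MemberAdded event; all of those are assumptions to adjust to your own tenant.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAINS = {"contoso.example"}   # assumption: the defended tenant's own domains
TEAMS_OPERATION = "MemberAdded"          # the audit-log operation named in the post


def _t(hhmmss):
    """Helper for building timestamps on one constructed day."""
    return datetime(2025, 1, 1, *map(int, hhmmss.split(":")))


def make_sample_events():
    """Constructed sample telemetry, not real logs.
    Mail rows:  (timestamp, recipient, sender_domain)
    Teams rows: (timestamp, operation, added_user, actor)"""
    mail, teams = [], []
    # alice: 250 subscription confirmations in about four minutes, then an
    # external Teams contact nine minutes after the storm starts
    for i in range(250):
        mail.append((_t("09:00:00") + timedelta(seconds=i),
                     "alice@contoso.example", f"news{i % 40}.example"))
    teams.append((_t("09:09:00"), "MemberAdded", "alice@contoso.example",
                  "helpdesk@EXAMPLE-TENANT.onmicrosoft.com"))   # placeholder actor
    # bob: normal mail volume and a legitimate external chat
    for i in range(3):
        mail.append((_t("09:01:00") + timedelta(minutes=i),
                     "bob@contoso.example", "partner.example"))
    teams.append((_t("09:05:00"), "MemberAdded", "bob@contoso.example", "pm@partner.example"))
    # carol: a burst with no Teams follow-up
    for i in range(250):
        mail.append((_t("11:00:00") + timedelta(seconds=i),
                     "carol@contoso.example", f"news{i % 40}.example"))
    # dave: a burst, but the Teams contact arrives 30 minutes later, outside the window
    for i in range(250):
        mail.append((_t("13:00:00") + timedelta(seconds=i),
                     "dave@contoso.example", f"news{i % 40}.example"))
    teams.append((_t("13:30:00"), "MemberAdded", "dave@contoso.example",
                  "helpdesk@EXAMPLE-TENANT.onmicrosoft.com"))
    return mail, teams


def email_bursts(mail_events, window=timedelta(minutes=10), threshold=100):
    """Per recipient, the first run of >= threshold inbound external messages
    inside `window`. Returns {recipient: (burst_start, burst_end)}."""
    by_user = defaultdict(list)
    for ts, rcpt, sender_domain in mail_events:
        if sender_domain.lower() not in INTERNAL_DOMAINS:   # inbound external only
            by_user[rcpt].append(ts)
    bursts = {}
    for rcpt, times in by_user.items():
        times.sort()
        start, burst_start, burst_end = 0, None, None
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                if burst_start is None:
                    burst_start = times[start]
                burst_end = ts
        if burst_start is not None:
            bursts[rcpt] = (burst_start, burst_end)
    return bursts


def correlate(mail_events, teams_events, lookahead=timedelta(minutes=15)):
    """Pair each burst with a MemberAdded for the same user that lands
    within `lookahead` of the burst start. Neither signal alerts alone."""
    bursts = email_bursts(mail_events)
    alerts = []
    for ts, operation, user, actor in teams_events:
        if operation != TEAMS_OPERATION or user not in bursts:
            continue
        burst_start, burst_end = bursts[user]
        if burst_start <= ts <= burst_start + lookahead:
            alerts.append({
                "user": user,
                "burst_start": burst_start,
                "burst_end": burst_end,
                "teams_added_at": ts,
                "actor": actor,
                "minutes_after_burst": (ts - burst_start).total_seconds() / 60,
            })
    return alerts


if __name__ == "__main__":
    mail, teams = make_sample_events()
    for alert in correlate(mail, teams):
        print(alert)
```

Only alice fires: bob has no burst, carol has no Teams event, and dave's MemberAdded lands outside the look-ahead. In production the two feeds arrive from different sources (message trace versus the unified audit log), so the join key is the recipient UPN and the clocks need to be in the same zone before the comparison.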

On the endpoint, monitor for msedge.exe or chrome.exe launching with --load-extension from unusual paths — anything under AppData\Local\Temp is worth an alert. That’s not normal browser behaviour.

For SNOWGLAZE, flag WebSocket connections to non-standard IPs from Python-based executables.

// Detect browser extensions loading from Temp
// Set ago() to match your alert schedule frequency
DeviceProcessEvents
| where Timestamp > ago(1h)
| where FileName in~ ("msedge.exe", "chrome.exe")
| where ProcessCommandLine contains "--load-extension"
| where ProcessCommandLine contains "AppData\\Local\\Temp"
| extend RMMSpawned = InitiatingProcessFileName in~ (
    "Supremo.exe", "AnyDesk.exe", "msra.exe",
    "quickassist.exe", "ScreenConnect.exe", "TeamViewer.exe")
| project Timestamp, DeviceName, FileName, ProcessCommandLine, InitiatingProcessFileName, RMMSpawned
| sort by RMMSpawned desc, Timestamp desc
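The query above keys on the literal substring AppData\Local\Temp, so a forward-slash spelling of the same directory or a quoted value with spaces would not match. As an added example (not the post's own code), here is the same check done by actually parsing the --load-extension value out of a DeviceProcessEvents-shaped record, normalising separators and case, and splitting Chromium's comma-separated path list. The sample events are constructed; the RMM parent list matches the query above, and the two extra writable directories beyond Temp are an assumption.

```python
import re

# Parents named in the query above (Quick Assist runs as quickassist.exe, msra.exe is Remote Assistance)
RMM_PARENTS = {"supremo.exe", "anydesk.exe", "msra.exe", "quickassist.exe",
               "screenconnect.exe", "teamviewer.exe"}
BROWSERS = {"msedge.exe", "chrome.exe"}

# Writable locations an unpacked extension has no business living in.
# AppData\Local\Temp is from the post; Windows\Temp and Users\Public are an assumption.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\", "\\users\\public\\")

_EXT_RE = re.compile(
    r'"--load-extension=([^"]*)"'              # whole argument quoted: "--load-extension=C:\a b\x"
    r'|--load-extension(?:=|\s+)"([^"]*)"'     # only the value quoted: --load-extension="C:\a b\x"
    r'|--load-extension(?:=|\s+)([^\s"]+)',    # bare value, possibly a comma-separated list
    re.IGNORECASE,
)


def extension_paths(cmdline):
    """Every directory passed via --load-extension, one entry per comma-separated path."""
    paths = []
    for m in _EXT_RE.finditer(cmdline):
        value = m.group(1) or m.group(2) or m.group(3)
        paths.extend(p.strip() for p in value.split(",") if p.strip())
    return paths


def is_suspicious_dir(path):
    """Normalise separators and case, then test against the writable-directory markers."""
    norm = path.replace("/", "\\").rstrip("\\").lower() + "\\"
    return any(marker in norm for marker in SUSPICIOUS_DIRS)


def evaluate(event):
    """Classify one record with FileName, ProcessCommandLine and InitiatingProcessFileName."""
    paths = extension_paths(event["ProcessCommandLine"])
    browser = event["FileName"].lower() in BROWSERS
    suspicious = [p for p in paths if is_suspicious_dir(p)]
    rmm = event["InitiatingProcessFileName"].lower() in RMM_PARENTS
    return {
        "extension_paths": paths,
        "suspicious_paths": suspicious,
        "rmm_spawned": rmm,               # escalates the alert, but is not required for it
        "alert": browser and bool(suspicious),
    }


# Constructed sample records, not real telemetry.
SAMPLE_EVENTS = [
    {"FileName": "msedge.exe",
     "ProcessCommandLine": r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
                           r'--load-extension="C:\Users\jdoe\AppData\Local\Temp\snw" --no-first-run',
     "InitiatingProcessFileName": "Supremo.exe"},
    {"FileName": "msedge.exe",   # forward slashes: missed by a backslash substring match
     "ProcessCommandLine": r"msedge.exe --load-extension=C:/Users/jdoe/AppData/Local/Temp/ext1,D:/dev/myext",
     "InitiatingProcessFileName": "explorer.exe"},
    {"FileName": "chrome.exe",   # whole argument quoted because the path contains spaces
     "ProcessCommandLine": r'chrome.exe "--load-extension=C:\Users\j d\AppData\Local\Temp\x y"',
     "InitiatingProcessFileName": "AnyDesk.exe"},
    {"FileName": "chrome.exe",   # developer loading an unpacked extension from a source tree
     "ProcessCommandLine": r"chrome.exe --load-extension=C:\Users\dev\src\myext",
     "InitiatingProcessFileName": "explorer.exe"},
    {"FileName": "msedge.exe",   # no extension flag at all
     "ProcessCommandLine": r"msedge.exe --profile-directory=Default",
     "InitiatingProcessFileName": "explorer.exe"},
]


def run(events=SAMPLE_EVENTS):
    """Evaluate every record and return the results in input order."""
    return [evaluate(e) for e in events]


if __name__ == "__main__":
    for event, result in zip(SAMPLE_EVENTS, run()):
        print(result["alert"], result["rmm_spawned"], result["suspicious_paths"])
```

The third record fires even though the first two would have been the only hits for a plain substring match, and the fourth shows a developer's unpacked extension outside Temp staying quiet. The RMM parent flag is kept separate from the alert decision so the sequence can still be triaged when the extension was loaded after the remote session ended.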

It’s a simple trick. That’s why it worked in 12 minutes. Stop letting “Support” in the front door.