Ehedrick
2026-05-09
Cybersecurity

Defending Against Modern Social Engineering Campaigns: A Deep Dive into UNC6692's Tactics

Guide to defending against UNC6692-style social engineering attacks: recognize email flooding, Teams phishing, AutoHotkey malware, and SNOWBELT browser extension persistence.

Overview

In late 2025, Google Threat Intelligence Group identified an intrusion campaign by a previously unknown threat actor tracked as UNC6692. The group combined persistent social engineering (an email flood followed by a help-desk pretext over Microsoft Teams), a custom modular malware suite built on AutoHotkey, and lateral movement to move deep into victim networks. The campaign illustrates how social engineering now abuses trusted collaboration platforms such as Teams to deliver custom malware. This tutorial walks through the UNC6692 attack chain step by step from the defender's side, so that security teams can recognize, investigate, and mitigate similar intrusions.

Source: www.mandiant.com

Prerequisites

  • Basic knowledge of Windows operating system internals (startup folders, scheduled tasks).
  • Familiarity with browser extensions and their security implications.
  • Understanding of social engineering red flags (unsolicited help desk contacts, email floods).
  • Access to endpoint detection and response (EDR) logs and proxy logs for investigation.
  • Familiarity with tools like AutoHotkey and Chromium-based browsers.

Step-by-Step Defense Analysis

Step 1: Identify the Initial Vector – Email Flooding and Teams Phishing

UNC6692 began with a flood of unsolicited email designed to overwhelm the target's inbox and create urgency and confusion. Shortly afterwards, the attacker opened a Microsoft Teams chat with the victim, impersonating help desk staff and offering to fix the email problem. Key red flag: the Teams chat came from an account outside the organization's tenant. Defenders should watch for a sudden spike in inbound mail to one user followed, within minutes or hours, by an unsolicited external collaboration request to the same user.

Proxy logs alone will not distinguish an external tenant: every Teams client talks to teams.microsoft.com regardless of who started the chat. Instead, pull Teams chat and message events from the Microsoft 365 audit log (or Defender telemetry) and filter for chats whose sender is outside your tenant, for example a sender domain that is not one of your accepted domains, then correlate those hits with the inbound mail volume to the same recipient in the preceding hour.
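The correlation just described, written out as an added example that is not code from the original page or from the GTIG/Mandiant report. It runs over constructed mail-flow and Teams chat records (the field names, the tenant names, and the 30-messages-in-15-minutes threshold are assumptions); substitute your own Exchange message trace and Teams audit exports.

```python
"""Correlate an email flood with a follow-on Teams chat from outside the tenant.

Added example; not code from the original page or the GTIG/Mandiant report.
Event records, field names (ts, recipient, sender, sender_tenant), tenant
names and thresholds are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

HOME_TENANT = "contoso.onmicrosoft.com"  # assumption: the defender's own tenant

# Constructed sample telemetry: 40 messages hit alice in ten minutes, bob gets five.
MAIL_EVENTS = [
    {"ts": (datetime(2026, 5, 1, 9, 0, 0) + timedelta(seconds=15 * i)).isoformat(),
     "recipient": "alice@contoso.com"} for i in range(40)
] + [
    {"ts": (datetime(2026, 5, 1, 9, 0, 0) + timedelta(minutes=3 * i)).isoformat(),
     "recipient": "bob@contoso.com"} for i in range(5)
]

# Constructed Teams chat-creation records; sender_tenant is the sender's home tenant.
TEAMS_CHATS = [
    {"ts": "2026-05-01T09:20:00", "recipient": "alice@contoso.com",
     "sender": "helpdesk@it-support-portal.onmicrosoft.com",
     "sender_tenant": "it-support-portal.onmicrosoft.com"},   # external, after the flood
    {"ts": "2026-05-01T09:30:00", "recipient": "alice@contoso.com",
     "sender": "servicedesk@contoso.com",
     "sender_tenant": "contoso.onmicrosoft.com"},              # internal: ignore
    {"ts": "2026-05-01T09:25:00", "recipient": "bob@contoso.com",
     "sender": "helpdesk@it-support-portal.onmicrosoft.com",
     "sender_tenant": "it-support-portal.onmicrosoft.com"},   # external, but no flood
]


def mail_bursts(events, threshold=30, window=timedelta(minutes=15)):
    """Map recipient -> start time of the first sliding window in which they
    received at least `threshold` messages within `window`."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["recipient"]].append(datetime.fromisoformat(e["ts"]))
    bursts = {}
    for user, times in by_user.items():
        times.sort()
        j = 0
        for i, t in enumerate(times):
            while t - times[j] > window:      # slide the window's left edge
                j += 1
            if i - j + 1 >= threshold:
                bursts[user] = times[j]
                break
    return bursts


def external_followups(bursts, chats, home_tenant=HOME_TENANT,
                       lookahead=timedelta(hours=2)):
    """Flag chats from outside home_tenant that reach a flooded user within
    `lookahead` of the flood starting: the UNC6692 help-desk pretext."""
    alerts = []
    for c in chats:
        user = c["recipient"]
        if user not in bursts or c["sender_tenant"].lower() == home_tenant.lower():
            continue
        t = datetime.fromisoformat(c["ts"])
        if bursts[user] <= t <= bursts[user] + lookahead:
            alerts.append({"user": user, "sender": c["sender"],
                           "minutes_after_flood": (t - bursts[user]).total_seconds() / 60})
    return alerts


def run_detection():
    return external_followups(mail_bursts(MAIL_EVENTS), TEAMS_CHATS)


if __name__ == "__main__":
    for a in run_detection():
        print(f"ALERT {a['user']}: external chat from {a['sender']} "
              f"{a['minutes_after_flood']:.0f} min after the email flood began")
```

Only alice is flagged: bob received an external chat but no flood, and the internal service desk message to alice is ignored because its sender tenant matches the home tenant. Tune the threshold and window to your organisation's normal mail volume before turning this into an alert.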

Step 2: Trace the Infection Chain – AutoHotkey Download

The victim was told to click a link and install a "local patch" to stop the spam. The URL pointed to an HTML page hosted in an AWS S3 bucket: https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html. That page initiated the download of a renamed AutoHotkey interpreter together with an AutoHotkey script (.ahk) sharing the same base name. No command-line argument is needed: when the AutoHotkey interpreter is launched without a script path, it looks for a script named after the executable in the executable's own directory and runs it.

Investigation: hunt for AutoHotkey interpreters (AutoHotkey.exe, or any executable whose PE version information still reports an AutoHotkey OriginalFilename) downloaded from unexpected sources such as object-storage URLs. Check browser download history and your proxy and DNS logs for the bucket hostname; the attacker's S3 access logs are not available to you. The HTML page may contain obfuscated JavaScript that triggers the download, so retrieve and examine it in an isolated environment.

Step 3: Examine the Malware Payload – SNOWBELT Browser Extension

The AutoHotkey script delivered in Step 2 was not recovered, but the chain installed a malicious Chromium browser extension tracked as SNOWBELT. The extension was not distributed through the Chrome Web Store; it was sideloaded as an unpacked extension using the --load-extension command-line flag. The AutoHotkey snippet below (from the page's source, with explanatory comments) shows how Edge was launched in headless mode with the extension, preferring a scheduled task and falling back to a direct launch:

if !CheckHeadlessEdge(){                         ; is a headless Edge (the extension host) already running?
   try{                                          ; AutoHotkey v2: try without catch silently swallows errors
      taskService:=ComObject("Schedule.Service") ; Task Scheduler COM interface
      taskService.Connect()
      rootFolder:=taskService.GetFolder("\")
      if FindAndRunTask(rootFolder){             ; locate the persisted task and fire it
         Sleep 10000                             ; give the task ten seconds to start Edge
         if CheckHeadlessEdge(){                 ; task did the job, nothing more to do
            ExitApp
         }
      }
   }
   ; fallback: launch Edge directly, headless, with the sideloaded extension
   Run 'cmd /c start "" "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --user-data-dir="%LOCALAPPDATA%\Microsoft\Edge\System Data" --headless=new --load-extension="%LOCALAPPDATA%\Microsoft\...'
}

Defense action: alert on Edge or Chrome processes started with --load-extension, especially combined with --headless and a --user-data-dir outside the browser's default profile location. Check for unpacked extensions under %LOCALAPPDATA%\Microsoft\Edge\System Data\ (a directory name chosen to look like part of the browser's own profile data) and compare the extension's manifest against what the Web Store and your enterprise extension policy actually allow.

Step 4: Analyze Persistence Mechanisms

UNC6692 established persistence in two ways:

  1. Startup Folder: A shortcut to an AutoHotkey script was placed in the user's Windows Startup folder, so the script ran at each logon.
  2. Scheduled Task: When the script found no headless Edge running, it looked up a scheduled task through the Task Scheduler COM interface and ran it; if the task did not bring the extension host up, the script launched Edge with the extension directly.

Check these: use Autoruns or PowerShell (Get-ScheduledTask, or schtasks /query /xml to export task definitions) to list startup items and scheduled tasks. Look for task actions that launch a browser with --load-extension or an AutoHotkey interpreter, and for task names that mimic legitimate software (e.g., "MicrosoftEdgeUpdate") or are deliberately bland.

Step 5: Detect Post-Exploitation Reconnaissance

Evidence from the AutoHotkey script (before it was removed from the host) showed reconnaissance commands being executed, most likely to collect user information, network details, and credential stores. Typical commands for this stage include whoami, net user, ipconfig, and WMI queries.

Defense: enable process creation auditing with command-line logging (Event ID 4688 only includes the command line once the "Include command line in process creation events" policy is turned on; Sysmon Event ID 1 records it by default) and look for unusual parent-child pairs, for example cmd.exe, whoami.exe or net.exe spawned by an AutoHotkey interpreter, renamed or not. Also monitor for lateral movement over RDP or SMB from the affected host.
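The hunts from Steps 2 to 5 can share one command-line classifier. The block below is an added example, not code from the original page or from the GTIG/Mandiant report: it runs the same checks over constructed process-creation events (field names modelled on Sysmon Event ID 1 / Windows 4688, but assumed) and over a constructed scheduled-task XML export in the Task Scheduler schema. The file names, paths and the use of the PE OriginalFileName field to spot a renamed interpreter are assumptions; the Startup-folder shortcut from Step 4 is left to Autoruns.

```python
"""Hunt process telemetry and scheduled-task XML for UNC6692-style patterns:
a renamed AutoHotkey binary, a browser launched headless with --load-extension,
recon tools spawned by an AutoHotkey parent, and a task action that relaunches
the browser. Added example; not code from the page or the GTIG/Mandiant report.
All events, paths and the task XML below are constructed for this example.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath

BROWSERS = {"msedge.exe", "chrome.exe", "brave.exe"}
RECON_TOOLS = {"cmd.exe", "whoami.exe", "net.exe", "net1.exe", "ipconfig.exe",
               "wmic.exe", "powershell.exe", "nltest.exe", "systeminfo.exe"}
LOAD_EXT = re.compile(r'--load-extension=(?:"([^"]+)"|(\S+))', re.IGNORECASE)
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}


def base(path):
    return PureWindowsPath(path).name.lower()


def is_autohotkey(image, original_file_name=""):
    """True for AutoHotkey by file name or by the PE version-info OriginalFilename,
    which survives renaming (assumption: the sensor records that field)."""
    return (base(image).startswith("autohotkey")
            or original_file_name.lower().startswith("autohotkey"))


def classify_commandline(image, cmdline):
    """Reasons a browser command line looks like SNOWBELT-style sideloading."""
    reasons = []
    if base(image) in BROWSERS:
        m = LOAD_EXT.search(cmdline)
        if m:
            reasons.append(f"browser sideloads unpacked extension from {m.group(1) or m.group(2)}")
        if re.search(r"--headless(=\w+)?\b", cmdline):
            reasons.append("browser started headless")
        if "--user-data-dir=" in cmdline.lower():
            reasons.append("non-default profile directory")
    return reasons


def classify_event(ev):
    """Reasons a single process-creation event is suspicious."""
    reasons = classify_commandline(ev["image"], ev["cmdline"])
    ofn = ev.get("original_file_name", "")
    if ofn.lower().startswith("autohotkey") and not base(ev["image"]).startswith("autohotkey"):
        reasons.append(f"renamed AutoHotkey binary ({base(ev['image'])}, OriginalFileName={ofn})")
    if base(ev["image"]) in RECON_TOOLS and is_autohotkey(
            ev.get("parent_image", ""), ev.get("parent_original_file_name", "")):
        reasons.append(f"recon tool {base(ev['image'])} spawned by AutoHotkey parent")
    return reasons


def hunt_events(events):
    return [(ev["image"], r) for ev in events for r in classify_event(ev)]


def hunt_task_xml(xml_text):
    """Inspect the Exec actions of an exported scheduled task (schtasks /query /xml).
    The XML declaration is omitted here; real exports carry encoding="UTF-16"."""
    root = ET.fromstring(xml_text)
    hits = []
    for ex in root.findall(".//t:Actions/t:Exec", TASK_NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = (ex.findtext("t:Arguments", default="", namespaces=TASK_NS) or "").strip()
        hits.extend(classify_commandline(cmd, args))
        if is_autohotkey(cmd):
            hits.append("task runs an AutoHotkey interpreter")
    return hits


EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
PROFILE = r"C:\Users\alice\AppData\Local\Microsoft\Edge\System Data"

# Constructed process-creation events (not real telemetry).
SAMPLE_EVENTS = [
    {"image": r"C:\Users\alice\Downloads\update.exe", "original_file_name": "AutoHotkey.exe",
     "cmdline": r'"C:\Users\alice\Downloads\update.exe"', "parent_image": EDGE},
    {"image": EDGE, "original_file_name": "msedge.exe", "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": f'"{EDGE}" --user-data-dir="{PROFILE}" --headless=new --load-extension="{PROFILE}\\ext"'},
    {"image": r"C:\Windows\System32\whoami.exe", "original_file_name": "whoami.exe",
     "cmdline": "whoami /all", "parent_image": r"C:\Users\alice\Downloads\update.exe",
     "parent_original_file_name": "AutoHotkey.exe"},
    {"image": EDGE, "original_file_name": "msedge.exe", "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": f'"{EDGE}" --profile-directory=Default'},          # benign launch
]

# Constructed task export in the Task Scheduler schema.
SAMPLE_TASK_XML = f"""<Task version="1.2" xmlns="{TASK_NS['t']}">
  <Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>{EDGE}</Command>
      <Arguments>--user-data-dir="{PROFILE}" --headless=new --load-extension="{PROFILE}\\ext"</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for image, reason in hunt_events(SAMPLE_EVENTS):
        print(f"[process] {base(image)}: {reason}")
    for reason in hunt_task_xml(SAMPLE_TASK_XML):
        print(f"[task] {reason}")
```

The benign Edge launch produces no finding, while the renamed interpreter, the headless sideloading launch, the whoami child of the AutoHotkey parent, and the task action are each reported. Matching on OriginalFileName is what catches the renamed binary; a rule keyed only on the image name would miss it, which is also why AppLocker and WDAC rules for AutoHotkey should be publisher- or hash-based rather than path-based.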

Step 6: Implement Mitigation Strategies

Based on this attack chain, implement the following controls:

  • Restrict Teams external access to an allow-list of partner tenants, and turn off chat from unmanaged personal Teams accounts; review the list periodically rather than leaving federation open.
  • Treat executables fetched from public object storage (S3 buckets and similar) as untrusted: the bucket name is attacker-controlled even though the parent domain is legitimate, so rely on file-type controls, SmartScreen and download inspection rather than a domain allow-list alone.
  • Block AutoHotkey with AppLocker or WDAC where it is not needed, using publisher or hash rules; a path or file-name rule is defeated by renaming the interpreter, which is exactly what this campaign did.
  • Alert on browser launches carrying --load-extension, and on --headless combined with a non-default --user-data-dir.
  • Train employees to verify help desk contacts through a separate channel (phone, the ticketing system), and make sure the real help desk never opens cold Teams chats from outside the tenant.
  • Use EDR to detect anomalous scheduled task creation and Startup-folder modifications, and correlate them with the download events from Step 2.

Common Mistakes

  • Over-reliance on trust: employees rarely question a help desk message, especially in the middle of an email flood, and the flood itself is what makes the offer of help credible. Always verify through a secondary channel.
  • Ignoring external collaboration invites: many organizations allow external Teams access without restriction. Limit it to approved tenants.
  • Assuming AutoHotkey is harmless: it is a legitimate automation tool, but attackers routinely use it as a malware scripting runtime. Monitor its execution, including renamed copies.
  • Not logging command lines: without command-line auditing, the reconnaissance stage and the browser's --load-extension launch are invisible in process logs.

Summary

The UNC6692 campaign shows how far social engineering has evolved: an email flood, a help-desk pretext over Teams, and custom malware delivered through AutoHotkey scripts, ending in a sideloaded browser extension and scheduled-task persistence. Defenders should monitor for these specific patterns: external Teams chats arriving shortly after a mail spike, unexpected executable downloads from cloud object storage, renamed AutoHotkey interpreters, and browser extensions loaded from non-standard directories. Understanding the full attack chain lets organizations train users on the pretext and tune detection rules to catch similar intrusions early.