
Apr 27, 2026 · 7 min read

Hackers Flooded Inboxes With Spam, Then Called on Teams—The Chrome Extension They Installed Stole the Entire Active Directory

Google's Mandiant uncovered UNC6692, a threat group that chains email bombing, fake IT support on Microsoft Teams, and a malicious browser extension into a full domain compromise.

It Started With a Wall of Spam

In late December 2025, employees at an enterprise organization noticed their inboxes filling with hundreds of unsolicited emails. The volume was intentional. A threat group tracked as UNC6692 was running what researchers call an email bombing campaign, designed not to deliver malware but to create chaos and urgency.

Minutes later, a message arrived on Microsoft Teams. The sender appeared to be from the company's IT help desk, offering to install a patch that would stop the email spam. The employee clicked the link. Within hours, the attackers had the keys to the entire network.

Google's Threat Intelligence Group and Mandiant published the full attack chain on April 25, 2026, revealing a modular malware ecosystem they named SNOW. Between March and April 2026, 77% of observed UNC6692 incidents targeted senior-level employees.


The Attack Chain: From Inbox to Domain Controller

The attack followed a precise sequence. First, the email bombing created the problem. Then the Teams message offered the solution. The phishing link led to a page hosted on an AWS S3 bucket, disguised as a "Mailbox Repair and Sync Utility." The page even forced victims to open it in Microsoft Edge for "compatibility," ensuring the attack ran in the right browser environment.

The page used a psychological trick during credential harvesting: it rejected the first two password attempts as "incorrect," prompting victims to re-enter their credentials. This gave the attackers two copies of the password while reinforcing the page's legitimacy. Meanwhile, a fake progress bar displayed messages like "Parsing configuration data" and "Checking mailbox integrity" to keep the victim engaged while their credentials were exfiltrated to an attacker-controlled S3 bucket.

The final payload was not a traditional executable. It was a Chrome browser extension.

SNOWBELT: The Invisible Chrome Extension

The core of the SNOW malware suite is SNOWBELT, a JavaScript-based backdoor delivered as a Chromium browser extension. It masquerades under names like "MS Heartbeat" or "System Heartbeat" and runs on a headless instance of Microsoft Edge, meaning the victim never sees it in their browser.

SNOWBELT is far more sophisticated than typical malicious extensions that steal login cookies or harvest credentials. It uses a time-based domain generation algorithm to rotate its command-and-control servers every 30 minutes, encrypts all communications with AES-GCM, and maintains persistence through scheduled tasks and Windows Startup folder shortcuts.

The extension supports a full command set: remote shell execution, screenshot capture, file downloads, browser sandbox evasion through native messaging, and data exfiltration to attacker-controlled S3 buckets. It also monitors whether downloaded payloads trigger antivirus alerts, reporting back if a file is flagged as infected so attackers can adjust their tools.

The Supporting Cast: SNOWGLAZE and SNOWBASIN

SNOWBELT does not work alone. Two companion tools complete the ecosystem:

  • SNOWGLAZE is a Python-based tunneler that creates a secure WebSocket connection between the victim's internal network and the attackers' infrastructure on Heroku. It supports SOCKS proxy operations, allowing attackers to route any TCP traffic through the compromised host as if they were sitting on the corporate network.
  • SNOWBASIN is a Python-based backdoor that runs a local HTTP server on ports 8000 through 8002. It executes commands, captures screenshots, reads and exfiltrates files, and downloads additional payloads. SNOWBELT relays attacker commands to SNOWBASIN through localhost, and results flow back through the SNOWGLAZE tunnel.

Together, the three tools create a layered architecture: SNOWBELT provides the initial foothold and browser-level access, SNOWBASIN handles system-level operations, and SNOWGLAZE tunnels everything through legitimate cloud services to avoid detection.

From Browser to Full Domain Compromise

Once inside, UNC6692 moved fast. The attackers scanned the internal network for SMB and RDP services, used pass-the-hash techniques with credentials dumped from LSASS memory, and moved laterally to backup servers and domain controllers. On the domain controller, they used FTK Imager to extract the Active Directory database, the Security Account Manager, and critical registry hives.

The exfiltration channel was LimeWire, a file transfer tool. The entire progression from a browser extension installed through a social engineering trick to complete domain compromise happened through legitimate cloud services: AWS S3 for payloads and data staging, Heroku for command and control, and WebSocket connections that blended into normal encrypted traffic.

Why Email Bombing Is the New First Move

UNC6692's use of email bombing as the opening gambit is a growing trend. Instead of trying to sneak a single phishing email past filters, attackers deliberately flood the inbox to create a support ticket that they then answer themselves through Teams or phone calls. The victim is primed to accept help because the problem is real.

This technique exploits the same trust gap that makes voice phishing so effective against enterprises. When someone from "IT" reaches out during a crisis, the natural response is to cooperate rather than verify. UNC6692 takes it further by channeling that trust into a browser extension installation, a delivery mechanism that most security tools are not designed to monitor.
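The "flood, then offer help" sequence described above is also a detectable pattern if mail-gateway and Teams audit data are correlated. The following is an added example of that correlation, not code from the Mandiant/GTIG report: it counts inbound mail per recipient in a sliding window, then flags any Teams message from an external tenant that reaches a flooded user shortly afterwards. The event shape, the thresholds, and the tenant name `corp.example` are constructed assumptions to be mapped onto your own log exports.

```python
"""Correlate an inbound mail flood with a follow-up Teams contact.

Added example, not code from the Mandiant/GTIG report. The event shape
below is constructed; map it onto your mail-gateway and Teams audit exports.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FLOOD_THRESHOLD = 50                     # inbound mails per sliding window
FLOOD_WINDOW = timedelta(minutes=10)
FOLLOWUP_WINDOW = timedelta(minutes=60)  # how soon after the flood "help" arrives
INTERNAL_TENANT = "corp.example"         # assumed home tenant; its Teams senders are trusted here


def _build_sample_events():
    """Constructed events: (timestamp, kind, recipient, counterpart).
    kind "mail":  counterpart is the sender address.
    kind "teams": counterpart is the sending tenant's domain."""
    base = datetime(2025, 12, 29, 9, 0)
    events = []
    # alice receives 60 mails in under 8 minutes (the bombing wave)
    for i in range(60):
        events.append((base + timedelta(seconds=8 * i), "mail",
                       "alice@corp.example", f"noreply{i}@newsletter.example"))
    # bob receives a normal trickle
    for i in range(5):
        events.append((base + timedelta(minutes=3 * i), "mail",
                       "bob@corp.example", "colleague@partner.example"))
    # external "IT support" contacts alice 20 minutes after the flood starts
    events.append((base + timedelta(minutes=20), "teams",
                   "alice@corp.example", "it-support-desk.onmicrosoft.example"))
    # a genuine internal colleague messages alice: not alerted
    events.append((base + timedelta(minutes=25), "teams",
                   "alice@corp.example", INTERNAL_TENANT))
    # external partner messages bob, but bob saw no flood: not alerted
    events.append((base + timedelta(minutes=30), "teams",
                   "bob@corp.example", "partner.example"))
    return events


SAMPLE_EVENTS = _build_sample_events()


def find_mail_floods(events, threshold=FLOOD_THRESHOLD, window=FLOOD_WINDOW):
    """Return {recipient: flood_start} for recipients whose inbound mail count
    reaches `threshold` inside any `window`-long sliding interval."""
    by_user = defaultdict(list)
    for ts, kind, user, _ in events:
        if kind == "mail":
            by_user[user].append(ts)
    floods = {}
    for user, times in by_user.items():
        times.sort()
        left = 0
        for right, ts in enumerate(times):
            while ts - times[left] > window:
                left += 1
            if right - left + 1 >= threshold:
                floods[user] = times[left]
                break
    return floods


def correlate(events, followup=FOLLOWUP_WINDOW, internal=INTERNAL_TENANT):
    """Return (recipient, tenant, timestamp) for every Teams message from an
    external tenant that reaches a flooded user within `followup` of the flood."""
    floods = find_mail_floods(events)
    alerts = []
    for ts, kind, user, tenant in sorted(events):
        if kind != "teams" or tenant == internal:
            continue
        start = floods.get(user)
        if start is not None and start <= ts <= start + followup:
            alerts.append((user, tenant, ts))
    return alerts


if __name__ == "__main__":
    for user, tenant, ts in correlate(SAMPLE_EVENTS):
        print(f"{ts:%H:%M} {user} contacted by external tenant {tenant} during mail flood")
```

The external-tenant filter matters: the point of the lure is that it arrives from outside the organization while looking like internal IT, so a Teams message from your own tenant during a flood should not by itself page anyone. Phone-call follow-ups are outside what this can see, so the mail-flood finding on its own is still worth surfacing to the user and the help desk.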

How to Protect Yourself

The UNC6692 campaign exploits a fundamental weakness: people trust browser extensions and workplace communication tools. Defending against this attack requires action at multiple levels:

  • Verify IT contacts out of band. If someone messages you on Teams claiming to be IT support, call your help desk directly using a known number. Do not click links in the Teams message.
  • Monitor browser extension installations. Enterprise security teams should track and restrict which extensions can be installed, especially those loaded outside the Chrome Web Store.
  • Watch for email bombing. A sudden flood of spam emails followed by an unsolicited Teams or phone call offering help is a signature pattern. Report it immediately.
  • Enable MFA everywhere. Even if credentials are harvested, MFA prevents attackers from using them to log in.
  • Audit headless browser processes. SNOWBELT runs on a hidden Edge instance. Security tools should flag unexpected headless browser processes with network connections.
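The host-side footprint described on this page (a headless Edge instance running the extension, and a Python process serving HTTP on localhost ports 8000 through 8002) can be checked from ordinary process and socket telemetry. The audit below is an added example, not code from the report or from any EDR vendor; the process snapshot is constructed, the `--load-extension` flag is assumed as one way a side-loaded extension might appear on a command line (the report does not say how SNOWBELT is loaded), and the severity scale is the author's own.

```python
"""Audit a process snapshot for the host-side footprint described above.

Added example, not code from the report or from any vendor. The snapshot
records are constructed; in practice they would come from EDR telemetry
(process command lines plus the sockets each process owns).
"""
import re
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    image: str
    cmdline: str
    listening: list = field(default_factory=list)   # local TCP ports bound
    remote: list = field(default_factory=list)      # (remote host, port) established


# Chromium accepts --headless and --headless=new; --load-extension is one
# way a side-loaded extension can be attached (an assumption; the report
# does not state how SNOWBELT is loaded).
HEADLESS_RE = re.compile(r"(?:^|\s)--headless(?:=\S+)?(?=\s|$)")
LOAD_EXT_RE = re.compile(r"--load-extension=")
BROWSERS = {"msedge.exe", "chrome.exe"}
BASIN_PORTS = {8000, 8001, 8002}   # local HTTP ports SNOWBASIN is reported to use

SNAPSHOT = [  # constructed sample snapshot
    Proc(4120, "msedge.exe",
         r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --headless=new '
         r'--disable-gpu --load-extension="C:\Users\a\AppData\Roaming\MS Heartbeat"',
         remote=[("example-app.herokuapp.test", 443)]),
    Proc(4180, "msedge.exe",
         r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default',
         remote=[("outlook.office.com", 443)]),
    Proc(5010, "python.exe", r"python.exe C:\Users\a\AppData\Local\Temp\svc.py",
         listening=[8000, 8001, 8002]),
    Proc(5300, "python.exe", "python.exe manage.py runserver",   # a developer's test server
         listening=[8000]),
    Proc(611, "svchost.exe", "svchost.exe -k netsvcs", remote=[("update.microsoft.com", 443)]),
]


def audit(procs):
    """Return (pid, finding, severity) tuples for processes matching the pattern."""
    findings = []
    for p in procs:
        image = p.image.lower()
        if image in BROWSERS and HEADLESS_RE.search(p.cmdline) and p.remote:
            # a headless browser that talks to the network is unusual on a workstation;
            # a side-loaded extension directory on the command line raises confidence
            severity = "high" if LOAD_EXT_RE.search(p.cmdline) else "medium"
            findings.append((p.pid, "headless-browser-with-network", severity))
        if image.startswith("python"):
            hits = BASIN_PORTS & set(p.listening)
            if hits:
                # all three ports at once matches the reported layout; a single
                # port is usually a developer's local server and is rated low
                severity = {3: "high", 2: "medium"}.get(len(hits), "low")
                findings.append((p.pid, "python-http-8000-8002", severity))
    return findings


if __name__ == "__main__":
    for pid, finding, severity in audit(SNAPSHOT):
        print(f"pid {pid}: {finding} [{severity}]")
```

Developers and build agents do run headless browsers and local HTTP servers, which is why the findings are scored rather than treated as binary; the combination of a headless browser with an outbound connection and a Python listener on all three ports on the same host is the pairing worth an analyst's attention. The persistence mechanisms named above (scheduled tasks and Startup folder shortcuts) are the natural place to look next for the command line that launched the headless browser.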
