Unit 42: Microsoft Teams external-chat now a primary phishing surface for APT29 and UNC6692
From CTI Daily Brief — 2026-06-09 · published 2026-06-09
Unit 42 reports that collaboration-platform phishing reached 42% of all phishing alerts in Cortex in the first four months of 2026, up from 30% in the preceding period, with Microsoft Teams external messaging the dominant vector (Unit 42, 2026-06-08). Two clusters dominate: Cloaked Ursa (APT29 / Midnight Blizzard) uses previously-compromised M365 tenants — often small-business accounts — to stand up IT-support-styled domains, then sends Teams messages requesting MFA approval or credential re-entry under an account-maintenance pretext. UNC6692 floods inboxes to manufacture urgency, then poses as IT support over Teams, ultimately delivering the SNOW suite — SNOWBELT (browser-extension backdoor), SNOWGLAZE (WebSocket tunneler) and SNOWBASIN (persistent backdoor) — after dumping LSASS via Task Manager (T1003.001) and moving laterally with Pass-the-Hash (T1550.002) (Mandiant, 2026-04-23). The root enabler is the default Teams configuration permitting unrestricted external-tenant messaging.
Why it matters to us: Hardening is configuration, not patching — restrict external access in the Teams Admin Center to explicitly-allowed partner domains and disable unmanaged/consumer-account chat. Detection concepts: Entra ID sign-in logs for logons originating from external M365 tenants; Teams activity logs for ExternalUserJoined events followed by rapid file/link shares; MDI alerts on MFA anomalies after cross-tenant contact. Extend AiTM-aware Conditional Access to Teams sign-in contexts.
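The two Teams-side detection concepts above (an external user joining and then sharing links or files within minutes, and Teams sign-ins from tenants that are neither ours nor an allow-listed partner) written out as a small correlation, added here as an example and not code from Unit 42, Mandiant or Microsoft. The audit records and sign-in records are constructed, and the field names, the operation names, the tenant ids and the 5-minute window are assumptions rather than a documented log schema:

```python
"""Correlate constructed Teams audit and Entra ID sign-in records for
cross-tenant lure activity. Example only; schema and values are assumed."""
from datetime import datetime, timedelta

# Our tenant plus the partner tenants explicitly allowed for external chat
# (constructed identifiers, not real tenant ids).
HOME_TENANT = "tenant-home-0000"
ALLOWED_PARTNER_TENANTS = {"tenant-partner-1111"}

# Constructed Teams audit records. "ext_user" is the external sender,
# "has_link" marks a chat message carrying a URL or file attachment.
TEAMS_EVENTS = [
    {"ts": "2026-06-08T09:00:00", "op": "ExternalUserJoined", "ext_user": "support@it-helpdesk-example.invalid",
     "ext_tenant": "tenant-unknown-9999", "has_link": False},
    {"ts": "2026-06-08T09:01:10", "op": "MessageSent", "ext_user": "support@it-helpdesk-example.invalid",
     "ext_tenant": "tenant-unknown-9999", "has_link": True},
    {"ts": "2026-06-08T09:01:40", "op": "MessageSent", "ext_user": "support@it-helpdesk-example.invalid",
     "ext_tenant": "tenant-unknown-9999", "has_link": True},
    {"ts": "2026-06-08T10:00:00", "op": "ExternalUserJoined", "ext_user": "alice@partner.example",
     "ext_tenant": "tenant-partner-1111", "has_link": False},
    {"ts": "2026-06-08T10:02:00", "op": "MessageSent", "ext_user": "alice@partner.example",
     "ext_tenant": "tenant-partner-1111", "has_link": False},
    {"ts": "2026-06-08T13:30:00", "op": "MessageSent", "ext_user": "alice@partner.example",
     "ext_tenant": "tenant-partner-1111", "has_link": True},
]

# Constructed Entra ID sign-in records; "home_tenant" is the tenant the
# signing-in identity belongs to.
SIGNIN_EVENTS = [
    {"ts": "2026-06-08T08:55:00", "user": "bob@home.example", "home_tenant": HOME_TENANT, "app": "Microsoft Teams"},
    {"ts": "2026-06-08T08:59:30", "user": "support@it-helpdesk-example.invalid",
     "home_tenant": "tenant-unknown-9999", "app": "Microsoft Teams"},
    {"ts": "2026-06-08T09:58:00", "user": "alice@partner.example", "home_tenant": "tenant-partner-1111",
     "app": "Microsoft Teams"},
]


def parse_ts(value):
    """ISO-8601 timestamp string to datetime."""
    return datetime.fromisoformat(value)


def rapid_share_after_join(events, window=timedelta(minutes=5)):
    """External users who shared a link or file within `window` of joining.

    Returns {external_user: number_of_shares_inside_the_window}. A share
    outside the window (the partner user hours later) is not counted.
    """
    joined_at = {}
    hits = {}
    for event in sorted(events, key=lambda e: e["ts"]):
        when = parse_ts(event["ts"])
        if event["op"] == "ExternalUserJoined":
            joined_at[event["ext_user"]] = when
        elif event["op"] == "MessageSent" and event["has_link"]:
            joined = joined_at.get(event["ext_user"])
            if joined is not None and when - joined <= window:
                hits[event["ext_user"]] = hits.get(event["ext_user"], 0) + 1
    return hits


def unallowlisted_tenant_signins(events, allowed_partners=ALLOWED_PARTNER_TENANTS):
    """Teams sign-ins whose home tenant is neither ours nor an allowed partner."""
    allowed = set(allowed_partners) | {HOME_TENANT}
    return [e for e in events if e["app"] == "Microsoft Teams" and e["home_tenant"] not in allowed]


def triage(teams_events=TEAMS_EVENTS, signin_events=SIGNIN_EVENTS):
    """Combine both signals: external users that both came from an
    unallowlisted tenant and shared links right after joining."""
    shares = rapid_share_after_join(teams_events)
    foreign = {e["user"] for e in unallowlisted_tenant_signins(signin_events)}
    return sorted(user for user in shares if user in foreign)


if __name__ == "__main__":
    print("rapid shares:", rapid_share_after_join(TEAMS_EVENTS))
    print("unallowlisted sign-ins:", [e["user"] for e in unallowlisted_tenant_signins(SIGNIN_EVENTS)])
    print("triage:", triage())
```

The allow-list in the code is the same set of partner domains the Teams Admin Center restriction above would carry; keeping the detection keyed on the identical list means a sign-in the policy should have blocked also shows up as a finding if the policy is later loosened.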