A threat actor tracked as UNC6692 has been using email bombing combined with Microsoft Teams impersonation to trick victims into installing a sophisticated malware framework called Snow. The attackers overwhelm targets with emails, then pose as IT support offering a fake mailbox repair tool that actually deploys a browser-based backdoor, allowing them to harvest credentials, move laterally through networks, and steal Active Directory data. Google's Threat Intelligence Group warns that by hosting malicious components on trusted cloud platforms like AWS, the attackers can bypass traditional security filters and blend into legitimate traffic.