← Back to Blog
Security Briefing4 min read2026-04-26

Security Briefing, April 26 2026: Teams-Delivered Snow Malware, ADT’s ShinyHunters Breach, and LMDeploy’s 13-Hour Exploit Window

Today’s pattern is blunt: attackers are abusing trusted chat, trusted SaaS identity, and trusted AI infrastructure faster than most teams can patch or verify.


Top line: Three stories deserve immediate attention this morning: a Microsoft Teams social-engineering chain that ends in domain compromise, a real-world vishing-to-SaaS breach at ADT, and an AI-serving SSRF bug that was probed in under half a day.


1. UNC6692 turns Microsoft Teams helpdesk trust into a full Snow malware chain

Google’s Mandiant says UNC6692 is using email bombing and Microsoft Teams impersonation to pressure employees into installing a fake anti-spam patch. The victim actually gets a dropper that launches the Snow toolset: the SnowBelt browser extension, the SnowGlaze tunneler, and the SnowBasin Python backdoor. From there, the operators dump LSASS, move laterally, reach domain controllers, and exfiltrate Active Directory material. This is not just another phishing email. It is a chat-native intrusion path built to look like internal support.


2. ADT confirms a breach after ShinyHunters allegedly phished an Okta-backed employee account

ADT says attackers accessed and stole customer and prospective-customer information, including names, phone numbers, addresses, and, in a smaller set of cases, dates of birth and the last four digits of SSNs or tax IDs. ShinyHunters told BleepingComputer the intrusion started with a vishing attack against an employee’s Okta SSO account and then expanded into Salesforce. Whether every attacker claim holds or not, the operational lesson is obvious: once a trusted SaaS identity falls, connected business platforms become the blast radius.


3. LMDeploy shows the AI exploit window is collapsing to hours

The LMDeploy SSRF flaw, CVE-2026-33626, was reportedly exploited within 12 hours and 31 minutes of disclosure. Attackers used the vision-language image loader to probe AWS metadata, Redis, MySQL, local admin surfaces, and an external callback endpoint. That matters because LMDeploy is exactly the kind of LLM-serving component teams deploy quickly and review lightly. When advisories hand over the root cause and affected code path, attackers do not wait for your next sprint.


What security teams should do today

  1. Lock down Teams-based support workflows and re-verify any recent remote-assistance events.
  2. Run a SaaS identity incident review if your environment relies on Okta, Salesforce, or similar high-trust connectors.
  3. Inventory exposed or reachable AI-serving components and patch LMDeploy before the next scan wave finds them.
  4. Use this morning to close trust gaps, not just tickets.

Sources


Bottom line: Today’s pattern is blunt: attackers are abusing trusted chat, trusted SaaS identity, and trusted AI infrastructure faster than most teams can patch or verify.

Find the trust breaks before they become incidents

KENSAI helps teams surface exposed attack paths across identity workflows, SaaS platforms, collaboration tools, and AI infrastructure before attackers turn normal business trust into breach access.

Free Scan →

Stay sharp.

🗡️ KENSAI Security Team