
UNC6692 Hijacks Microsoft Teams to Deploy SNOW Malware Suite


Executive Summary

A previously undocumented threat cluster tracked as UNC6692 has been observed using social engineering via Microsoft Teams to deliver a custom malware suite dubbed SNOW to targeted hosts. According to reporting from The Hacker News, the group impersonates IT helpdesk employees, initiating unsolicited Teams chat invitations to trick victims into installing the malware. The campaign highlights a growing trend of attackers abusing collaboration platforms for initial access.

Technical Analysis

UNC6692 operators initiate contact by sending a Microsoft Teams chat request from an account masquerading as an internal IT helpdesk staffer. Once the target accepts the invitation, the attacker convinces the victim to download and execute a file that delivers the SNOW malware suite. The custom backdoor includes capabilities for credential theft, keylogging, and lateral movement within the target network, though full technical details of the payload have not been publicly disclosed by researchers.

The reliance on Microsoft Teams as a delivery vector is notable because the platform is widely used in enterprise environments, and helpdesk impersonation carries inherent plausibility. The attacker accounts used in the campaign appear to be externally compromised or created for the operation, as they are not tied to the victim organization's tenant. UNC6692's tactics align with techniques observed in other recent intrusions that abuse collaboration tools, such as those documented by Mandiant and Microsoft Threat Intelligence.

Mitigations & Recommendations

Organizations should enforce strict policies requiring employees to verify IT helpdesk contacts through a secondary channel (e.g., email or in-person confirmation) before accepting unsolicited Teams chats or executing files from unknown senders. Administrators should restrict external Teams chat invitations to approved domains and enable logging for all Teams interactions. Security teams should also deploy endpoint detection and response (EDR) rules that flag execution of unsigned binaries delivered via collaboration platforms.
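The logging and allow-list recommendations above only pay off if something reviews the resulting records. The script below is an added example written for this article; it is not ZCyberNews code and not a published UNC6692 detection. It walks a set of constructed Teams chat events, skips chats opened by internal users or by senders on an approved-domain allow-list, and raises an alert for every chat opened by an unapproved external account, escalating to high severity when the sender's display name mimics IT support staff or the opening message carries an attachment, the two signals the article associates with this campaign. The event field names, the helpdesk keyword list and the sample records are all assumptions made for the example, not the exact Microsoft 365 audit log schema.

```python
"""Detection helper: flag Microsoft Teams chats that an external account
started toward an internal user, when that account's domain is not on the
approved-domain allow-list.  Added example for this article, not ZCyberNews
code and not a published UNC6692 detection; the event fields below are a
simplified assumption, not the exact Microsoft 365 audit log schema."""

from dataclasses import dataclass
from typing import Iterable, List

# Display-name fragments that, on an external sender, suggest helpdesk
# impersonation of the kind described in the article (heuristic, assumed).
HELPDESK_KEYWORDS = ("helpdesk", "help desk", "it support", "service desk")


@dataclass(frozen=True)
class TeamsChatEvent:
    timestamp: str
    operation: str          # "ChatCreated" marks the unsolicited first contact
    initiator_upn: str      # account that opened the chat
    initiator_display: str  # display name the recipient sees
    recipient_upn: str
    has_attachment: bool    # opening message carried a file or download link


@dataclass(frozen=True)
class Alert:
    timestamp: str
    initiator_upn: str
    recipient_upn: str
    severity: str
    reason: str


def domain_of(upn: str) -> str:
    """Return the lower-cased domain part of a user principal name."""
    return upn.rsplit("@", 1)[-1].lower()


def looks_like_helpdesk(display_name: str) -> bool:
    """True when the display name contains a helpdesk-style keyword."""
    name = display_name.lower()
    return any(word in name for word in HELPDESK_KEYWORDS)


def flag_external_helpdesk_chats(
    events: Iterable[TeamsChatEvent],
    internal_domain: str,
    approved_domains: Iterable[str],
) -> List[Alert]:
    """Return one Alert per chat opened by an unapproved external sender.

    Severity starts at "medium" and rises to "high" when the sender's display
    name mimics IT support staff or the opening message carries an attachment."""
    approved = {d.lower() for d in approved_domains}
    alerts: List[Alert] = []
    for ev in events:
        if ev.operation != "ChatCreated":
            continue                      # only the opening of a chat matters here
        sender_domain = domain_of(ev.initiator_upn)
        if sender_domain == internal_domain.lower():
            continue                      # internal colleague, out of scope
        if sender_domain in approved:
            continue                      # approved partner tenant
        severity = "medium"
        reasons = [f"chat opened from unapproved external domain {sender_domain}"]
        if looks_like_helpdesk(ev.initiator_display):
            severity = "high"
            reasons.append("sender display name mimics IT helpdesk")
        if ev.has_attachment:
            severity = "high"
            reasons.append("opening message carries an attachment")
        alerts.append(Alert(ev.timestamp, ev.initiator_upn, ev.recipient_upn,
                            severity, "; ".join(reasons)))
    return alerts


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    TeamsChatEvent("2024-01-01T09:00:00Z", "ChatCreated",
                   "alice@victim.example", "Alice Smith",
                   "bob@victim.example", False),
    TeamsChatEvent("2024-01-01T09:05:00Z", "ChatCreated",
                   "vendor@partner.example", "Vendor Support",
                   "bob@victim.example", True),
    TeamsChatEvent("2024-01-01T09:10:00Z", "ChatCreated",
                   "support@it-helpdesk-portal.example", "IT Helpdesk",
                   "bob@victim.example", True),
    TeamsChatEvent("2024-01-01T09:15:00Z", "ChatCreated",
                   "jane@mail.example", "Jane Doe",
                   "carol@victim.example", False),
    TeamsChatEvent("2024-01-01T09:20:00Z", "MessageSent",
                   "jane@mail.example", "Jane Doe",
                   "carol@victim.example", False),
]


def run_sample() -> List[Alert]:
    """Run the detector over the constructed events with victim.example as the
    internal tenant and partner.example as the only approved external domain."""
    return flag_external_helpdesk_chats(
        SAMPLE_EVENTS, "victim.example", ["partner.example"])


if __name__ == "__main__":
    for alert in run_sample():
        print(alert.severity.upper(), alert.timestamp, alert.initiator_upn,
              "->", alert.recipient_upn, ":", alert.reason)
```

On the sample data the detector raises two alerts: a high-severity one for the "IT Helpdesk" sender on an unapproved domain whose first message carries an attachment, and a medium-severity one for the plain external contact. The internal chat, the approved partner chat and the follow-up message event are all ignored, which keeps the rule focused on the unsolicited first contact the article describes rather than on every external message.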
