# UNC6692 Weaponizes Microsoft Teams Impersonation to Distribute SNOW Malware in Targeted Attacks


Threat intelligence researchers have identified a previously undocumented threat activity cluster designated UNC6692 that is exploiting a deceptively simple but highly effective social engineering tactic: impersonating IT help desk staff via Microsoft Teams to trick employees into accepting malicious chat invitations and installing a custom malware suite called SNOW.


The campaign represents a concerning evolution in credential theft and initial access techniques, combining platform trust exploitation with sophisticated social engineering to circumvent traditional security controls. Organizations using Microsoft Teams as their primary collaboration platform are particularly vulnerable to this attack vector.


## The Threat: UNC6692 and SNOW Malware


UNC6692 is a previously unknown threat cluster that has demonstrated operational sophistication and targeted attack capabilities. The group's primary methodology centers on social engineering via Microsoft Teams, using fake IT help desk personas to establish trust with potential victims before deploying custom malware.


The custom malware suite deployed by UNC6692 is identified as SNOW, which appears to function primarily as:


  • Information stealer — capturing credentials, browser data, and sensitive files
  • Lateral movement facilitator — establishing persistence and enabling further network compromise
  • Post-exploitation framework — providing attackers with remote access and command execution capabilities

## Background and Context: The Persistence of Help Desk Impersonation


This attack methodology is not novel, but its continued effectiveness underscores a critical security gap in many organizations. Social engineering remains one of the highest-impact attack vectors precisely because it targets human psychology rather than technical vulnerabilities.


Why help desk impersonation works:


  • Authority and legitimacy — IT support staff have implicit trust within organizations
  • Urgency messaging — attackers frame requests as time-sensitive security concerns
  • Platform familiarity — Microsoft Teams is ubiquitous in enterprise environments
  • Multiple touch points — casual chat invitations feel less suspicious than emails
  • Bypass of email security — Teams messages often bypass email security gateways and threat intelligence filtering

Previous campaigns have leveraged similar tactics across platforms, including:


  • Impersonating IT support via phone and email — creating fake password reset requests
  • Fake Microsoft Teams meeting invitations — distributing malicious Office documents
  • LinkedIn and social media impersonation — building rapport before credential theft requests

## Technical Details: The SNOW Malware and Attack Chain


While specific technical details about SNOW remain limited in public disclosures, the malware appears to combine multiple capabilities typical of modern information stealers and remote access tools.


Suspected SNOW capabilities include:


| Capability | Purpose |
|-----------|---------|
| Credential harvesting | Extracting passwords from browsers, email clients, VPNs |
| File enumeration and exfiltration | Identifying and stealing sensitive documents |
| Persistence mechanisms | Establishing a long-term foothold on compromised systems |
| Lateral movement utilities | Facilitating network propagation and privilege escalation |
| Command and control communications | Maintaining attacker access and receiving instructions |


The malware is typically delivered through:


1. Initial Teams message — appearing as a legitimate IT support notification
2. Attachment or link — containing the first-stage payload (likely disguised as a security patch, VPN update, or system utility)
3. User execution — victims run the malicious file, believing it necessary for system security
4. Secondary payload — SNOW is installed, often with minimal user interface changes to maintain stealth


## The Attack Methodology: Social Engineering at Scale


UNC6692's attack methodology follows a predictable but effective pattern:


Phase 1: Reconnaissance and Impersonation Setup

  • Threat actors identify target organizations and typical IT help desk communication patterns
  • Create convincing Teams accounts mimicking legitimate IT personas
  • Gather publicly available information about organization structure and naming conventions

Phase 2: Initial Contact and Trust Building

  • Send Teams chat invitations framing urgent security concerns
  • Use messaging that creates a sense of urgency ("Your VPN access has been compromised," "Security update required immediately")
  • Exploit the informal nature of Teams chat to bypass security awareness training focused on email threats

Phase 3: Payload Delivery

  • Provide links or file attachments presented as security patches or configuration updates
  • Convince victims that running the file is necessary to secure their accounts or systems
  • Use legitimate-appearing file names and icons

Phase 4: Post-Exploitation

  • Once SNOW is installed, exfiltrate credentials and sensitive data
  • Use stolen credentials for lateral movement within the network
  • Maintain persistent access for long-term reconnaissance or further attack development

## Implications for Organizations


This threat has significant implications for enterprise security posture:


Credential compromise at scale — Successful deployments of SNOW provide attackers with access credentials that enable them to move laterally throughout the organization, potentially reaching critical systems, databases, and intellectual property.


Platform exploitation — The misuse of Microsoft Teams demonstrates how legitimate communication tools can be weaponized. Organizations cannot simply block Teams or remove it from their environment, yet it remains an attack surface.


Defense evasion — Teams-based attacks often evade email security gateways and threat intelligence feeds, allowing malicious communications to reach users who would otherwise be protected by email filters.


Supply chain and third-party risk — Compromised credentials can be used to impersonate trusted internal resources, potentially affecting third-party relationships, vendor integrations, and partner networks.


Incident response complexity — Detecting compromise via Teams requires monitoring chat patterns, user behavior, and account anomalies that many organizations do not adequately track.


## Recommendations: Defending Against UNC6692 and Similar Threats


Organizations should implement a multi-layered defense strategy:


Technical Controls:


  • Endpoint Detection and Response (EDR) — Deploy agents capable of detecting suspicious process behavior, credential access attempts, and lateral movement
  • Network segmentation — Isolate critical systems and data repositories from general-use networks
  • Conditional access policies — Implement strict authentication requirements for Teams access, including MFA and device compliance
  • Threat intelligence integration — Subscribe to feeds about UNC6692 indicators of compromise (IOCs) and maintain updated detection rules
  • Monitor Teams API activity — Track unusual Teams bot creation, user impersonation patterns, and bulk chat invitations
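As an added illustration of the monitoring recommendation above (not code from the original article or from any vendor tooling), the following Python detector runs over a constructed JSON-lines export of Teams chat-creation audit events and flags the two patterns the attack chain relies on: an external-tenant sender using an IT help desk persona, and one external sender opening chats with many internal users in a short window. The field names, tenant ids and thresholds are assumptions, not the real Teams audit schema.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (JSON lines); field names are assumptions, not the real audit schema.
SAMPLE_LOG = """
{"ts":"2024-05-01T09:00:00Z","op":"ChatCreated","sender":"helpdesk@contoso-support.example","sender_tenant":"ext-1111","display":"IT Help Desk","recipient":"alice@corp.example"}
{"ts":"2024-05-01T09:00:20Z","op":"ChatCreated","sender":"helpdesk@contoso-support.example","sender_tenant":"ext-1111","display":"IT Help Desk","recipient":"bob@corp.example"}
{"ts":"2024-05-01T09:00:45Z","op":"ChatCreated","sender":"helpdesk@contoso-support.example","sender_tenant":"ext-1111","display":"IT Help Desk","recipient":"carol@corp.example"}
{"ts":"2024-05-01T09:01:10Z","op":"ChatCreated","sender":"helpdesk@contoso-support.example","sender_tenant":"ext-1111","display":"IT Help Desk","recipient":"dave@corp.example"}
{"ts":"2024-05-01T10:15:00Z","op":"ChatCreated","sender":"servicedesk@corp.example","sender_tenant":"corp-0000","display":"Service Desk","recipient":"erin@corp.example"}
{"ts":"2024-05-01T11:30:00Z","op":"ChatCreated","sender":"partner@vendor.example","sender_tenant":"ext-2222","display":"Pat Partner","recipient":"frank@corp.example"}
"""

HOME_TENANT = "corp-0000"  # assumption: the organisation's own tenant id
PERSONA_WORDS = ("help desk", "helpdesk", "it support", "service desk", "security team")
BULK_THRESHOLD = 3  # distinct internal recipients contacted by one external sender ...
BULK_WINDOW = timedelta(minutes=10)  # ... inside this window counts as a bulk invite wave

def parse_records(text):
    """Parse a JSON-lines export into dicts, converting the timestamp to datetime."""
    recs = []
    for line in text.strip().splitlines():
        r = json.loads(line)
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ")
        recs.append(r)
    return recs

def find_persona_impersonation(recs):
    """External-tenant senders whose display name claims an internal IT/help desk role."""
    return {r["sender"] for r in recs
            if r["sender_tenant"] != HOME_TENANT
            and any(w in r["display"].lower() for w in PERSONA_WORDS)}

def find_bulk_invites(recs):
    """External senders who open chats with >= BULK_THRESHOLD distinct users within BULK_WINDOW.
    Returns {sender: recipients reached in the first window that crosses the threshold}."""
    by_sender = defaultdict(list)
    for r in recs:
        if r["op"] == "ChatCreated" and r["sender_tenant"] != HOME_TENANT:
            by_sender[r["sender"]].append((r["ts"], r["recipient"]))
    flagged = {}
    for sender, events in by_sender.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            reached = {rcpt for ts, rcpt in events[i:] if ts - start <= BULK_WINDOW}
            if len(reached) >= BULK_THRESHOLD:
                flagged[sender] = len(reached)
                break
    return flagged
```

In the sample data only the external "IT Help Desk" persona trips both rules; the internal service desk account matches the persona words but is excluded because it belongs to the home tenant.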

Operational Controls:


  • Security awareness training — Educate employees about help desk impersonation tactics specific to Teams and other collaboration platforms
  • Verify requests out-of-band — Implement policies requiring employees to verify IT support requests through alternate channels (phone, in-person, established support tickets)
  • Credential hygiene — Enforce strong password practices, password managers, and limit credential reuse
  • Account monitoring — Track for unusual login patterns, geographic anomalies, and failed authentication attempts

Organizational Controls:


  • Incident response playbooks — Develop specific procedures for suspected Teams-based social engineering
  • Threat hunting — Proactively search for SNOW malware, unusual Teams activity, and credential theft indicators
  • Vendor communication — Clarify with IT leadership, and communicate to staff, that legitimate IT support will never ask users to download and run files via Teams
  • Audit Microsoft Teams settings — Review guest access policies, external sharing settings, and bot creation permissions

## Conclusion


UNC6692's campaign demonstrates that sophisticated threat actors continue to exploit the gap between security technology and human psychology. While no organization can eliminate social engineering risk entirely, implementing robust technical controls, maintaining vigilant user education, and establishing clear verification procedures for support requests can substantially reduce exposure.


As collaboration platforms become increasingly central to enterprise operations, security teams must extend their threat models to include platform-specific attack vectors and ensure that organizational trust in IT personnel is not weaponized against them.