# UNC6692 Exploits Microsoft Teams Trust: New Social Engineering Campaign Deploys Custom SNOW Malware


A previously undocumented threat activity cluster designated UNC6692 has been actively conducting targeted intrusions using sophisticated social engineering tactics leveraging Microsoft Teams, according to new security research. The group deploys a custom malware suite known as SNOW to compromise target systems, relying on convincing impersonation of IT helpdesk personnel to initiate contact with victims.


The campaign represents a growing trend of threat actors exploiting legitimate communication platforms as attack vectors, leveraging the trust organizations place in internal IT support channels to bypass traditional security awareness defenses.


## The Threat: UNC6692 Campaign Overview


UNC6692 represents a notable addition to the threat landscape due to its reliance on human-centric social engineering rather than technical exploits. The group has been observed targeting organizations across multiple sectors, though specific victim details remain limited in initial reporting.


Key characteristics of UNC6692 operations:

- Primary Attack Vector: Microsoft Teams impersonation campaigns
- Social Engineering Approach: Impersonating internal IT helpdesk and support personnel
- Initial Access Method: Convincing targets to accept Teams chat invitations from spoofed accounts
- Payload Delivery: Custom SNOW malware suite
- Target Industries: Multi-sector (specific verticals under investigation)

The campaign demonstrates sophisticated operational security, with threat actors investing effort in crafting believable impersonation scenarios rather than relying on crude phishing tactics.


## Attack Methodology: How the Social Engineering Works

The attack chain begins with reconnaissance and identity research. UNC6692 operators conduct preliminary research on target organizations to identify IT department structure, common support workflows, and employee naming conventions.

The typical attack sequence follows this pattern:

1. Reconnaissance — Threat actors gather intelligence on the target organization's IT support structure, employee names, and internal communication practices through open-source intelligence (OSINT)
2. Account Creation — Attackers establish Microsoft Teams or Microsoft 365 accounts designed to closely mimic legitimate IT support personnel, using similar naming conventions or slight variations of actual employee names
3. Initial Contact — Victims receive unsolicited Teams chat invitations appearing to come from internal IT helpdesk staff, with messages referencing legitimate business contexts (system updates, security patches, access issues)
4. Trust Exploitation — The impersonation exploits organizational trust in IT support channels; employees are conditioned to accept and respond to IT helpdesk requests without extensive verification
5. Payload Delivery — Once communication is established, attackers distribute malware through downloadable links, file attachments, or direct execution on victim systems


## Microsoft Teams as an Attack Vector

Microsoft Teams' design—optimized for rapid, frictionless communication within enterprises—inadvertently creates security gaps when adversaries exploit it for social engineering.

Why Teams is particularly effective for this attack:

| Factor | Impact |
|--------|--------|
| Internal Trust | Teams is treated as trusted internal communication; invitation acceptance barriers are low |
| Account Flexibility | External accounts can be created and configured to mimic internal names |
| Notification Fatigue | Employees receive numerous Teams invitations daily, reducing scrutiny |
| Mobile Access | Chat requests may be reviewed on mobile devices with reduced context visibility |
| File Sharing | Native file sharing capabilities lower user suspicion of document downloads |
| Limited Verification | Display names alone don't conclusively prove identity without additional checks |

Organizations have historically invested in email security (spam filters, authentication, sandboxing) but often treat Teams with a lighter security posture, assuming internal communications are inherently trustworthy.
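The "Account Flexibility" and "Limited Verification" rows describe the check a defender can automate: treat the display name as untrusted and compare the sender's tenant and sign-in domain against the organization's own, then test whether the shown name mimics an internal IT persona. The following Python script is an added example, not code from the UNC6692 report or from Microsoft; the tenant ID, home domains, directory entries and sender records in it are all constructed, and it assumes the chat client exposes each sender's UPN, tenant ID and display name. It normalizes names (casefolding, accent stripping, digit and Cyrillic homoglyph mapping, role words such as "IT Support" set aside) so that lookalike spellings still match.

```python
"""Flag external Teams senders whose display name mimics internal IT staff.

Added example, not code from the UNC6692 report: the tenant ID, domains,
directory entries and sender records below are all constructed.
"""
import re
import unicodedata

# Constructed: the organisation's own tenant and verified sign-in domains.
HOME_TENANT_ID = "11111111-2222-3333-4444-555555555555"
HOME_DOMAINS = {"example.com", "corp.example.com"}

# Constructed internal directory (UPN -> display name), limited to the
# helpdesk/IT personas the campaign imitates.
INTERNAL_IT_STAFF = {
    "jane.doe@example.com": "Jane Doe",
    "it.helpdesk@example.com": "IT Helpdesk",
    "sam.lee@corp.example.com": "Sam Lee (IT Support)",
}

# Role words an impersonator adds or drops while keeping the personal name.
ROLE_WORDS = {"it", "support", "helpdesk", "help", "desk", "team", "admin"}

# Digits and Cyrillic homoglyphs commonly substituted for Latin letters.
HOMOGLYPHS = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
})


def normalize_name(name: str) -> str:
    """Casefold, strip accents, map homoglyphs, keep only a-z, 0-9 and spaces."""
    folded = unicodedata.normalize("NFKD", name).casefold()
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))
    folded = folded.translate(HOMOGLYPHS)
    folded = re.sub(r"[^a-z0-9 ]", " ", folded)
    return " ".join(folded.split())


def core_tokens(name: str) -> set:
    """Name tokens without role words; names made only of role words
    (e.g. 'IT Helpdesk') keep all their tokens."""
    tokens = set(normalize_name(name).split())
    return (tokens - ROLE_WORDS) or tokens


def is_external(sender: dict) -> bool:
    """A sender is external unless both its tenant and its UPN domain are ours."""
    domain = sender["upn"].rsplit("@", 1)[-1].lower()
    return sender["tenant_id"] != HOME_TENANT_ID or domain not in HOME_DOMAINS


def impersonation_matches(display_name: str) -> list:
    """Internal UPNs whose core name tokens contain, or are contained in,
    the sender's core name tokens."""
    shown = core_tokens(display_name)
    hits = []
    for upn, staff_name in INTERNAL_IT_STAFF.items():
        real = core_tokens(staff_name)
        if shown <= real or real <= shown:
            hits.append(upn)
    return hits


def triage(sender: dict):
    """Return a finding for an external sender with a lookalike name, else None."""
    if not is_external(sender):
        return None
    matches = impersonation_matches(sender["display_name"])
    if not matches:
        return None
    return {"sender": sender["upn"], "tenant_id": sender["tenant_id"], "mimics": matches}


# Constructed sender records as a chat client would expose them.
SAMPLE_SENDERS = [
    {"upn": "jane.doe@example.com", "tenant_id": HOME_TENANT_ID,
     "display_name": "Jane Doe"},                                  # genuine
    {"upn": "jane.doe@example-helpdesk.net",
     "tenant_id": "aaaaaaaa-0000-0000-0000-000000000001",
     "display_name": "Jane D0e - IT Support"},                     # lookalike
    {"upn": "support.desk@freemail.example.org",
     "tenant_id": "aaaaaaaa-0000-0000-0000-000000000002",
     "display_name": "IT Helpdesk"},                               # role-name clone
    {"upn": "chris@partner.example.org",
     "tenant_id": "aaaaaaaa-0000-0000-0000-000000000003",
     "display_name": "Chris Vendor"},                              # external, no lookalike
]


def run(senders=SAMPLE_SENDERS) -> list:
    """Triage every sender and return the findings worth analyst review."""
    return [finding for finding in map(triage, senders) if finding]


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The two external senders that reuse an internal IT name are returned for review; the genuine internal account and the unrelated partner contact are not. The tenant check matters as much as the domain check: a display name is free to set, but the tenant ID behind an account is not.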


## Technical Details: The SNOW Malware Suite

SNOW represents a custom-developed malware platform, suggesting UNC6692 maintains dedicated development resources. Limited technical details have been publicly disclosed, but available information indicates broad functionality.

Suspected SNOW capabilities include:

- Credential harvesting — Capture local and cached credentials for lateral movement
- Command and control communication — Receive instructions and exfiltrate data via encrypted channels
- Privilege escalation — Exploit local vulnerabilities to gain administrative access
- Lateral movement tools — Spread malware to additional systems on the network
- Data exfiltration — Access and transmit sensitive files and databases
- Persistence mechanisms — Maintain access across reboots and system updates

The malware's custom nature suggests UNC6692 may target specific victim environments with tailored capabilities rather than deploying commodity malware.


## Implications for Organizations

This campaign carries significant implications for enterprise security strategies and assumptions about threat vectors.

Primary concerns:

- Defense Blind Spots — Many organizations invest heavily in perimeter defense and email security while underprotecting internal communication platforms
- Social Engineering Effectiveness — Human trust remains the weakest security link; technical controls alone cannot prevent compromises rooted in social manipulation
- Supply Chain Risk — Compromised systems may serve as staging points for attacks against partner organizations
- Credential Compromise — Successful intrusions provide attackers with legitimate credentials and access tokens for sustained presence
- Detection Evasion — Attacks originating from Teams appear legitimate in email and network logs, complicating incident detection

Organizations should recognize that sophisticated threat actors now view internal communication platforms as high-value attack vectors rather than trusted infrastructure.


## Defensive Recommendations

Organizations can implement layered defenses to mitigate the specific tactics employed by UNC6692:

Technical Controls:

- Enhanced Identity Verification — Implement multi-factor authentication (MFA) for Teams and require additional identity verification for high-risk communications
- Teams Security Policies — Configure policies restricting external account invitations or requiring manager approval for new chat relationships
- Device Monitoring — Deploy endpoint detection and response (EDR) solutions to identify malware execution and suspicious process behavior
- Network Segmentation — Isolate critical systems to limit lateral movement following initial compromise
- Data Exfiltration Prevention — Monitor and restrict large data transfers from endpoints

Operational Procedures:

- IT Support Verification — Establish standardized verification procedures for helpdesk requests (call-back verification, internal ticket systems)
- Employee Training — Conduct security awareness training emphasizing verification of support requests through alternate channels
- Teams Audit Logging — Enable comprehensive logging of Teams activity to detect suspicious conversations and file sharing
- Incident Response Drills — Practice response procedures for potential social engineering incidents

Organizational Measures:

- Communication Policy Updates — Establish clear policies requiring IT support requests to originate from verified internal channels or ticketing systems
- Help Desk Procedures — Train support staff to be suspicious of requests that bypass normal workflows
- Zero Trust Architecture — Assume compromise and implement microsegmentation even for internal communications

## Recommendations for Incident Response

Organizations concerned about potential UNC6692 targeting should:

1. Audit Teams accounts and external access for unauthorized or suspicious accounts
2. Review Teams audit logs for unrecognized invitation activity
3. Hunt for SNOW malware indicators of compromise on endpoints
4. Verify endpoint security tool detections and behavioral analytics
5. Implement additional MFA or conditional access policies around Teams
6. Report suspected intrusions to law enforcement and relevant information sharing communities
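The "Teams Audit Logging" recommendation and step 2 above both come down to the same review: find external accounts that opened a new chat with an employee and, shortly afterwards, pushed a link or a file, which is the shape of the helpdesk lure described in the attack methodology. The Python script below is an added example, not code from the report or a Microsoft tool; the audit records are constructed, their field names only loosely follow the Microsoft 365 unified audit log, and the home domain list and the 30-minute window are assumptions to be tuned to the environment.

```python
"""Review Teams audit records for unrecognised external first contact that is
quickly followed by a link or file, the shape of the UNC6692 helpdesk lure.

Added example, not from the report: the records are constructed and their
field names only loosely follow the Microsoft 365 unified audit log.
"""
import json
from datetime import datetime, timedelta

HOME_DOMAINS = {"example.com"}      # constructed: the organisation's own domains
WINDOW = timedelta(minutes=30)      # assumed: a link/file this soon after first contact is suspicious

# Constructed audit export, one JSON object per line.
AUDIT_LOG = """
{"CreationTime": "2024-03-04T09:00:12", "Operation": "ChatCreated", "Sender": "it-helpdesk@example-support.net", "Recipient": "alice@example.com", "HasLink": false, "Attachments": []}
{"CreationTime": "2024-03-04T09:00:40", "Operation": "MessageSent", "Sender": "it-helpdesk@example-support.net", "Recipient": "alice@example.com", "HasLink": false, "Attachments": []}
{"CreationTime": "2024-03-04T09:07:05", "Operation": "MessageSent", "Sender": "it-helpdesk@example-support.net", "Recipient": "alice@example.com", "HasLink": true, "Attachments": ["PatchInstaller.zip"]}
{"CreationTime": "2024-03-04T10:15:00", "Operation": "MessageSent", "Sender": "bob@example.com", "Recipient": "alice@example.com", "HasLink": true, "Attachments": []}
{"CreationTime": "2024-03-04T11:00:00", "Operation": "ChatCreated", "Sender": "dana@partner.example.org", "Recipient": "carol@example.com", "HasLink": false, "Attachments": []}
{"CreationTime": "2024-03-05T14:30:00", "Operation": "MessageSent", "Sender": "dana@partner.example.org", "Recipient": "carol@example.com", "HasLink": true, "Attachments": []}
"""


def parse_records(text: str) -> list:
    """Parse JSON lines into dicts sorted by time; CreationTime becomes a datetime."""
    records = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["CreationTime"])
        records.append(rec)
    return sorted(records, key=lambda r: r["time"])


def is_external(upn: str) -> bool:
    """External means the sign-in domain is not one the organisation owns."""
    return upn.rsplit("@", 1)[-1].lower() not in HOME_DOMAINS


def review(records: list) -> dict:
    """Return every new external-to-internal contact (for the analyst to
    recognise or not) and the subset that delivered a link or file within
    WINDOW of that first contact."""
    first_contact = {}
    rapid_delivery = []
    for rec in records:
        sender, recipient = rec["Sender"], rec["Recipient"]
        if not is_external(sender) or is_external(recipient):
            continue  # only external-to-internal traffic is in scope here
        key = (sender, recipient)
        first_contact.setdefault(key, rec["time"])
        elapsed = rec["time"] - first_contact[key]
        delivers = rec.get("HasLink") or rec.get("Attachments")
        if delivers and elapsed <= WINDOW:
            rapid_delivery.append({
                "sender": sender,
                "recipient": recipient,
                "minutes_after_first_contact": round(elapsed.total_seconds() / 60, 1),
                "has_link": bool(rec.get("HasLink")),
                "attachments": list(rec.get("Attachments", [])),
            })
    new_contacts = [
        {"sender": s, "recipient": r, "first_seen": t.isoformat()}
        for (s, r), t in first_contact.items()
    ]
    return {"new_external_contacts": new_contacts, "rapid_delivery": rapid_delivery}


def run() -> dict:
    """Review the constructed export above."""
    return review(parse_records(AUDIT_LOG))


if __name__ == "__main__":
    print(json.dumps(run(), indent=2))
```

On the constructed records the partner contact who sends a link the next day is listed as a new external contact but not as a rapid delivery, while the "it-helpdesk" account that attaches an installer seven minutes after opening the chat is surfaced for triage. In a real tenant the same logic runs over an audit export, and the new-contact list is what the helpdesk verification procedure above is compared against.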


## Conclusion

The UNC6692 campaign demonstrates that threat actors continue to evolve beyond technical exploitation toward sophisticated social engineering campaigns targeting trusted internal communication infrastructure. Organizations must expand security investments beyond traditional perimeter defense to include protection for internal collaboration platforms, endpoint security, and employee security awareness.

As Microsoft Teams and similar platforms become integral to business operations, they will inevitably attract adversary attention. Security teams should treat internal communication platforms with the same rigor applied to external-facing systems, implementing verification procedures and monitoring controls that assume sophisticated threat actors will exploit user trust.

Human-centric attacks remain among the highest-confidence compromise vectors available to determined adversaries; organizations that acknowledge this reality and implement compensating controls will be significantly better positioned to resist campaigns like those conducted by UNC6692.