Urgent Alert: UNC6692 Uses Microsoft Teams to Deploy SNOW Malware
Security researchers say a newly identified threat cluster, tracked as UNC6692, has been using Microsoft Teams to impersonate IT or help‑desk staff and trick employees into installing a modular malware toolkit known as SNOW. The campaign begins with mass “email bombing” to create urgency; an attacker then initiates a cross‑tenant Teams chat posing as support and guides the victim to run a purported fix, allowing the attackers to install browser extensions and remote‑access components that give persistent access to enterprise networks. (thehackernews.com)
According to published technical analysis, the playbook typically delivers a phishing page inside a Teams chat that serves an AutoHotkey script and a fake “Mailbox Repair” utility. That script installs a malicious Edge/Chromium extension (SNOWBELT) which in turn fetches additional payloads such as SNOWGLAZE and SNOWBASIN. These components create a tunneled channel into the victim environment, execute commands, and run a local backdoor while appearing as normal browser or administrative activity. (thehackernews.com)
Once inside, UNC6692 uses legitimate tools and workflows to stay hidden and move laterally. Observers report the group uses tunneling to reach backup servers, dumps LSASS memory to extract credentials, and employs techniques such as Pass‑the‑Hash, FTK Imager to capture Active Directory data, and file‑sync tools like Rclone to exfiltrate data to cloud storage. By abusing trusted cloud services for delivery and command‑and‑control, the campaign blends into regular enterprise traffic and evades simple reputation‑based detection. (thehackernews.com)
Researchers also note a deliberate focus on high‑value targets: defenders have seen many incidents aimed at senior executives and other privileged users, where a successful social‑engineering interaction yields the quickest path to domain‑level access. Rapid, multi‑vector sequencing (email flood, Teams contact, guided remote session) compresses the attacker’s window and raises the stakes for incident response. (thehackernews.com)
Microsoft has published analysis and mitigation guidance on cross‑tenant help‑desk impersonation, warning that attackers rely on user‑approved remote access (Quick Assist and commercial RMM tools) and recommending layered controls such as conditional access, MFA, limiting remote‑support workflows, and endpoint mitigations. Separately, Microsoft is rolling out new Teams anti‑phishing features, such as in‑app reporting and admin detection dashboards, intended to improve visibility and speed incident response. Organizations should expect phased rollouts and tune those controls when available. (microsoft.com)
Security teams and individual users should treat unsolicited external support requests as suspicious: verify help‑desk identities through known internal channels, restrict external cross‑tenant communication where business needs allow, disable or tightly control remote‑assistance tools, and reinforce phishing and collaboration‑platform training for executives. Industry coverage and vendor guidance stress that preventing these attacks requires treating collaboration apps as part of the enterprise attack surface, not just productivity tools. (microsoft.com)
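The multi‑stage sequence described above (mail flood, then an external Teams chat, then a user‑approved remote‑support launch) is what a detection rule should correlate per user rather than alerting on any single stage. The following is an added example, not code from the cited reports or from Microsoft; the event schema, the sample events and the remote‑support process names are constructed assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed process names for user-approved remote-support tooling (illustrative, not from the page).
REMOTE_SUPPORT = {"quickassist.exe", "autohotkey.exe"}

def build_sample_events():
    """Constructed events as (user, datetime, kind, detail); not real tenant telemetry."""
    base = datetime(2026, 4, 20, 9, 0)
    ev = [("ceo@corp.example", base + timedelta(seconds=6 * i), "inbound_email", f"sub{i}")
          for i in range(80)]                       # 80 mails in 8 minutes: the email bomb
    ev += [("ceo@corp.example", base + timedelta(minutes=14), "teams_chat", "external:support-desk.example"),
           ("ceo@corp.example", base + timedelta(minutes=20), "process_start", "QuickAssist.exe"),
           ("analyst@corp.example", base + timedelta(minutes=30), "teams_chat", "external:partner.example"),
           ("analyst@corp.example", base + timedelta(minutes=35), "process_start", "QuickAssist.exe"),
           ("dev@corp.example", base + timedelta(minutes=40), "inbound_email", "ticket")]
    return ev

def email_burst_end(times, threshold, window):
    """Sliding window over sorted mail timestamps; return when the burst was first detected, else None."""
    start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return t
    return None

def detect_helpdesk_impersonation(events, burst_threshold=50,
                                  burst_window=timedelta(minutes=10),
                                  chain_window=timedelta(hours=1)):
    """Flag users matching mail flood -> external Teams chat -> remote-support launch.
    Chat plus tool launch without a preceding flood still alerts, at 'medium' severity."""
    per_user = defaultdict(list)
    for user, ts, kind, detail in events:
        per_user[user].append((ts, kind, detail))
    alerts = {}
    for user, evs in per_user.items():
        evs.sort()
        mails = [ts for ts, kind, _ in evs if kind == "inbound_email"]
        burst = email_burst_end(mails, burst_threshold, burst_window)
        anchor = burst or evs[0][0]                 # chain must start after the flood, if there was one
        chat = next((ts for ts, k, d in evs if k == "teams_chat" and d.startswith("external:")
                     and anchor <= ts <= anchor + chain_window), None)
        tool = None
        if chat:
            tool = next((ts for ts, k, d in evs if k == "process_start"
                         and d.lower() in REMOTE_SUPPORT and chat <= ts <= chat + chain_window), None)
        stages = [s for s, hit in (("email_bomb", burst), ("external_teams_chat", chat),
                                   ("remote_support_launch", tool)) if hit]
        if chat and tool:
            alerts[user] = {"stages": stages, "severity": "high" if burst else "medium"}
    return alerts
```

Tune the burst threshold and windows to the tenant's normal mail volume, and feed the real message‑trace, Teams audit and endpoint process events into the same four‑field shape.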
Original Source: https://www.scworld.com/news/unc6692-impersonates-help-desk-employees-to-drop-snow-malware-via-teams
Publish Date: 2026-04-25 00:53:00