Why Your Teams Chat Isn't as Safe as You Think
Imagine an invitation from "IT Help Desk" pops up in your Microsoft Teams chat. For many, this carries an implicit trust. That trust is precisely what threat actor UNC6692 is exploiting, and it has proven highly effective for malware delivery. This represents a social engineering technique (MITRE ATT&CK T1566 - Phishing) adapted to leverage the perceived security of internal communication platforms.
For security teams already operating under strain, this attack adds another layer of operational complexity by bypassing traditional email filters and targeting internal communication channels. This campaign succeeds not by exploiting a Teams zero-day, but by calculatingly abusing the trust users place in collaboration tools.
The Incident: UNC6692's Teams Takeover
In recent months, a previously undocumented threat group (UNC6692) has executed a campaign beginning with email bombing (MITRE ATT&CK T1566 - Phishing). The objective is not necessarily to elicit a click, but to overwhelm inboxes and induce frustration. During this period of heightened annoyance, an external account, impersonating an internal IT help desk, sends a Microsoft Teams chat invitation (MITRE ATT&CK T1566 - Phishing).
Observations indicate that these incidents disproportionately targeted executives and senior-level employees, accounting for 77% of observed incidents from March 1 to April 1, 2026, up from 59% in the first two months of 2026, according to ReliaQuest. Upon acceptance of the chat, the actor offers "IT support" to resolve the perceived spam issue.
Once the chat is accepted, UNC6692 typically proceeds in one of two ways. In some cases, victims are persuaded to install legitimate Remote Monitoring and Management (RMM) tools such as Quick Assist or Supremo Remote Desktop, granting direct access (MITRE ATT&CK T1219 - Remote Access Software). The more sophisticated vector, responsible for deploying the new "SNOW" malware, involves a phishing link.
How a "Mailbox Repair" Link Drops SNOW
Technically, the attack escalates when the threat actor sends a phishing link via Teams chat, presenting it as a "local patch" for the spam problem (MITRE ATT&CK T1566.002 - Phishing: Spearphishing Link). The landing page, titled "Mailbox Repair and Sync Utility v2.1.5," is designed to appear official.
Clicking this link downloads an AutoHotkey script (MITRE ATT&CK T1059 - Command and Scripting Interpreter), often hosted on a cloud storage service such as Amazon S3 (MITRE ATT&CK T1105 - Ingress Tool Transfer). This script performs initial reconnaissance (MITRE ATT&CK T1082 - System Information Discovery) and incorporates a gatekeeper function to ensure payload delivery only to intended targets, thereby evading sandboxes (MITRE ATT&CK T1497 - Virtualization/Sandbox Evasion) and establishing a targeted, rather than indiscriminate, delivery mechanism.
The phishing page may also feature elements designed to harvest mailbox credentials (MITRE ATT&CK T1552 - Unsecured Credentials), transmitting them to attacker-controlled infrastructure, potentially another cloud storage instance. This dual approach, combining malware deployment with credential theft, indicates a clear intent for deep system compromise.
The SNOW malware itself is a modular toolkit, comprising several components. One key element is SNOWBELT, a malicious Chromium-based browser extension, functioning as a JavaScript backdoor (MITRE ATT&CK T1176 - Browser Extensions). It achieves persistence by launching Microsoft Edge in headless mode with the --load-extension command-line flag, verifying Edge usage before proceeding. SNOWBELT then downloads additional components (MITRE ATT&CK T1105 - Ingress Tool Transfer), including SNOWGLAZE (a Python-based tunneler), SNOWBASIN (a persistent backdoor), other AutoHotkey scripts, and a ZIP archive with a portable Python executable and libraries. Its primary role is to receive commands and relay them to SNOWBASIN for execution (MITRE ATT&CK T1071.001 - Application Layer Protocol: Web Protocols). Using a headless browser extension for persistence is a subtle tactic, blending with legitimate browser activity.
The Python-based tunneler, SNOWGLAZE, establishes a secure, authenticated WebSocket tunnel between the victim's internal network and the attacker's Command-and-Control (C2) server (MITRE ATT&CK T1572 - Protocol Tunneling, T1071.001 - Application Layer Protocol: Web Protocols). This component is critical: it gives the attacker an obfuscated channel into the victim network that carries the later lateral-movement traffic. The strategy leverages legitimate cloud infrastructure, allowing malicious activity to blend with high volumes of legitimate cloud traffic and bypassing many traditional network reputation filters.
Finally, SNOWBASIN, the persistent backdoor, operates as a local HTTP server on ports 8000, 8001, or 8002 (MITRE ATT&CK T1071.001 - Application Layer Protocol: Web Protocols). Its capabilities are consistent with a full-featured backdoor: remote command execution (via cmd.exe or powershell.exe) (MITRE ATT&CK T1059 - Command and Scripting Interpreter), screenshot capture (MITRE ATT&CK T1113 - Screen Capture), file upload/download (MITRE ATT&CK T1105 - Ingress Tool Transfer, T1041 - Exfiltration Over C2 Channel), and self-termination.
With initial access secured, UNC6692 quickly moves to scan the local network with scripts for common ports (135, 445, 3389) (MITRE ATT&CK T1046 - Network Service Discovery), establish PsExec sessions via SNOWGLAZE (MITRE ATT&CK T1021.002 - Remote Services: SMB/Windows Admin Shares), and initiate RDP sessions via the SNOWGLAZE tunnel (MITRE ATT&CK T1021.001 - Remote Services: RDP). Privilege escalation often involves extracting LSASS process memory with Windows Task Manager using a local administrator account (MITRE ATT&CK T1003.001 - OS Credential Dumping: LSASS Memory). This can lead to Pass-the-Hash attacks against domain controllers using elevated user password hashes (MITRE ATT&CK T1550.002 - Use Alternate Authentication Material: Pass the Hash). Threat actors have been observed acquiring sensitive data, such as Active Directory database files (MITRE ATT&CK T1005 - Data from Local System), and exfiltrating it using tools like LimeWire or via legitimate cloud services like AWS S3 (MITRE ATT&CK T1041 - Exfiltration Over C2 Channel, T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage).
The Impact: Weaponized Trust and Blended Threats
This campaign's practical impact stems not from a flaw in Microsoft Teams itself, but from a sophisticated manipulation of the trust users place in the platform. Teams is often perceived as an implicitly trusted internal communication channel, unlike email, which typically benefits from robust URL filtering. This makes Teams a challenging attack vector to defend.
UNC6692 bypasses traditional email security by initiating direct contact (MITRE ATT&CK T1566 - Phishing). Rather than relying on a zero-day, they exploit human psychology and the perceived safety of a platform designed for collaboration. This strategy, using legitimate services like AWS S3 for payload delivery and C2, complicates detection. Malicious traffic merges with the noise of everyday cloud operations.
This campaign demonstrates a clear investment in custom tooling. It represents a refinement of older email bombing and help desk impersonation tactics, but the shift to Teams as the delivery mechanism makes it particularly effective against contemporary defenses.
The Response: Empowering Users as a Defense Layer
Addressing this threat requires both technical controls and a focus on the human element. A foundational step involves tightening Microsoft Teams external access policies. Organizations should limit external messages and consider conditional access policies for Teams, configuring who can invite external users, who external users can chat with, and even blocking external domains entirely if cross-tenant collaboration is not a business requirement. Such measures directly mitigate the initial contact method (MITRE ATT&CK T1566 - Phishing) by disrupting the threat actor's ability to initiate the conversation.
Beyond technical controls, educating users, particularly executives and senior staff, on this specific threat model is paramount. They must understand that an "IT Help Desk" chat from an external account is a critical red flag, regardless of message urgency. Emphasize that IT will rarely, if ever, request a "patch" installation via a direct chat link, especially following an email bombing campaign. It's crucial to ensure users understand this distinction to counter the social engineering tactics (MITRE ATT&CK T1566).
Effective endpoint detection and response (EDR) solutions are also essential. The SNOW malware components generate detectable artifacts. EDR can identify AutoHotkey script execution (MITRE ATT&CK T1059), headless browser launches with --load-extension (MITRE ATT&CK T1176), Python-based tunneler activity (MITRE ATT&CK T1572), and local HTTP server operations (MITRE ATT&CK T1071.001). The focus should be on anomalous process behavior, not solely on known malware signatures, to detect these specific techniques.
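As an added example (not code from the original report or from ReliaQuest's tooling), the following Python checks constructed process-creation and socket-listen events against the three host artefacts named above: AutoHotkey interpreter execution, headless Edge launched with --load-extension, and a Python process listening on 8000-8002. The file paths, user name and event schema are assumptions.

```python
# Constructed Sysmon-style telemetry (not data from the original report).
# "process" = process creation; "listen" = a process bound a listening port.
EVENTS = [
    {"type": "process", "image": r"C:\Users\cfo\AppData\Local\Temp\AutoHotkey64.exe",
     "cmdline": r"AutoHotkey64.exe mailbox_repair.ahk"},
    {"type": "process", "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r"msedge.exe --headless --load-extension=C:\Users\cfo\AppData\Local\ext"},
    {"type": "process", "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe",
     "cmdline": r"msedge.exe --profile-directory=Default https://teams.microsoft.com"},
    {"type": "listen", "image": r"C:\Users\cfo\AppData\Local\pyportable\python.exe", "port": 8001},
    {"type": "listen", "image": r"C:\Windows\System32\svchost.exe", "port": 135},
]

SNOWBASIN_PORTS = (8000, 8001, 8002)


def evaluate(event):
    """Return (ATT&CK technique, reason) when the event matches a SNOW artefact, else None."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if event["type"] == "process":
        cmd = event["cmdline"].lower()
        # Matching on the interpreter name only; a renamed AutoHotkey binary would
        # need a hash- or signature-based rule in addition to this one.
        if image.startswith("autohotkey"):
            return ("T1059", "AutoHotkey interpreter execution")
        # Ordinary Edge launches carry neither flag; both together is the SNOWBELT pattern.
        if image == "msedge.exe" and "--headless" in cmd and "--load-extension" in cmd:
            return ("T1176", "headless Edge loading an unpacked extension")
    elif event["type"] == "listen":
        if image == "python.exe" and event["port"] in SNOWBASIN_PORTS:
            return ("T1071.001", f"python.exe listening on local port {event['port']}")
    return None


def scan(events):
    """Return a list of (image path, technique, reason) for every matching event."""
    return [(e["image"], *hit) for e in events if (hit := evaluate(e))]


if __name__ == "__main__":
    for image, technique, reason in scan(EVENTS):
        print(f"{technique}: {reason} ({image})")
```

The benign Edge launch and the svchost.exe RPC listener on 135 produce no alert, which is the behavioural discrimination the paragraph above calls for.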
Furthermore, monitoring cloud service logs is critical. Organizations should scrutinize AWS S3 access logs for unusual downloads or uploads, particularly from user endpoints. The threat actor's reliance on legitimate cloud infrastructure for payload delivery (MITRE ATT&CK T1105) and exfiltration (MITRE ATT&CK T1567.002) means that cloud security posture is as critical as network perimeter defenses.
Finally, incident response playbooks for collaboration platform compromise require re-evaluation. A Teams-initiated breach leading to lateral movement and data exfiltration differs significantly from a traditional email phishing incident. Response protocols must account for the unique aspects of Teams-based initial access and the subsequent post-exploitation activities (e.g., MITRE ATT&CK T1021, T1003, T1550).
This campaign underscores that sophisticated attacks often do not rely on exotic zero-days. They exploit user trust and leverage legitimate tools in unexpected ways. Protecting against such threats requires integrated security measures, combining robust technical controls with a well-informed, skeptical workforce.