UNC6692 Impersonates IT Helpdesk via Microsoft Teams to Deploy SNOW Malware

The Hacker News
Apr 23, 2026

Why It Matters

The operation proves that collaboration platforms like Teams are now prime entry points, forcing enterprises to treat them as critical security perimeters. Failure to secure these vectors can lead to credential theft, network compromise, and costly extortion.

Key Takeaways

  • UNC6692 impersonates IT helpdesk via Microsoft Teams to deliver malware
  • Campaign targets senior executives, with 77% of incidents in March‑April 2026
  • Uses custom SNOW browser extension to install backdoors and exfiltrate data
  • Leverages legitimate RMM tools and cloud services to evade detection
  • Highlights need to secure collaboration platforms as primary attack surface

Pulse Analysis

The rise of UNC6692 underscores a shift from classic email phishing to real‑time collaboration‑tool abuse. By masquerading as internal IT support in Microsoft Teams, the group exploits the trust employees place in help‑desk communications. This tactic, inherited from former Black Basta affiliates, is paired with a flood of spam emails that creates urgency, prompting executives to accept unsolicited chat invitations. The rapid 29‑second turnaround from email bombardment to Teams outreach demonstrates a highly coordinated social‑engineering playbook aimed at senior decision‑makers.

Technically, the attack chain is sophisticated yet leverages familiar tools. Victims are lured to a fake “Mailbox Repair” page that serves an AutoHotkey script from an AWS S3 bucket. The script installs SNOWBELT, a Chromium‑based extension, which then drops SNOWGLAZE—a Python tunneler—and SNOWBASIN, a persistent backdoor capable of command execution, screenshot capture, and self‑termination. By using legitimate remote‑monitoring utilities such as Quick Assist and Supremo, the actors blend malicious activity with normal admin traffic, while cloud‑hosted payloads bypass traditional network reputation filters. Subsequent lateral movement targets ports 135, 445, and 3389, employing PsExec, Pass‑The‑Hash, and tools like FTK Imager to harvest Active Directory data.

For defenders, the lesson is clear: collaboration platforms must be hardened as a first‑line defense. Organizations should enforce multi‑factor verification for external Teams contacts, restrict screen‑sharing and remote‑support sessions, and monitor for anomalous RMM tool installations. Deploying behavioral analytics that flag rapid credential‑harvesting dialogs or unexpected browser extensions can surface the SNOW ecosystem early. As threat actors continue to weaponize trusted SaaS services, a proactive, zero‑trust stance on Teams and other collaboration tools is essential to prevent foothold establishment and downstream ransomware attacks.
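One of the behavioral signals described above, the mail bombardment followed within seconds by an external Teams contact, can be correlated from mailbox and Teams audit telemetry. The script below is an added example written for this summary, not code from the original report; the event schema, thresholds and sample events are constructed assumptions.

```python
"""Correlate an inbound mail burst with a later external-tenant Teams chat request."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Each event is
# (timestamp, mailbox, kind, detail). One mailbox gets 40 inbound mails in
# about two minutes and an external Teams chat request 29 seconds after the
# last one; a second mailbox gets an external request with no preceding burst.
_BASE = datetime(2026, 3, 10, 9, 0, 0)
SAMPLE_EVENTS = [
    (_BASE + timedelta(seconds=3 * i), "cfo@example.com", "mail_inbound", "newsletter confirmation")
    for i in range(40)
]
SAMPLE_EVENTS += [
    (_BASE + timedelta(seconds=3 * 39 + 29), "cfo@example.com", "teams_external_chat",
     "tenant=it-helpdesk-support.example"),
    (_BASE + timedelta(minutes=30), "cto@example.com", "teams_external_chat", "tenant=partner.example"),
]


def detect_mailbomb_then_teams(events, burst_threshold=25,
                               burst_window=timedelta(minutes=10),
                               followup_window=timedelta(minutes=15)):
    """Return one alert per external Teams chat request that follows a mail burst.

    An alert fires when at least `burst_threshold` inbound mails landed in the
    `burst_window` before the Teams request and the last of them arrived no more
    than `followup_window` before it. The thresholds are assumptions; tune them
    to the tenant's normal mail volume.
    """
    by_user = defaultdict(list)
    for ts, user, kind, detail in sorted(events):
        by_user[user].append((ts, kind, detail))
    alerts = []
    for user, rows in by_user.items():
        for ts, kind, detail in rows:
            if kind != "teams_external_chat":
                continue
            burst = [t for t, k, _ in rows if k == "mail_inbound" and ts - burst_window <= t <= ts]
            if len(burst) < burst_threshold:
                continue
            gap = (ts - max(burst)).total_seconds()
            if gap <= followup_window.total_seconds():
                alerts.append({"user": user, "burst_count": len(burst),
                               "seconds_to_teams_contact": gap, "teams_detail": detail})
    return alerts


if __name__ == "__main__":
    for alert in detect_mailbomb_then_teams(SAMPLE_EVENTS):
        print(alert)
```

Only the mailbox with the preceding burst produces an alert; the ordinary external chat request on the other mailbox does not.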
