UNC6692 Uses Microsoft Teams to Deploy SNOW Malware

A newly identified threat group is targeting organizations by impersonating IT helpdesk staff through Microsoft Teams to deliver custom malware. The activity cluster, tracked as UNC6692, has been observed using social engineering tactics to compromise corporate networks.

According to cybersecurity researchers, the attackers initiate contact by sending a Microsoft Teams chat invitation from an account designed to look like a legitimate IT support employee. Once the victim accepts the invitation, the conversation is used to trick the user into downloading malware.

Social Engineering via Collaboration Platforms

The UNC6692 group relies on a technique that exploits trust in internal communication tools. A chat from an account that looks like a colleague in the helpdesk carries the implicit trust of the platform, so the warning signs users have been trained to notice in unsolicited email (an unfamiliar sender, an external-sender banner, a suspicious link) are absent or easier to overlook.

This method is not entirely new but highlights an evolving threat landscape where collaboration platforms such as Microsoft Teams become vectors for initial access. The group has been linked to the deployment of a previously undocumented custom malware suite, which researchers have named SNOW.

The SNOW Malware Suite

SNOW appears to be a modular malware framework designed to provide persistent access and data exfiltration capabilities. Once installed on a compromised host, the malware can perform various functions such as keylogging, credential theft, and lateral movement within the network.

Security analysts have noted that SNOW is specifically configured to evade detection by common endpoint protection tools. Its modular design allows operators to adjust its payloads based on the target environment, increasing the difficulty of remediation.

Implications for Enterprise Security

The emergence of UNC6692 underscores the growing sophistication of threat actors who abuse legitimate business tools. Microsoft Teams, widely adopted for remote and hybrid work, presents a new attack surface that organizations are only beginning to secure.

Enterprises are advised to enforce strict verification procedures for IT support contacts, for example requiring users to confirm any unexpected support request by calling back on a known helpdesk number rather than continuing in the chat, and to educate employees about the risks of accepting unsolicited chat invitations. Security teams should also monitor for unusual Microsoft Teams login activity and for unexpected chat requests, whether they arrive from external tenants or from internal accounts that do not normally contact the user.
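The monitoring advice above can be turned into a simple triage routine. The following PowerShell is an added example, not code from the article or from the researchers who reported UNC6692: it scans Teams chat-creation audit records for one-on-one chats initiated from outside the tenant, flags any participating domain that is not on an allowlist, and flags initiators whose display name poses as IT support. The records embedded in the script are constructed for the example; in production they would come from `Search-UnifiedAuditLog -RecordType MicrosoftTeams -Operations ChatCreated`, whose `AuditData` JSON carries the same field names used here (`Operation`, `UserId`, `CommunicationType`, `ParticipantInfo`, `Members`). The home domain `contoso.example` and the allowlisted partner `partner.example` are placeholders.

```powershell
# Added example: triage Teams ChatCreated audit records for unsolicited external
# chats whose sender poses as IT support. Records below are constructed, not real logs.

$AllowedExternalDomains = @('partner.example')      # assumed allowlist; adjust per tenant
$ImpersonationPattern   = '(?i)\b(it|help ?desk|service ?desk|support)\b'

$records = @'
[
  {"Operation":"ChatCreated","UserId":"alice@contoso.example","CommunicationType":"OneOnOne",
   "ParticipantInfo":{"HasForeignTenantUsers":true,"ParticipatingDomains":["contoso.example","partner.example"]},
   "Members":[{"UPN":"alice@contoso.example","DisplayName":"Alice Lee"},
              {"UPN":"bob@partner.example","DisplayName":"Bob Ng"}]},
  {"Operation":"ChatCreated","UserId":"helpdesk-it@outlook-support.example","CommunicationType":"OneOnOne",
   "ParticipantInfo":{"HasForeignTenantUsers":true,"ParticipatingDomains":["contoso.example","outlook-support.example"]},
   "Members":[{"UPN":"helpdesk-it@outlook-support.example","DisplayName":"IT Helpdesk"},
              {"UPN":"carol@contoso.example","DisplayName":"Carol Diaz"}]},
  {"Operation":"ChatCreated","UserId":"dave@contoso.example","CommunicationType":"GroupChat",
   "ParticipantInfo":{"HasForeignTenantUsers":false,"ParticipatingDomains":["contoso.example"]},
   "Members":[{"UPN":"dave@contoso.example","DisplayName":"Dave Kim"},
              {"UPN":"erin@contoso.example","DisplayName":"Erin Park"}]}
]
'@ | ConvertFrom-Json

function Find-SuspiciousTeamsChats {
    param(
        [Parameter(Mandatory)] $Records,
        [string[]] $AllowedDomains = @(),
        [string]   $TenantDomain = 'contoso.example'   # assumed home tenant domain
    )
    foreach ($r in $Records) {
        if ($r.Operation -ne 'ChatCreated') { continue }
        if (-not $r.ParticipantInfo.HasForeignTenantUsers) { continue }

        # UserId is the chat creator; an external creator means an inbound chat request.
        $initiatorDomain = ($r.UserId -split '@')[-1]
        if ($initiatorDomain -eq $TenantDomain) { continue }

        # Any external domain that is not explicitly allowed is reported.
        $unapproved = @($r.ParticipantInfo.ParticipatingDomains |
            Where-Object { $_ -ne $TenantDomain -and $_ -notin $AllowedDomains })

        # Display names are attacker-controlled; "IT Helpdesk" from a foreign tenant is the
        # lure described in this campaign.
        $initiator = $r.Members | Where-Object { $_.UPN -eq $r.UserId } | Select-Object -First 1
        $spoofsIT  = [bool]($initiator -and ($initiator.DisplayName -match $ImpersonationPattern))

        if ($unapproved.Count -gt 0 -or $spoofsIT) {
            [pscustomobject]@{
                Initiator         = $r.UserId
                DisplayName       = $initiator.DisplayName
                CommunicationType = $r.CommunicationType
                UnapprovedDomains = ($unapproved -join ',')
                ImpersonatesIT    = $spoofsIT
                Targets           = (@($r.Members | Where-Object { $_.UPN -ne $r.UserId }).UPN -join ',')
            }
        }
    }
}

# Only the second record is reported: created by an external account, from a domain that is
# not allowlisted, with a display name matching the IT-support pattern.
Find-SuspiciousTeamsChats -Records $records -AllowedDomains $AllowedExternalDomains |
    Format-Table -AutoSize
```

The allowlisted partner chat (first record) and the purely internal group chat (third record) pass; the external "IT Helpdesk" account is reported with both the unapproved domain and the impersonation flag. The display-name check is a heuristic and will produce false positives for legitimate partner helpdesks, so it is a triage signal to route to an analyst rather than an automatic block.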

The use of platforms like Teams for impersonation is a shift from traditional phishing campaigns that relied on email. Attackers are increasingly turning to real-time communication channels where social cues are harder to verify quickly.

Response and Mitigation

Researchers have not yet attributed UNC6692 to a specific nation-state or criminal group. The campaign appears to be targeting multiple sectors, though full details of victims remain undisclosed.

Microsoft has not publicly commented on the specific technical vectors exploited by this group. However, the company frequently updates its security guidance for Teams administrators, including recommendations to limit external chat requests and enforce multi-factor authentication.

Organizations should also review their conditional access policies and restrict Teams external access so that only explicitly approved external domains can message their users. Disabling inbound Teams chat from external tenants and from unmanaged (consumer) Teams accounts unless a domain is explicitly allowlisted is one practical step to reduce exposure to this type of attack. It does not, however, stop an attacker who is operating from an already compromised account inside the tenant, which is why out-of-band identity verification of support contacts is still required.
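The tenant-level restriction described above is set through the MicrosoftTeams PowerShell module. The script below is an added example, not Microsoft's own guidance text or code from the article: it records the current federation settings, replaces open federation with an explicit allowlist, turns off chat with consumer Teams and Skype accounts, and then verifies the result before the change is considered done. `partner.example` is a placeholder for a genuinely approved partner domain; the cmdlets and property names (`Get-/Set-CsTenantFederationConfiguration`, `New-CsEdgeAllowList`, `New-CsEdgeDomainPattern`, `AllowedDomains.AllowedDomain.Domain`) are those of the MicrosoftTeams module.

```powershell
# Added example: restrict Teams external access to an explicit domain allowlist.
# Requires the MicrosoftTeams module and a Teams administrator account.
# 'partner.example' is a placeholder, not a real partner domain.

Connect-MicrosoftTeams

# Before: keep a copy of the current settings for the change record / rollback.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowTeamsConsumer, AllowTeamsConsumerInbound,
                        AllowPublicUsers, AllowedDomains, BlockedDomains | Format-List

# Build the allowlist. Once an allowlist is set, every external tenant not on it is blocked,
# which is the inverse of the default (allow all, block a list).
$approvedDomains = @('partner.example')
$allowList = New-CsEdgeAllowList -AllowedDomain @(
    $approvedDomains | ForEach-Object { New-CsEdgeDomainPattern -Domain $_ }
)

$params = @{
    AllowFederatedUsers       = $true      # keep federation, but only to the allowlist
    AllowedDomains            = $allowList
    AllowTeamsConsumer        = $false     # no chat with personal (consumer) Teams accounts
    AllowTeamsConsumerInbound = $false     # and no inbound invitations from them
    AllowPublicUsers          = $false     # no Skype consumer users
}
Set-CsTenantFederationConfiguration @params

# After: verify rather than assume. Any unexpected domain or re-enabled consumer path fails loudly.
$after   = Get-CsTenantFederationConfiguration
$allowed = @($after.AllowedDomains.AllowedDomain.Domain)
$unexpected = @($allowed | Where-Object { $_ -notin $approvedDomains })

if ($after.AllowTeamsConsumerInbound -or $after.AllowPublicUsers -or $unexpected.Count -gt 0 -or $allowed.Count -eq 0) {
    throw "Federation configuration does not match the intended allowlist. Allowed now: $($allowed -join ', ')"
}
"External Teams access limited to: $($allowed -join ', ')"
```

Run the "before" section on its own first: tenants that already use a block list (`BlockedDomains`) lose that list when `AllowedDomains` is set, so the approved set must be complete before the change is applied. Pair the allowlist with a conditional access policy that requires MFA and a compliant device for Teams, since the restriction above only governs which tenants can reach your users, not who is holding the account on the other end.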

Further analysis of the SNOW malware is ongoing, with researchers expecting to release more detailed indicators of compromise in the coming weeks. Security vendors are updating detection signatures to identify the malware and its associated infrastructure.

In the current threat environment, any unsolicited communication, even from a seeming internal source, should be treated with caution. The UNC6692 campaign serves as a reminder that trust must be verified, not assumed, in digital workplace interactions.

Source: Delimiter
