UNC6692 Impersonates IT Helpdesk via Microsoft Teams with SNOW Malware

SCW notes that a new threat cluster, UNC6692, is actively deploying custom malware named SNOW. The Hacker News reports that UNC6692 employs social engineering via Microsoft Teams, impersonating IT helpdesk personnel. This tactic convinces victims to accept chat invitations and subsequently deploy the malware.

The attack vector is straightforward: an attacker, posing as internal IT, initiates a Teams chat. Once the victim accepts, the social engineering begins, leading to the deployment of the SNOW malware. This highlights a persistent vulnerability in enterprise communication platforms where trust in internal identities is often exploited.

For defenders, this underscores the critical need for enhanced scrutiny of internal communications, even from seemingly legitimate sources. The attacker’s calculus is clear: leverage inherent trust in IT to bypass technical controls. This isn’t a complex zero-day; it’s a social attack that exploits human factors, making it highly effective.

What This Means For You

  • If your organization uses Microsoft Teams, immediately reinforce user training on social engineering tactics, especially those impersonating IT helpdesk. Implement strict policies for verifying identity before accepting any unsolicited requests or downloads, even from internal accounts. Audit your Teams environment for suspicious chat invitations and unexpected file transfers.
πŸ›‘οΈ Am I exposed to this? Check if Microsoft impacts your environment β€” get SIEM detection rules instantly β†’

Indicators of Compromise

ID | Type | Indicator
UNC6692-SNOW-Malware | | Impersonation of IT helpdesk employees via Microsoft Teams
UNC6692-SNOW-Malware | Malware Deployment | Custom malware suite named 'SNOW'
UNC6692-SNOW-Malware | Initial Access | Microsoft Teams chat invitation from a malicious account