Threat actor UNC6692 is running an active campaign exploiting Microsoft Teams as a vishing channel, impersonating IT help desk personnel to deliver SNOW malware to enterprise targets. The campaign demonstrates that as organisations harden email defences, adversaries adapt to trusted collaboration platforms that security tooling frequently under-monitors.
What Happened
UNC6692 contacts targets via Microsoft Teams using accounts crafted to impersonate internal IT support staff. The attacker initiates a Teams call or chat session, claims there is an urgent security issue with the target's account or device, and guides the victim through steps that result in SNOW malware being installed on the endpoint.
SNOW is a malware family that provides persistent remote access to the compromised host. The social engineering lure exploits the authority and urgency that IT help desk interactions carry, a technique that is effective because recipients are conditioned to follow IT instructions without extensive scrutiny. UNC6692 has been observed using external Teams accounts (sourced from outside the target tenant) that pass visual inspection as internal contacts.
Microsoft Teams external access is enabled by default in most tenants, allowing any Teams user from any organisation to initiate contact with your employees.
Why It Matters
The vast majority of organisations monitor email for social engineering but have minimal controls or detection telemetry on Teams external communications. The attack surface mirrors the 2024 evolution of Scattered Spider and Black Basta campaigns that used Teams and phone vishing interchangeably, but SNOW as the payload indicates a distinct threat actor with different post-compromise objectives.
IT help desk impersonation is particularly effective because the interaction pattern (urgent problem, please follow these steps, click this link) is identical to legitimate support workflows. Victims have no reliable signal that the interaction is malicious until after the payload executes.
Technical Detail
| Field | Value |
|---|---|
| Threat Actor | UNC6692 |
| Channel | Microsoft Teams (external user accounts) |
| Technique | IT help desk vishing / social engineering |
| Payload | SNOW malware (persistent remote access) |
| Initial Access | User-assisted execution via Teams instruction |
| Detection Gap | Teams external comms typically outside SIEM and DLP scope |
Recommended Actions
- Restrict Teams external access: in the Microsoft Teams Admin Centre, configure external access to allow only specific trusted domains rather than all external users; block external users from initiating contact with internal users if the business case does not require it.
- Enable Teams communication compliance policies: log and alert on external users initiating high-frequency contact with multiple internal accounts.
- Brief staff on IT support verification workflows: establish that legitimate IT support will never initiate unsolicited Teams calls requesting remote access or software installation; provide a verified callback number to confirm identity independently.
- Ingest Teams audit logs into your SIEM: alert on external users initiating calls or sharing files with internal accounts, particularly where the external account name resembles internal IT staff.
- Deploy application allow-listing or signed binary enforcement: SNOW malware delivery requires user-executed binaries; signed binary enforcement limits the malware's ability to establish persistence.
- Hunt for SNOW malware indicators: obtain current IOCs from your threat intelligence feed and search endpoint telemetry for SNOW-associated process names, file paths, and network connections.
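The two detection signals recommended above (an external account fanning out to many internal users, and an external display name that resembles internal IT staff) can be scored over Teams audit events. The script below is an added example, not code from the advisory; the record layout, tenant domain, IT staff names and thresholds are constructed assumptions rather than the real Microsoft 365 audit schema.

```python
# Added example (not from the advisory). Record layout, domains, names and
# thresholds are constructed assumptions, not the Microsoft 365 audit schema.
from collections import defaultdict
from difflib import SequenceMatcher

INTERNAL_DOMAINS = {"corp.example"}                        # assumption: tenant domains
IT_NAMES = {"IT Help Desk", "Service Desk", "Sam Rivera"}  # assumption: known IT staff
IT_KEYWORDS = ("help desk", "helpdesk", "it support", "service desk")
FANOUT_THRESHOLD = 3  # distinct internal targets before an external actor is flagged

# Constructed sample events: (actor UPN, actor display name, target UPN, operation).
EVENTS = [
    ("ops@it-hlpdesk.example", "IT Help Desk", "ana@corp.example", "CallStarted"),
    ("ops@it-hlpdesk.example", "IT Help Desk", "bo@corp.example", "ChatCreated"),
    ("ops@it-hlpdesk.example", "IT Help Desk", "cy@corp.example", "FileShared"),
    ("sam.rivera@corp.example", "Sam Rivera", "ana@corp.example", "ChatCreated"),
    ("vendor@partner.example", "Pat Lee", "bo@corp.example", "ChatCreated"),
    ("x@mail.example", "Sam Rivera", "cy@corp.example", "CallStarted"),
]

def is_external(upn):
    # An account is external when its UPN domain is not one of the tenant's own.
    return upn.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def mimics_it_staff(display_name):
    """True if the name carries an IT-support keyword or closely matches a known IT name."""
    lowered = display_name.lower()
    if any(k in lowered for k in IT_KEYWORDS):
        return True
    return any(SequenceMatcher(None, lowered, n.lower()).ratio() >= 0.85 for n in IT_NAMES)

def analyse(events):
    """Return {external actor: [reasons]} for actors that trip either signal."""
    targets, names = defaultdict(set), {}
    for actor, name, target, _op in events:
        if is_external(actor) and not is_external(target):  # external -> internal only
            targets[actor].add(target)
            names[actor] = name
    findings = {}
    for actor, seen in targets.items():
        reasons = []
        if len(seen) >= FANOUT_THRESHOLD:
            reasons.append(f"contacted {len(seen)} internal users")
        if mimics_it_staff(names[actor]):
            reasons.append(f"display name '{names[actor]}' resembles internal IT staff")
        if reasons:
            findings[actor] = reasons
    return findings
```

On the constructed sample, `analyse(EVENTS)` flags the help-desk lookalike on both signals and the external account reusing an IT staff member's display name on the name signal alone; the partner contact with a single chat and an unrelated name is not reported.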
Broader Context
This campaign is part of a broader shift in initial access tradecraft: as email gateways mature, adversaries pivot to collaboration platforms where detection tooling is less mature and user trust is higher. Organisations should treat Microsoft Teams external access policies as an equivalent attack surface to email, with equivalent monitoring, filtering controls, and user awareness training.