RC RANDOM CHAOS

UNC6692 Weaponizes Teams Helpdesk Impersonation to Drop SNOW Malware

· via The Hacker News

Original source: UNC6692 Impersonates IT Helpdesk via Microsoft Teams to Deploy SNOW Malware (The Hacker News)

A threat cluster tracked as UNC6692 is abusing Microsoft Teams as its initial access channel, posing as internal IT support staff to coax targets into executing a payload dubbed SNOW. The social-engineering flow leans on Teams' default trust model: with external access left at its defaults, any Microsoft 365 tenant can message internal users directly, and a chat from an account named like a helpdesk carries an institutional credibility that a cold email does not.

Once the target engages, the operators walk them through actions that result in SNOW being planted on the endpoint, giving the attackers a foothold on the host and, through the user's signed-in session, a path into the organisation's identity plane. The technique echoes earlier campaigns by Storm-1811, a Black Basta affiliate, in which Teams impersonation of IT support replaced phishing email as the delivery surface.

The control gap is structural. Teams external access is enabled for all domains by default; Teams does tag messages from other tenants with an "External" label, but that label is easy to overlook and nothing marks an account as the organisation's actual helpdesk. Endpoint telemetry, meanwhile, rarely flags a user running commands their own IT just told them to run. Hardening means moving external federation from open to an explicit allowlist of partner tenants, blocking consumer and unmanaged trial tenants, establishing a verified channel for internal support (so that a helpdesk contact arriving from outside that channel is by definition suspect), and treating any Teams-initiated request to run commands or start a remote-assistance session with the same scrutiny as an unsolicited email attachment. Note that guest (B2B) accounts are governed by a separate setting in Entra ID and are not covered by the federation allowlist.
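The federation hardening described above, as an added example that is not code from The Hacker News article or from the original research. It uses the MicrosoftTeams PowerShell module and assumes Teams Administrator rights; the partner domains are placeholder values, and the check at the end relies on Get-CsTenantFederationConfiguration reporting AllowedDomains as "AllowAllKnownDomains" while the tenant is still open to every domain (an assumption about the cmdlet's output, labelled as such in the comments).

```powershell
# Added example: restrict Microsoft Teams external access to an allowlist of
# partner tenants and close the consumer/trial-tenant side doors.
# Not from the article or the original research. Requires the MicrosoftTeams
# module and Teams Administrator rights. Domains below are placeholders.
$AllowedPartners = @('partner-a.example', 'partner-b.example')   # assumed values

Connect-MicrosoftTeams

# 1. Record the current posture before changing it. The Microsoft default is
#    AllowFederatedUsers = $true with no domain allowlist, meaning any
#    Microsoft 365 tenant can message your users.
$before = Get-CsTenantFederationConfiguration
$before | Select-Object AllowFederatedUsers, AllowPublicUsers, AllowTeamsConsumer,
    AllowTeamsConsumerInbound, ExternalAccessWithTrialTenants,
    AllowedDomains, BlockedDomains | Format-List

# 2. Move from open federation to an explicit allowlist. Only the named
#    domains can now initiate or receive chats; everything else is rejected
#    at the tenant boundary, which removes the "helpdesk from a random
#    tenant" path the campaign depends on.
Set-CsTenantFederationConfiguration `
    -AllowFederatedUsers $true `
    -AllowedDomainsAsAList $AllowedPartners

# 3. Block the alternatives an impersonator could fall back to: personal
#    (consumer) Teams accounts, Skype consumer accounts, and unmanaged or
#    trial tenants created just for the campaign.
Set-CsTenantFederationConfiguration `
    -AllowTeamsConsumer $false `
    -AllowTeamsConsumerInbound $false `
    -AllowPublicUsers $false `
    -ExternalAccessWithTrialTenants Blocked

# 4. Verify. Assumption: while federation is open to all domains, the
#    AllowedDomains property renders as the string "AllowAllKnownDomains";
#    once an allowlist is set it renders as the list object instead.
$after = Get-CsTenantFederationConfiguration
$stillOpen = $after.AllowFederatedUsers -and
             ("$($after.AllowedDomains)" -eq 'AllowAllKnownDomains')
if ($stillOpen) {
    Write-Error 'Teams federation is still open to every external domain.'
} else {
    Write-Host 'Teams external access is restricted to:' ($AllowedPartners -join ', ')
}
```

Two caveats a practitioner should keep in mind. First, the allowlist only filters by tenant domain; a compromised account inside an allowed partner tenant still gets through, so the verified-support-channel control above remains necessary. Second, guest users invited through Entra ID B2B are governed by the separate guest access settings and are unaffected by this configuration.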


This is an AI-generated summary. Read the original for the full story.