Snow Malware Turns Microsoft Teams Into An Intrusion Platform

Cybercriminals keep showing that the easiest way into an enterprise is often through trust, not software vulnerabilities. Google's Mandiant Team discovered a new threat actor, UNC6692, that proves this point. This group weaponizes Microsoft Teams, abuses helpdesk impersonation, and deploys a custom malware ecosystem known as 'Snow.' The group does not rely on exploits.

Instead, they use human manipulation, cross-tenant trust abuse, and carefully staged persistence mechanisms to compromise networks and steal data. Researchers from Google Threat Intelligence Group and Microsoft both highlight this shift. Collaboration platforms are now primary attack surfaces, not just secondary communication channels.

The Snow malware campaign starts with pressure, not malware. UNC6692 opens with what researchers call 'email bombing.' They flood targets with many unwanted messages, creating confusion and urgency. When the victim becomes overwhelmed, the attackers contact them via Microsoft Teams, pretending to be internal IT helpdesk staff. Teams often allows external communication, and users are accustomed to receiving support interactions on the platform.

As a result, the message seems legitimate and reduces suspicion. This social engineering layer is key to the operation. It is more effective than traditional phishing because it feels like a trusted internal interaction rather than an obvious external attack. Microsoft defines this attack as "cross-tenant help-desk impersonation."

The attackers then offer what appears to be a solution for the spam problem: a "patch" or "Mailbox Repair Utility" designed to fix the user's mailbox issues. Victims are directed to a spoofed landing page featuring a "Health Check" button. Clicking it prompts the user to authenticate with their email address and password. The site uses a deliberate double-entry trick by rejecting the first and second password attempts as incorrect.

This tactic serves two purposes. First, it increases the victim's trust by making the process feel legitimate. Second, it ensures attackers capture the password twice, reducing the chance of mistyped credentials. By the time the victim sees a fake "Configuration completed successfully" message, the attacker has already harvested credentials and staged the next phase of compromise.

The next phase brings in the Snow malware suite. It is a modular framework built for persistence, covert communications, and complete endpoint control. The framework has three main components: SnowBelt, SnowGlaze, and SnowBasin. Each has a distinct purpose. Together, they create an effective intrusion chain that moves from initial compromise to deep enterprise access.

Snow Malware Components

SnowBelt is the first foothold. It is a malicious Chromium browser extension, delivered via AutoHotkey scripts after the fake patch is installed. Unlike conventional malware, SnowBelt hides in the browser ecosystem and often poses as 'MS Heartbeat' or 'System Heartbeat.' It is not available in the Chrome Web Store, so victims can only get it through social engineering.

Its persistence comes from browser extension registration, making removal harder. This helps attackers survive reboots and normal endpoint hygiene checks. SnowBelt also acts as the command relay between the attacker and the victim's machine.
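Because SnowBelt is never published to the Chrome Web Store and registers itself as a browser extension, the defender-side check is an inventory of sideloaded extensions. The script below is an added example (not Mandiant's, Google's or Microsoft's tooling): it walks the `extensions.settings` map that Chromium keeps in a profile's `Preferences` / `Secure Preferences` JSON and flags entries that are not from the Web Store, are loaded unpacked, carry a 'Heartbeat'-style name, or request relay-grade permissions. The field names `from_webstore`, `location` and `manifest`, and the numeric location codes, match current Chromium builds to the best of my knowledge but are assumptions for this example; the sample preferences dict is constructed.

```python
"""Hunt for sideloaded Chromium extensions (added example, not page code).

Chromium stores per-extension metadata under the JSON key
extensions.settings.<extension_id> in a profile's "Preferences" or
"Secure Preferences" file. The layout used here (from_webstore, location,
manifest.name, manifest.permissions, manifest.host_permissions) is an
assumption for this example; verify it against your browser version.
"""
import json
import re
from pathlib import Path

# Names the article reports for SnowBelt; extend from your own intel.
SUSPICIOUS_NAME_PATTERNS = [re.compile(r"\bheartbeat\b", re.IGNORECASE)]

# Permissions that let an extension act as a remote command relay
# (assumption: a reasonable triage set, not a list from the article).
HIGH_RISK_PERMISSIONS = {
    "nativeMessaging", "webRequest", "debugger", "tabs", "cookies", "<all_urls>",
}

UNPACKED_LOCATION = 4   # Chromium ManifestLocation::kUnpacked (assumption)
COMPONENT_LOCATION = 5  # built-in component extensions; skipped as noise


def assess_extension(settings):
    """Return a list of finding strings for one extensions.settings entry."""
    findings = []
    if settings.get("location") == COMPONENT_LOCATION:
        return findings  # shipped with the browser, not user-installed
    manifest = settings.get("manifest", {})
    name = manifest.get("name", "")
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))

    if not settings.get("from_webstore", False):
        findings.append("not installed from the Chrome Web Store")
    if settings.get("location") == UNPACKED_LOCATION:
        findings.append("loaded unpacked (developer mode / sideloaded)")
    for pattern in SUSPICIOUS_NAME_PATTERNS:
        if pattern.search(name):
            findings.append(f"name matches known-bad pattern: {name!r}")
    risky = perms & HIGH_RISK_PERMISSIONS
    if risky:
        findings.append("high-risk permissions: " + ", ".join(sorted(risky)))
    return findings


def hunt(prefs):
    """Return {extension_id: [findings]} for every extension with findings."""
    results = {}
    for ext_id, settings in prefs.get("extensions", {}).get("settings", {}).items():
        findings = assess_extension(settings)
        if findings:
            results[ext_id] = findings
    return results


def hunt_profile(profile_dir):
    """Scan a real profile directory; both preference files may hold entries."""
    merged = {}
    for fname in ("Preferences", "Secure Preferences"):
        path = Path(profile_dir) / fname
        if path.exists():
            data = json.loads(path.read_text(encoding="utf-8"))
            merged.update(data.get("extensions", {}).get("settings", {}))
    return hunt({"extensions": {"settings": merged}})


# Constructed sample: one Web Store extension and one sideloaded
# "System Heartbeat" extension. IDs are made up (Chromium IDs use a-p only).
SAMPLE_PREFS = {
    "extensions": {
        "settings": {
            "goodgoodgoodgoodgoodgoodgoodgood": {
                "from_webstore": True,
                "location": 1,
                "manifest": {"name": "Notes Sidebar", "permissions": ["storage"]},
            },
            "badhbadhbadhbadhbadhbadhbadhbadh": {
                "from_webstore": False,
                "location": UNPACKED_LOCATION,
                "manifest": {
                    "name": "System Heartbeat",
                    "permissions": ["nativeMessaging", "webRequest", "storage"],
                    "host_permissions": ["<all_urls>"],
                },
            },
        }
    }
}

if __name__ == "__main__":
    for ext_id, findings in hunt(SAMPLE_PREFS).items():
        print(ext_id)
        for f in findings:
            print("  -", f)
```

Run it against a live machine with `hunt_profile(r"C:\Users\<user>\AppData\Local\Google\Chrome\User Data\Default")` (or the Edge equivalent); a "not from the Web Store" finding on its own is common for enterprise-pushed extensions, so triage on the combination of findings rather than any single one.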

SnowGlaze is the tunneler. It is built in Python and runs on both Windows and Linux. It establishes an authenticated WebSocket tunnel between the compromised internal network and attacker-controlled command-and-control servers, which are often hosted on platforms such as Heroku.

The malware wraps communications in JSON objects and Base64-encodes them. This makes traffic look like legitimate encrypted web sessions. Because of this, detection is harder for security teams using traditional network inspection. SnowGlaze turns the victim environment into a covert communication channel, bypassing normal security expectations.
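The framing described above (JSON wrapped in Base64, sent over an authenticated WebSocket) is itself a detectable pattern: legitimate WebSocket applications rarely Base64-encode whole JSON messages. The following added example (my own detection logic, not Google's or Mandiant's) decodes each WebSocket payload strictly as Base64, checks whether the result parses as a JSON object or array, and raises an alert with the decoded top-level keys so an analyst can triage without seeing the full content. The record shape (`ts`, `host`, `upgrade`, `payload`) is a simplified, constructed proxy-log format; adapt the field names to your proxy or EDR export. The Heroku suffix check reflects the hosting the article mentions.

```python
"""Flag WebSocket payloads that are Base64-wrapped JSON (added example).

Records are a constructed, simplified proxy-log shape; map the field names
to your own export before use.
"""
import base64
import binascii
import json

# Hosting platform the article names for C2; extend from your own intel.
PAAS_SUFFIXES = ("herokuapp.com",)


def decode_b64_json(payload):
    """Return the decoded JSON object/array if `payload` is Base64 text that
    wraps JSON, else None. Tolerates stripped padding and URL-safe alphabet.
    Plaintext JSON is deliberately not matched: it is not the framing the
    article describes and would flood the alert queue."""
    if not isinstance(payload, str) or len(payload) < 8:
        return None
    s = payload.strip().translate(str.maketrans("-_", "+/"))
    s += "=" * (-len(s) % 4)  # restore padding some tunnels strip
    try:
        raw = base64.b64decode(s, validate=True)  # reject non-alphabet bytes
        obj = json.loads(raw.decode("utf-8"))
    except (binascii.Error, ValueError):  # ValueError covers JSON/UTF-8 errors
        return None
    return obj if isinstance(obj, (dict, list)) else None


def scan(records):
    """Return one alert dict per WebSocket record carrying Base64-wrapped JSON."""
    alerts = []
    for rec in records:
        if str(rec.get("upgrade", "")).lower() != "websocket":
            continue
        obj = decode_b64_json(rec.get("payload"))
        if obj is None:
            continue
        host = str(rec.get("host", ""))
        alerts.append({
            "ts": rec.get("ts"),
            "host": host,
            # Keys only: enough to triage, without logging decoded contents.
            "keys": sorted(obj.keys()) if isinstance(obj, dict) else ["<array>"],
            "paas_c2": host.endswith(PAAS_SUFFIXES),
        })
    return alerts


def _b64(obj):
    """Helper used only to build the constructed samples below."""
    return base64.b64encode(json.dumps(obj).encode("utf-8")).decode("ascii")


# Constructed sample records; hosts and timestamps are made up.
SAMPLE_RECORDS = [
    {"ts": "2026-03-14T09:12:01Z", "host": "example-app.herokuapp.com",
     "upgrade": "websocket", "payload": _b64({"type": "beacon", "id": "A1", "seq": 7})},
    {"ts": "2026-03-14T09:12:05Z", "host": "chat.example.com",
     "upgrade": "websocket", "payload": "aGVsbG8gd29ybGQ="},   # Base64, not JSON
    {"ts": "2026-03-14T09:12:09Z", "host": "internal.example.com",
     "upgrade": "websocket", "payload": '{"ping": 1}'},        # plaintext JSON
    {"ts": "2026-03-14T09:12:12Z", "host": "cdn.example.com",
     "upgrade": "", "payload": _b64({"x": 1})},                # not a WebSocket
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```

Pair the alert with the process that opened the socket: a Python interpreter (the article notes SnowGlaze is written in Python) holding a long-lived WebSocket to a PaaS domain is a much stronger signal than either observation alone.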

SnowBasin is the last component and the most dangerous. It acts as a persistent backdoor and local HTTP server, usually listening on port 8000. This is where the actual mission happens. Attackers can issue commands such as account discovery, privilege checks, screenshot capture, and staged data exfiltration.

SnowBasin gives attackers interactive control of the infected system. This allows them to move from access to active compromise. Commands sent through SnowGlaze are routed through SnowBelt and executed by SnowBasin. This creates a workflow that keeps the attack stealthy while allowing full remote control.

A main reason for this campaign's success is cross-tenant helpdesk impersonation. Microsoft recently warned about attacks where intruders impersonate real support staff from outside the organization. Microsoft Teams is built for external collaboration. As a result, attackers can message employees from outside sources and appear to be part of normal support. Many organizations have not restricted Teams settings or trained employees to verify helpdesk identities.

The impersonation works especially well on executives and senior employees. They are frequent targets because they have privileged access and are less patient with disruptions. Reports show that from March 1 to April 1, 2026, 77% of UNC6692's observed incidents targeted senior employees, a big increase from earlier in the year.

This cross-tenant helpdesk method removes the need to develop exploits. Attackers do not need zero-days when users give up credentials and install access tools themselves. Microsoft also notes that many similar attacks use remote access utilities like Quick Assist, allowing attackers to deepen their control after establishing trust. UNC6692 follows the same process: create urgency, pretend to offer support, earn trust, then move to domain compromise and data theft.

After the compromise, data theft is clearly the main goal. UNC6692 does internal reconnaissance, targets Active Directory, and aims to take over the domain. Researchers observed credential theft, LSASS memory dumping, pass-the-hash, and the collection of the Active Directory database and sensitive registry hives. This is not smash-and-grab malware. It is a deliberate intrusion system for long-term access and careful exfiltration. The Snow ecosystem helps with persistence, stealth, and lateral movement without using noisy ransomware.

The main lesson is clear: organizations must stop seeing collaboration tools as always safe. Microsoft Teams is now part of the attack surface. External chat requests must be treated with as much skepticism as suspicious emails. Security steps should include restricted federation policies, stronger verification for helpdesk messages, monitoring for unauthorized browser extensions, and behavioral checks for WebSocket tunneling or unusual Python use.

UNC6692's Snow malware campaign shows that advanced attacks can start simply—with a helpful message from 'IT support.' The malware is technically advanced, but its real danger is in social engineering and cross-tenant impersonation. This combination makes Snow more than just another malware family. It is a model for how enterprise intrusions are changing.

Karolis Liucveikis

Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has over 8 years of experience in this field. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about the technical aspects and behavior of various malicious applications.
