Introduction
A new threat cluster, tracked as UNC6692, has operationalized a social engineering vector that bypasses traditional email security gateways: Microsoft Teams. By impersonating IT helpdesk personnel, attackers are convincing victims to accept external chat invitations. Once trust is established, they facilitate the deployment of a custom malicious software suite known as SNOW.
This attack vector is particularly dangerous because it exploits the inherent trust users place in internal collaboration tools. Unlike suspicious emails, a Teams chat request from "IT Support" often bypasses the skepticism of end-users. Defenders must act immediately to audit external access policies and detect the initial indicators of compromise associated with this campaign.
Technical Analysis
Affected Products & Platforms:
- Platform: Microsoft 365 (M365) tenants.
- Vector: Microsoft Teams (External Access / Federated Chat).
- Target Endpoint: Windows hosts receiving the payload.
Attack Chain Breakdown:
- Initial Access: The attacker utilizes an external M365 account to send a Teams chat invitation to a target user.
- Social Engineering: The attacker spoofs an identity, typically appearing as "IT Helpdesk" or "Support," to convince the user to accept the chat request.
- Payload Delivery: Upon acceptance, the attacker engages the victim, likely using a pretext (e.g., "We need to verify your login"), and delivers a malicious link or attachment.
- Execution: The user interacts with the payload, leading to the deployment of SNOW, a custom malware suite designed for data theft or establishing a C2 beacon.
Exploitation Status:
- Status: Confirmed active exploitation (In-the-wild).
- Threat Actor: UNC6692 (Previously undocumented cluster).
Detection & Response
Defenders must hunt for two distinct behaviors: chats initiated by external (federated) Teams accounts, and execution of the SNOW payload on the endpoint. Published hashes and file names for SNOW are still scarce, so the endpoint rules below rely on an assumed name and should be treated as low-confidence until real indicators are available. The delivery path is the stronger signal: an external account that opens a chat with an internal user while presenting itself as IT or helpdesk staff is rare in normal business, but only once known partner domains are filtered out, since ordinary external collaboration will otherwise dominate the results.
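The following PowerShell is an added example, not code from the original advisory or from the vendor: it runs the first hunt offline over a few constructed Teams audit records in the shape of a Unified Audit Log export, flags chats started by accounts outside the tenant's verified domains, and raises severity when the external display name reads like IT or helpdesk staff. The field names (Workload, Operation, Members with UPN/DisplayName/Role, ParticipantInfo.HasForeignTenantUsers) and the meaning of Role 1 as the chat creator are assumptions to verify against your own export; the sample records, domains and the function name are this example's own.

```powershell
# Added example (not part of the original advisory). Field names follow the Teams audit schema
# as an assumption; check them against a real Search-UnifiedAuditLog export before relying on this.

# Constructed sample records, not real telemetry. Role 1 = chat creator, Role 2 = invited member (assumption).
$sampleAuditJson = @'
[
  {
    "CreationTime": "2026-04-07T09:12:03", "Workload": "MicrosoftTeams", "Operation": "ChatCreated",
    "UserId": "it.helpdesk@outlook-tenant.example", "CommunicationType": "OneOnOne",
    "ParticipantInfo": { "HasForeignTenantUsers": true },
    "Members": [
      { "DisplayName": "IT Helpdesk", "Role": 1, "UPN": "it.helpdesk@outlook-tenant.example" },
      { "DisplayName": "Alice Chen",  "Role": 2, "UPN": "alice.chen@yourdomain.com" }
    ]
  },
  {
    "CreationTime": "2026-04-07T10:40:51", "Workload": "MicrosoftTeams", "Operation": "ChatCreated",
    "UserId": "bob.lee@yourdomain.com", "CommunicationType": "OneOnOne",
    "ParticipantInfo": { "HasForeignTenantUsers": false },
    "Members": [
      { "DisplayName": "Bob Lee",   "Role": 1, "UPN": "bob.lee@yourdomain.com" },
      { "DisplayName": "Dana Ruiz", "Role": 2, "UPN": "dana.ruiz@yourdomain.com" }
    ]
  },
  {
    "CreationTime": "2026-04-07T11:05:17", "Workload": "MicrosoftTeams", "Operation": "ChatCreated",
    "UserId": "sales@partner.example", "CommunicationType": "OneOnOne",
    "ParticipantInfo": { "HasForeignTenantUsers": true },
    "Members": [
      { "DisplayName": "Partner Sales", "Role": 1, "UPN": "sales@partner.example" },
      { "DisplayName": "Bob Lee",       "Role": 2, "UPN": "bob.lee@yourdomain.com" }
    ]
  }
]
'@

function Find-ExternalHelpdeskChats {
    param(
        [Parameter(Mandatory)] [object[]] $Records,
        [Parameter(Mandatory)] [string[]] $TenantDomains,   # every verified domain your tenant owns
        [string[]] $TrustedPartnerDomains = @(),            # approved federation partners (lower severity)
        [string] $ImpersonationPattern = '(?i)\b(it|help ?desk|support|service ?desk|admin)\b'
    )
    foreach ($r in $Records) {
        if ($r.Workload -ne 'MicrosoftTeams' -or $r.Operation -notin @('ChatCreated', 'MemberAdded', 'MessageSent')) { continue }
        # Who opened the chat: the Role 1 member (assumption), falling back to the record's UserId
        $creator = ($r.Members | Where-Object { $_.Role -eq 1 } | Select-Object -First 1).UPN
        if (-not $creator) { $creator = $r.UserId }
        $creatorDomain = ($creator -split '@')[-1].ToLowerInvariant()
        # External if the creator's domain is not ours, or the log itself says a foreign tenant took part
        $isExternal = ($creatorDomain -notin $TenantDomains) -or ($r.ParticipantInfo.HasForeignTenantUsers -eq $true)
        if (-not $isExternal) { continue }
        $creatorName  = ($r.Members | Where-Object { $_.UPN -eq $creator } | Select-Object -First 1).DisplayName
        $impersonates = [bool]($creatorName -match $ImpersonationPattern)
        $trusted      = $creatorDomain -in $TrustedPartnerDomains
        $severity = if ($impersonates -and -not $trusted) { 'High' } elseif (-not $trusted) { 'Medium' } else { 'Low' }
        [pscustomobject]@{
            Time          = $r.CreationTime
            ExternalUser  = $creator
            DisplayName   = $creatorName
            InternalUsers = (($r.Members | Where-Object { ($_.UPN -split '@')[-1] -in $TenantDomains }).UPN -join ';')
            Impersonation = $impersonates
            Severity      = $severity
        }
    }
}

$records = $sampleAuditJson | ConvertFrom-Json
Find-ExternalHelpdeskChats -Records $records -TenantDomains @('yourdomain.com') -TrustedPartnerDomains @('partner.example') |
    Format-Table -AutoSize
```

On the constructed input this returns two rows: the "IT Helpdesk" chat from the unknown tenant at High, and the partner.example chat at Low; the purely internal chat is dropped. Feed it the output of Search-UnifiedAuditLog (AuditData expanded from JSON) and grow TrustedPartnerDomains until the remaining Medium and High rows are worth a ticket each.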
Sigma Rules
---
title: UNC6692 - External Teams Invite Acceptance
id: 8a2b1c4d-9e3f-4a5b-6c7d-8e9f0a1b2c3d
status: experimental
description: Detects the acceptance of a Microsoft Teams chat invitation from an external (federated) domain, the initial-access TTP of UNC6692.
references:
  - https://thehackernews.com/2026/04/unc6692-impersonates-it-helpdesk-via.html
author: Security Arsenal
date: 2026/04/07
tags:
  - attack.initial_access
  - attack.t1566.003
logsource:
  product: o365
  service: teams
detection:
  selection:
    # Placeholder operation name: confirm the exact Teams audit operation in your tenant before deploying
    Operation|contains: 'AcceptTeamsInvite'
  filter_internal_domains:
    # Drop invites initiated from your own verified domains (list every domain the tenant owns; no '@' in a domain field)
    InitiatingUserDomain|endswith:
      - 'yourdomain.com'
  condition: selection and not filter_internal_domains
falsepositives:
  - Legitimate business collaboration with external partners
level: medium
---
title: Potential SNOW Malware Execution
id: b3c2d1e0-4f5a-6b7c-8d9e-0f1a2b3c4d5e
status: experimental
description: Detects execution of a binary named 'snow', or a 'snow' command line launched from a user download location, as a possible UNC6692 payload. The file name is an assumption, not a published SNOW indicator; tune once real hashes and names are available.
references:
  - https://thehackernews.com/2026/04/unc6692-impersonates-it-helpdesk-via.html
author: Security Arsenal
date: 2026/04/07
tags:
  - attack.execution
  - attack.t1204
logsource:
  category: process_creation
  product: windows
detection:
  selection_img:
    Image|endswith: '\snow.exe'
  selection_path:
    CurrentDirectory|contains:
      - '\AppData\Local\Microsoft\TeamsMeetingAddin'
      - '\Downloads\'
    CommandLine|contains: 'snow'
  condition: 1 of selection_*
falsepositives:
  - Legitimate software named 'snow' (rare in corporate environments)
  - Unrelated products whose name starts with 'snow' (for example Snowflake client tooling) if the match is loosened to a prefix
level: medium
KQL (Microsoft Sentinel)
// Hunt for UNC6692 Teams Invite Acceptance
// "AcceptTeamsInvite" is a placeholder operation name; confirm the exact value in your tenant's Teams audit records.
OfficeActivity
| where OfficeWorkload == "MicrosoftTeams"
| where Operation == "AcceptTeamsInvite"
| where isnotempty(InitiatingUserDomain)
| where InitiatingUserDomain !endswith "yourdomain.com" // Replace with every verified domain the tenant owns (no '@')
| project TimeGenerated, UserId, ClientIP, InitiatingUserDomain, Operation, Parameters
| order by TimeGenerated desc
// Hunt for potential SNOW malware process execution
// 'snow' as a file name is an assumption, not a published indicator; expect noise from unrelated software.
DeviceProcessEvents
| where Timestamp > ago(7d)
| where FileName has "snow" or ProcessCommandLine has "snow"
| project Timestamp, DeviceName, AccountName, FileName, FolderPath, ProcessCommandLine, InitiatingProcessFileName
| order by Timestamp desc
Velociraptor VQL
-- Hunt for SNOW malware artifacts and Teams download activity
-- 'snow' as a process or file name is an assumption, not a published indicator.
SELECT Pid, Name, CommandLine, Exe, Username, CreateTime
FROM pslist()
WHERE Name =~ "(?i)snow"
   OR CommandLine =~ "(?i)snow"
-- Scan user download directories for recently modified files matching the name
-- (the Teams client saves attachments to the user's Downloads folder by default)
SELECT OSPath, Size, Mtime, Mode
FROM glob(globs="C:/Users/*/Downloads/*snow*")
WHERE Mtime > timestamp(epoch=now() - 7 * 86400)
Remediation Script (PowerShell)
# Audit and Report Microsoft Teams External Access Settings
# Requires MicrosoftTeams PowerShell Module: Install-Module -Name MicrosoftTeams
Write-Host "[+] Connecting to Microsoft Teams..." -ForegroundColor Cyan
Connect-MicrosoftTeams
Write-Host "[+] Auditing External Access Policies..." -ForegroundColor Cyan
# Get the Global Federation Configuration (chat with other M365 tenants and with personal Teams accounts)
$federationConfig = Get-CsTenantFederationConfiguration
Write-Host "- AllowFederatedUsers (Can communicate with external Teams users): " -NoNewline
Write-Host $federationConfig.AllowFederatedUsers -ForegroundColor $(if ($federationConfig.AllowFederatedUsers) { "Red" } else { "Green" })
# AllowedDomains is the federation allow list; the AllowAllKnownDomains type means open federation with every tenant
$allowed = $federationConfig.AllowedDomains
$allowedText = if ($allowed.AllowedDomain) { $allowed.AllowedDomain.Domain -join ", " } else { $allowed.GetType().Name }
Write-Host "- AllowedDomains (Open federation unless a specific list is shown): " -NoNewline
Write-Host $allowedText -ForegroundColor $(if ($allowed.AllowedDomain) { "Green" } else { "Red" })
Write-Host "- AllowTeamsConsumer (Can chat with personal Teams accounts): " -NoNewline
Write-Host $federationConfig.AllowTeamsConsumer -ForegroundColor $(if ($federationConfig.AllowTeamsConsumer) { "Red" } else { "Green" })
# Guest access (adding external users as guests) is controlled by the Teams client configuration
$clientConfig = Get-CsTeamsClientConfiguration
Write-Host "- AllowGuestUser (Can add guest users): " -NoNewline
Write-Host $clientConfig.AllowGuestUser -ForegroundColor $(if ($clientConfig.AllowGuestUser) { "Red" } else { "Green" })
Write-Host "[+] Recommendation: If 'AllowFederatedUsers' is True with no allow list, restrict external communication to trusted domains only via Set-CsTenantFederationConfiguration -AllowedDomains." -ForegroundColor Yellow
Disconnect-MicrosoftTeams
Write-Host "[+] Audit Complete." -ForegroundColor Green
Remediation
To mitigate the risk of UNC6692 and similar social engineering campaigns, enforce the following defensive measures:
- Restrict External Teams Access: Many tenants still run open federation, so any M365 account in any tenant can open a chat with your users. Configure External Access in the Teams Admin Center (Users > External access) to allow communication only with specific trusted domains, and disable chat with personal (consumer) Teams accounts, which is a separate toggle not covered by the domain allow list. Disable external access entirely if it is not business-critical. Agree the partner list with the business first: an allow list that is too short breaks legitimate collaboration and gets reverted.
- Block Anonymous Join: Ensure that anonymous users (users not signed in to M365) cannot join meetings, under Meetings > Meeting settings in the Teams Admin Center. This closes the meeting variant of the lure; it does not affect federated chat, which is governed by the External Access settings above.
- User Awareness Campaigning: Immediately notify employees that IT support will never initiate unsolicited chat requests via Teams asking for credentials or asking them to install software without a prior ticket number, and show them what the "External" label on a chat looks like so they can recognise a federated sender.
- Conditional Access: Implement Conditional Access policies that require device compliance or multi-factor authentication (MFA) for Microsoft Teams and other M365 apps from unfamiliar locations or devices. This does not stop the external chat itself, but it limits what an attacker can do with credentials harvested under a "verify your login" pretext.
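The following PowerShell is an added example, not code from the original advisory or from Microsoft: it applies the first remediation above from the MicrosoftTeams module, replacing open federation with an explicit domain allow list, switching off personal-account chat, and then re-reading the configuration to verify the change. The cmdlets (Get/Set-CsTenantFederationConfiguration, New-CsEdgeDomainPattern, New-CsEdgeAllowList) are real module cmdlets; the function name, the -DryRun switch and the partner domains are this example's own.

```powershell
# Added example (not part of the original advisory): restrict Teams external access to an allow list.
# Requires: Install-Module -Name MicrosoftTeams, and a Teams administrator account.

function Set-TeamsFederationAllowList {
    param(
        [Parameter(Mandatory)] [string[]] $TrustedDomains,   # partner tenants you still need to chat with
        [switch] $DryRun                                     # show the intended change without applying it
    )
    $before  = Get-CsTenantFederationConfiguration
    # AllowedDomains is either an AllowList (has .AllowedDomain) or the AllowAllKnownDomains type (open federation)
    $current = if ($before.AllowedDomains.AllowedDomain) { $before.AllowedDomains.AllowedDomain.Domain -join ', ' }
               else { 'AllowAllKnownDomains (open federation)' }
    Write-Host "[*] Current allow list: $current"
    Write-Host "[*] Personal Teams accounts allowed: $($before.AllowTeamsConsumer) / inbound: $($before.AllowTeamsConsumerInbound)"

    # Build the allow list: one domain pattern per trusted partner
    $patterns  = foreach ($d in $TrustedDomains) { New-CsEdgeDomainPattern -Domain $d.ToLowerInvariant() }
    $allowList = New-CsEdgeAllowList -AllowedDomain $patterns

    if ($DryRun) {
        Write-Host "[DRY RUN] Would restrict federation to: $($TrustedDomains -join ', ') and block personal Teams accounts"
        return
    }
    # Keep federation on, but only with the listed domains; personal (consumer) accounts are a second
    # external chat path that the domain allow list does not cover, so they are switched off separately
    Set-CsTenantFederationConfiguration -AllowFederatedUsers $true -AllowedDomains $allowList `
        -AllowTeamsConsumer $false -AllowTeamsConsumerInbound $false

    # Verify: read the configuration back rather than trusting the call succeeded
    $after   = Get-CsTenantFederationConfiguration
    $applied = @($after.AllowedDomains.AllowedDomain.Domain | ForEach-Object { $_.ToLowerInvariant() })
    $missing = $TrustedDomains | Where-Object { $_.ToLowerInvariant() -notin $applied }
    if ($missing) { Write-Warning "Allow list incomplete, missing: $($missing -join ', ')" }
    else          { Write-Host "[+] Federation restricted to: $($applied -join ', ')" -ForegroundColor Green }
    if ($after.AllowTeamsConsumer -or $after.AllowTeamsConsumerInbound) {
        Write-Warning "Personal Teams account chat is still enabled"
    }
}

Connect-MicrosoftTeams
# Hypothetical partner domains; run with -DryRun first, then without it once the list is agreed with the business
Set-TeamsFederationAllowList -TrustedDomains @('partner.example', 'msp.example') -DryRun
Disconnect-MicrosoftTeams
```

Run the audit script from the previous section before and after applying this so the change is recorded, and note that users who had open chats with tenants outside the new list will lose them, which is the expected effect rather than a bug.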