Back to Intelligence

UNC6692 'Snow' Malware via Microsoft Teams: Detection and Hardening Guide

SA
Security Arsenal Team
April 25, 2026
7 min read

A threat group tracked as UNC6692 is actively abusing Microsoft Teams as an initial access vector to deliver a custom malware suite dubbed 'Snow'. Unlike traditional phishing campaigns that rely on email, this operation leverages external Teams messages to bypass standard Secure Email Gateways (SEGs) and deliver a payload consisting of a browser extension, a network tunneler, and an unauthorized access mechanism.

For defenders, this represents a critical shift in the social engineering landscape. The presence of a trusted platform like Teams lowers user suspicion, significantly increasing the success rate of malicious attachment delivery. If 'Snow' successfully establishes its browser extension or tunneler, attackers gain persistent access to user sessions and internal network resources, effectively bypassing perimeter defenses.

Technical Analysis

Affected Products & Platforms

  • Platform: Microsoft Teams (Windows, macOS, Web)
  • Environment: Microsoft 365 tenants with external access/federation enabled.
  • Malware Components:
    • Browser Extension: Injects into browsers (Chrome/Edge) to facilitate session hijacking or credential theft.
    • Tunneler: Establishes C2 communication and lateral movement capabilities.
    • Access Tool: Likely a mechanism for maintaining unauthorized access (e.g., token manipulation).

Attack Chain

  1. Initial Access: UNC6692 sends external Microsoft Teams messages to target organizations using valid tenant accounts (often compromised).
  2. Social Engineering: The messages masquerade as legitimate business communications (e.g., "HR Document Update" or "Invoice Attached"), urging the user to open a file.
  3. Execution: The user clicks a malicious link or attachment hosted within the Teams context. This triggers the download and execution of the 'Snow' malware suite.
  4. Persistence: The 'Snow' browser extension is installed, and the tunneler establishes a connection to actor-controlled infrastructure.

Exploitation Status

  • Status: Confirmed active exploitation (in-the-wild).
  • Vector: Abuse of legitimate features (External Access) rather than a software vulnerability (CVE). No specific CVE applies to the delivery mechanism itself, but it exploits the trust model of collaboration tools.

Detection & Response

The following detection rules focus on the anomalous behavior of Microsoft Teams delivering executable payloads or spawning child processes, as well as the persistence mechanisms of the 'Snow' browser extension.

Sigma Rules

YAML
---
title: Microsoft Teams Spawning Suspicious Child Processes
id: 8a2c1d4e-5f6a-4b3c-9d8e-1f2a3b4c5d6e
status: experimental
description: Detects Microsoft Teams spawning suspicious child processes such as PowerShell, CMD, or script interpreters, which is unusual behavior and indicative of potential exploitation or malware delivery.
references:
 - https://www.bleepingcomputer.com/news/security/threat-actor-uses-microsoft-teams-to-deploy-new-snow-malware/
author: Security Arsenal
date: 2025/04/10
tags:
 - attack.initial_access
 - attack.t1566.002
 - attack.execution
 - attack.t1204
logsource:
 category: process_creation
 product: windows
detection:
 selection:
   ParentImage|endswith: '\ms-teams.exe'
   Image|endswith:
     - '\powershell.exe'
     - '\cmd.exe'
     - '\wscript.exe'
     - '\cscript.exe'
     - '\mshta.exe'
     - '\regsvr32.exe'
 condition: selection
falsepositives:
 - Limited; Teams does not typically spawn these processes for standard user operations.
level: high
---
title: Execution from Teams Downloads Directory
title: Executable Execution from Teams Downloads Folder
id: 9b3d2e5f-6a7b-4c5d-9e0f-2a3b4c5d6e7f
status: experimental
description: Detects execution of executables or scripts directly from the Microsoft Teams downloads directory. This is a common location for payloads delivered via phishing links.
references:
 - https://www.bleepingcomputer.com/news/security/threat-actor-uses-microsoft-teams-to-deploy-new-snow-malware/
author: Security Arsenal
date: 2025/04/10
tags:
 - attack.initial_access
 - attack.t1566.002
 - attack.execution
 - attack.t1204.002
logsource:
 category: process_creation
 product: windows
detection:
 selection:
   Image|contains: '\Microsoft\Teams\Downloads\'
 condition: selection
falsepositives:
 - Rare; users rarely execute binaries directly from this folder unless tricked.
level: high
---
title: Suspicious Browser Extension Installation via Registry
id: 1c4e3f6a-7b8d-4e9f-0a1b-3c4d5e6f7a8b
status: experimental
description: Detects the creation of registry keys associated with browser extensions (Chrome/Edge) which may indicate the installation of the 'Snow' browser extension component. Focuses on non-standard paths or unusual installation timings.
references:
 - https://www.bleepingcomputer.com/news/security/threat-actor-uses-microsoft-teams-to-deploy-new-snow-malware/
author: Security Arsenal
date: 2025/04/10
tags:
 - attack.persistence
 - attack.t1176
logsource:
 category: registry_add
 product: windows
detection:
 selection:
   TargetObject|contains:
     - '\Software\Google\Chrome\Extensions\'
     - '\Software\Microsoft\Edge\Extensions\'
 condition: selection
falsepositives:
 - Legitimate software installing browser extensions.
level: medium

KQL (Microsoft Sentinel / Defender)

KQL — Microsoft Sentinel / Defender
// Hunt for Microsoft Teams spawning suspicious child processes
DeviceProcessEvents
| where InitiatingProcessFileName == "ms-teams.exe"
| where ProcessFileName in ("powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "regsvr32.exe", "powershell_ise.exe")
| project Timestamp, DeviceName, AccountName, InitiatingProcessCommandLine, ProcessCommandLine, FileName, FolderPath
| order by Timestamp desc

// Hunt for executables running from the Teams Downloads folder
DeviceProcessEvents
| where FolderPath contains @"\Microsoft\Teams\Downloads\"
| where ProcessVersionInfoFileType in @"Application" or ProcessVersionInfoOriginalFileName in @".exe"
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, SHA256
| order by Timestamp desc

// Correlate Teams network activity with unknown endpoints
DeviceNetworkEvents
| where InitiatingProcessFileName == "ms-teams.exe"
| where RemoteUrl !contains "microsoft.com" and RemoteUrl !contains "office.com" and RemoteUrl !contains "skype.com" and RemoteUrl !contains "lync.com"
| project Timestamp, DeviceName, AccountName, RemoteUrl, RemoteIP, RemotePort, InitiatingProcessCommandLine
| summarize count() by RemoteUrl, DeviceName
| order by count_ desc

Velociraptor VQL

VQL — Velociraptor
-- Hunt for suspicious executables in Microsoft Teams Downloads directory
SELECT FullPath, Size, Mtime, Atime
FROM glob(globs='*/Microsoft/Teams/Downloads/*.exe')
WHERE Mtime < now() - 24h -- Look for files created in the last 24 hours relative to hunt time, or adjust as needed

-- Hunt for recently modified Chrome/Edge Extension directories (Snow persistence)
SELECT FullPath, Size, Mtime
FROM glob(globs='*/Google/Chrome/User Data/Default/Extensions/*')
WHERE Mtime < now() - 7*60*60 -- Modified in last 7 days

SELECT FullPath, Size, Mtime
FROM glob(globs='*/Microsoft/Edge/User Data/Default/Extensions/*')
WHERE Mtime < now() - 7*60*60 -- Modified in last 7 days

Remediation Script (PowerShell)

This script audits the Microsoft 365 Teams external access settings. Note: Changing these requires the Microsoft Teams PowerShell Module and Global Admin credentials.

PowerShell
# Requires MicrosoftTeams PowerShell Module
# Install-Module -Name MicrosoftTeams

# Check current Federation Configuration
function Get-TeamsFederationStatus {
    Write-Host "Checking Microsoft Teams External Access Policies..." -ForegroundColor Cyan
    
    try {
        Connect-MicrosoftTeams -ErrorAction Stop
        
        # Get the Global Federation Configuration
        $config = Get-CsTenantFederationConfiguration
        
        Write-Host "Current AllowFederatedUsers Setting: $($config.AllowFederatedUsers)" -ForegroundColor Yellow
        Write-Host "Current Blocked Domains List Count: $($config.BlockedDomains.Count)" -ForegroundColor Yellow
        
        if ($config.AllowFederatedUsers -eq $true) {
            Write-Host "[WARNING] Teams is configured to allow external users. Consider restricting to allow-listed domains only." -ForegroundColor Red
        } else {
            Write-Host "[INFO] Teams external access is currently disabled." -ForegroundColor Green
        }
    }
    catch {
        Write-Host "[ERROR] Failed to retrieve configuration. Ensure you are connected to Teams PowerShell." -ForegroundColor Red
        Write-Host $_.Exception.Message
    }
}

# Harden: Disable all external communication (Use with caution, impacts business operations)
function Disable-TeamsExternalAccess {
    Write-Host "Disabling Teams External Access..." -ForegroundColor Cyan
    try {
        Set-CsTenantFederationConfiguration -AllowFederatedUsers $false
        Write-Host "[SUCCESS] External access has been disabled." -ForegroundColor Green
    }
    catch {
        Write-Host "[ERROR] Failed to update configuration." -ForegroundColor Red
        Write-Host $_.Exception.Message
    }
}

# Execute Audit
Get-TeamsFederationStatus

# To actually disable, uncomment the line below:
# Disable-TeamsExternalAccess

Remediation

Immediate Actions

  1. Tenant Hardening: Review and restrict Microsoft Teams external access policies. Move from "Allow any external domain" to an "Allow list" model where only known partners can interact with your users via Teams.
  2. User Awareness: Immediately notify security teams and users about this campaign. Instruct users to treat Teams messages from external (unfamiliar) senders with the same scrutiny applied to external emails.
  3. Isolation: If a device is suspected of infection, isolate it from the network immediately. The 'Snow' tunneler provides remote access, so network containment is critical.

Long-term Protections

  1. Microsoft 365 Defender: Ensure Safe Links and Safe Attachments policies are applied to Microsoft Teams, not just Outlook.
    • Config: Security & Compliance Center -> Threat Management -> Policy -> ATP Safe Links -> Settings for "Safe Links for Office 365 apps".
  2. Conditional Access: Implement Conditional Access policies that limit access to Teams from unmanaged devices or unknown locations.
  3. Browser Extension Governance: Implement Group Policy or MDM controls to prevent users from installing unauthorized browser extensions.

Related Resources

Security Arsenal Managed SOC Services AlertMonitor Platform Book a SOC Assessment soc-mdr Intel Hub

managed-socmdrsecurity-monitoringthreat-detectionsiemunc6692microsoft-teamsmalware

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action