Saturday, April 25, 2026

Microsoft Teams Helpdesk Scam Deploys SNOW Malware: What IT Leaders Must Know Now


[Image: a wooden block spelling "cybersec" on a table. Photo by Markus Winkler on Unsplash]

Key Takeaways
  • A newly tracked threat group, UNC6692, is impersonating IT helpdesk staff on Microsoft Teams to deliver a three-part custom malware suite called SNOW — no software vulnerability required.
  • The attack begins with email bombing to stress the target, then a fake Teams support message leads victims to download malware from a threat actor-controlled Amazon S3 bucket.
  • 77% of UNC6692 incidents between March 1 and April 1, 2026 targeted senior-level employees — a sharp jump from 59% in the prior two months, making executive protection critical.
  • Google Mandiant and Microsoft have both issued urgent warnings; defenders have only minutes to respond once a user is deceived into approving remote access.

What Happened

In late December 2025, Google's Mandiant threat intelligence team identified a new threat actor — designated UNC6692 — deploying a sophisticated, three-component malware suite called SNOW against enterprise targets. The attack requires no software vulnerability whatsoever. Instead, it relies entirely on social engineering and the implicit trust employees place in internal IT support channels.

The attack chain is disturbingly straightforward. First, the target receives a flood of spam email — a technique known as "email bombing" — designed to overwhelm and frustrate the victim. Almost immediately afterward, a Microsoft Teams message arrives from an account posing as an IT helpdesk agent, offering to resolve the spam problem. The victim clicks a link provided by the fake support agent, which downloads an AutoHotkey dropper (a small script-based program designed to silently install other software) from a threat actor-controlled Amazon S3 bucket.

That dropper installs SnowBelt — a malicious browser extension disguised as "MS Heartbeat" or "System Heartbeat" — which runs silently inside a hidden, headless (non-visible) Edge browser instance. From there, UNC6692 deploys SnowGlaze, a Python-based WebSocket tunneler that routes command-and-control traffic through Heroku subdomains, and SnowBasin, a local HTTP backdoor listening on port 8000 that provides full remote control over the compromised machine. The final stage includes Pass-the-Hash lateral movement (a technique for moving through a network using stolen credential hashes without ever needing the plaintext password), capture of the Active Directory database using FTK Imager, and data exfiltration via LimeWire upload — representing complete domain compromise at scale.

[Image: a computer screen showing a map of Portugal. Photo by KOBU Agency on Unsplash]

Why It Matters for Your Organization's Security

If the SNOW malware campaign sounds alarming, it should — but understanding exactly why it marks a step change in attacker sophistication will help your team prioritize the right defenses. The core danger is that this attack weaponizes trust rather than technology, and most conventional security stacks are not built to stop it.

Traditional security tools detect malicious software, suspicious executables, and known exploit signatures. UNC6692's playbook sidesteps all of that. According to Google Mandiant researchers (April 25, 2026), UNC6692 achieves deep network compromise "without exploiting a single software vulnerability," relying entirely on social engineering, legitimate cloud infrastructure abuse, and modular custom tooling to evade detection. CSO Online analysts noted in April 2026 that using trusted services like Amazon S3 for both payload delivery and data exfiltration allows attackers to "blend into normal cloud traffic and bypass traditional reputation-based network filters, making detection significantly harder."

This has serious implications for your data protection posture. When attackers route their activity through the same cloud infrastructure your organization trusts every day — AWS S3, Heroku — conventional network monitoring tools may never flag the traffic as suspicious. By the time SnowBasin is listening on port 8000 and issuing commands via cmd.exe or PowerShell, an attacker has effectively achieved the same level of access as a local system administrator, all while appearing as routine cloud traffic on your logs.

The targeting pattern makes this even more urgent. Mandiant's tracking data shows that 77% of observed UNC6692 incidents between March 1 and April 1, 2026 targeted senior-level employees — up sharply from 59% in the first two months of 2026. Attackers are deliberately going after the people most likely to hold elevated network privileges, access to sensitive financial data, and the authority to approve IT requests without detailed scrutiny.

On April 18, 2026, Microsoft's Security Blog issued a dedicated warning, noting that "recent intrusions used the same basic playbook: an unsolicited Teams contact, a fake support pretext, Quick Assist approval (Microsoft's built-in remote help tool), then hands-on-keyboard activity inside the environment within minutes." That phrase — "within minutes" — is the critical number for your incident response planning. The window between initial deception and deep network access is extremely narrow. Once Quick Assist is approved, the attacker has live access to the victim's machine before most security teams even receive an alert.

Sound cybersecurity best practices have always included verifying IT support requests through a second channel — a phone call, a ticket number, a known internal directory entry. But this campaign proves that under the pressure of an inbox flooded with hundreds of spam messages, even security-conscious employees can be manipulated into skipping that step. Security awareness training that specifically rehearses this exact scenario — email bombing followed by a Teams message from "IT support" — is no longer optional for any organization.

The end-stage consequences are severe: Pass-the-Hash lateral movement to domain controllers, FTK Imager capture of the Active Directory database file (which contains credential hashes for every account in your organization), and bulk exfiltration via LimeWire upload. This is a complete domain compromise — the kind of incident that typically costs organizations millions of dollars and months of recovery time, and that creates serious data protection liability depending on your industry's regulatory requirements.

The AI Angle

The SNOW campaign is a textbook case for why modern threat intelligence platforms have shifted toward AI-driven behavioral analysis rather than signature-based detection. Since UNC6692 uses no known malware signatures and hides its traffic inside legitimate cloud services, traditional antivirus offers minimal protection here.

AI-powered security platforms like Microsoft Sentinel and Darktrace are specifically designed to catch the behavioral anomalies this attack produces: a user suddenly approving a remote access session outside normal hours, a browser extension appearing inside a headless browser process, or unexpected outbound WebSocket connections to Heroku subdomains. These tools build a baseline of "normal" behavior for each user and device, then flag deviations in real time — giving security teams the speed they need to act within the narrow window Microsoft's Security Blog highlighted.

AI-assisted security awareness platforms that simulate Teams-based social engineering scenarios — not just email phishing — also directly target the human layer UNC6692 exploits. Layering AI-driven network monitoring with realistic, scenario-specific security awareness training creates overlapping defenses that are far more effective than any single control against a no-exploit, social-engineering-first attack group.

What Should You Do? 3 Action Steps

1. Restrict and Audit Microsoft Teams External Access Immediately

In your Microsoft Teams admin center, review and restrict which external domains can initiate chat contact with your employees. For most organizations, there is no legitimate business reason for an unknown external account to pose as your IT helpdesk. Disable unsolicited external contact for non-federated domains and require that all IT support interactions originate from verified, internal accounts tied to a logged support ticket. Audit your Teams chat logs now for any recent contact from external accounts claiming an IT helpdesk identity — this is a direct early indicator of UNC6692-style reconnaissance. Documenting these restrictions as a formal policy also aligns with cybersecurity best practices and supports audit readiness.

2. Run Targeted Security Awareness Training on This Exact Attack Scenario

Generic phishing training is no longer sufficient against this class of threat. Schedule a focused security awareness session — ideally within the next two weeks — that walks all employees through the email bombing → Teams impersonation → Quick Assist approval attack chain step by step. Emphasize that legitimate IT staff will never initiate support contact via an unsolicited Teams message and will never request Quick Assist approval without a pre-existing, verified support ticket number. Pay particular attention to senior-level employees, who represented 77% of UNC6692 targets between March 1 and April 1, 2026. Consider running a simulated Teams-based social engineering exercise to measure real-world response rates before an actual attack tests your team under pressure.

3. Enforce Browser Extension Controls and Deploy Behavioral Monitoring

Since SnowBelt installs as a browser extension named "MS Heartbeat" or "System Heartbeat," configure your endpoint management platform (such as Microsoft Intune or a comparable MDM solution) to enforce an approved extension allowlist and automatically block any unlisted extension from installing. Simultaneously, deploy or audit your behavioral monitoring capabilities — AI-driven platforms like Microsoft Sentinel can detect headless Edge processes running in the background, unexpected activity on port 8000, and outbound WebSocket connections to Heroku subdomains that signal SnowGlaze and SnowBasin are active. For incident response readiness, ensure your security team has a documented playbook for Teams-based social engineering incidents, including immediate steps to revoke remote sessions, isolate affected endpoints, reset potentially compromised credentials, and preserve forensic evidence before remediation begins.
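As an added illustration of the host indicators named in step 3 and in the incident response FAQ below, here is a small triage routine written for this page (not code from Mandiant, Microsoft or the article's author) that scans constructed endpoint telemetry for the four SNOW signals: a headless Edge process, a listener on local port 8000, an outbound WebSocket to a Heroku subdomain, and a browser extension named "MS Heartbeat" or "System Heartbeat". It assumes Heroku-hosted apps are reached under herokuapp.com and that telemetry records carry the field names used in the sample below.

```python
import re

# Constructed sample endpoint telemetry (not from the article), one dict per EDR record.
SAMPLE_EVENTS = [
    {"type": "process", "image": "msedge.exe",
     "cmdline": "msedge.exe --headless=new --load-extension=C:\\Users\\a\\AppData\\Local\\hb"},
    {"type": "listen", "image": "python.exe", "local_port": 8000},
    {"type": "connect", "image": "python.exe", "protocol": "websocket",
     "remote_host": "quiet-tundra-1234.herokuapp.com", "remote_port": 443},
    {"type": "extension", "browser": "msedge", "name": "MS Heartbeat"},
    {"type": "listen", "image": "svchost.exe", "local_port": 135},          # benign
    {"type": "extension", "browser": "msedge", "name": "Microsoft Editor"},  # benign
]

HEARTBEAT_NAMES = {"ms heartbeat", "system heartbeat"}
HEROKU_RE = re.compile(r"\.herokuapp\.com$", re.I)  # assumption: Heroku apps live under herokuapp.com

def check_event(ev):
    """Return (component, reason) pairs for one telemetry record; empty if clean."""
    hits, kind = [], ev["type"]
    if kind == "process" and ev["image"].lower() == "msedge.exe":
        cmdline = ev.get("cmdline", "").lower()
        if "--headless" in cmdline:  # hidden Edge instance that hosts SnowBelt
            reason = "headless Edge process"
            if "--load-extension" in cmdline:
                reason += " loading an unpacked extension"
            hits.append(("SnowBelt", reason))
    elif kind == "listen" and ev["local_port"] == 8000:  # SnowBasin local HTTP backdoor
        hits.append(("SnowBasin", f"{ev['image']} listening on local port 8000"))
    elif kind == "connect" and ev.get("protocol") == "websocket" \
            and HEROKU_RE.search(ev["remote_host"]):  # SnowGlaze C2 tunnel
        hits.append(("SnowGlaze", f"outbound WebSocket to {ev['remote_host']}"))
    elif kind == "extension" and ev["name"].strip().lower() in HEARTBEAT_NAMES:
        hits.append(("SnowBelt", f"browser extension named {ev['name']!r}"))
    return hits

def scan(events):
    """Collect every indicator across one host's telemetry."""
    return [hit for ev in events for hit in check_event(ev)]

def triage(events):
    """Escalate when two or more distinct SNOW components appear on the same host."""
    components = {component for component, _ in scan(events)}
    if len(components) >= 2:
        return "ISOLATE"
    return "REVIEW" if components else "CLEAN"
```

Calling `triage(SAMPLE_EVENTS)` on the constructed host returns "ISOLATE" because three distinct components are present; a lone "System Heartbeat" extension returns "REVIEW" so an analyst confirms before the endpoint is cut off.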

Frequently Asked Questions

How do I protect my organization from Microsoft Teams helpdesk impersonation attacks like SNOW malware?

Start by restricting external Teams access in your admin center so that unknown accounts cannot initiate unsolicited conversations with employees. Combine this with targeted security awareness training that specifically covers the email bombing followed by fake IT support outreach scenario. Deploy behavioral monitoring tools capable of detecting headless browser activity, unexpected local HTTP servers, and unusual outbound WebSocket connections. Enforce a browser extension allowlist to prevent malicious extensions like SnowBelt from installing. Finally, establish a verified IT support ticketing process — employees should always be able to confirm a support request through a second, trusted channel (such as a ticket number in your ITSM system) before approving any remote access session.

What makes the UNC6692 SNOW malware so difficult to detect with traditional antivirus software?

UNC6692 deliberately avoids dropping conventional malware executables that antivirus tools would recognize. Instead, it uses an AutoHotkey dropper, a disguised browser extension (SnowBelt), a Python WebSocket tunneler (SnowGlaze) routing traffic through legitimate Heroku subdomains, and a local HTTP backdoor (SnowBasin) on port 8000. All of these components blend into normal system and cloud traffic patterns. Traditional antivirus relies on known malware file signatures and executable-based detection — none of which apply here. AI-driven behavioral analysis platforms are significantly better suited to detect the anomalies these components produce, such as headless browser processes, unusual WebSocket destinations, and local HTTP servers appearing on non-standard ports outside normal software baselines.

Why are senior executives being targeted more often by social engineering attacks like Teams impersonation in 2026?

According to Mandiant's threat intelligence data, 77% of UNC6692 incidents between March 1 and April 1, 2026 targeted senior-level employees — up from 59% in the first two months of the year. Senior employees are high-value targets for several compounding reasons: they typically hold elevated network privileges, have access to sensitive financial and strategic data, and carry the authority to approve IT requests without detailed scrutiny. They are also frequently under time pressure, making them more susceptible to acting quickly when presented with an urgent-seeming support request during an email bombing event. Attackers deliberately time the Teams outreach to maximize this pressure-and-trust combination.

What should my incident response plan include to address Microsoft Teams-based social engineering attacks specifically?

Your incident response plan for Teams-based attacks should include: immediate revocation of any active Quick Assist or third-party remote access session upon first suspicion of compromise; network isolation of the affected endpoint to prevent lateral movement before Pass-the-Hash techniques can reach domain controllers; forensic preservation of browser extension directories, Teams chat logs, and network connection records before any remediation steps are taken; a full credential reset sweep — especially for accounts that authenticated from the affected device — given UNC6692's documented use of Pass-the-Hash movement toward domain controllers and FTK Imager capture of the Active Directory database; and a post-incident Active Directory audit for unauthorized changes or new privileged accounts. Ensure the plan is tested at least annually and includes specific indicators of compromise: port 8000 activity, headless Edge processes, and browser extensions named "MS Heartbeat" or "System Heartbeat."

How can small businesses with limited IT budgets improve data protection against advanced threat groups like UNC6692?

Small businesses can take several high-impact, low-cost steps to strengthen data protection against this attack class. First, configure Microsoft Teams to block unsolicited external contact — this is a free admin setting that eliminates the primary attack vector UNC6692 relies on. Second, run regular security awareness training using affordable platforms; even a 30-minute session specifically covering Teams impersonation scenarios measurably reduces risk. Third, enforce multi-factor authentication (MFA — requiring a second form of identity verification beyond a password) on all accounts, which significantly limits the damage from credential theft even if a Pass-the-Hash technique succeeds downstream. Finally, consider a managed detection and response (MDR) service, which delivers enterprise-grade threat intelligence and behavioral monitoring for a predictable monthly fee — typically far less expensive than recovering from a full domain compromise that includes Active Directory database exfiltration.

Disclaimer: This article is for informational purposes only and does not constitute professional security consulting advice. Always consult with a qualified cybersecurity professional for your specific needs.
