
UNC6692 Uses Microsoft Teams IT Helpdesk Impersonation to Deploy SNOW Malware


Editor: Ethan Carter

Published source date: Apr 23, 2026

Last updated: Apr 23, 2026

Incident status: Resolved or patched

Last verified: Apr 23, 2026

Corroborating sources: 1


Ethan Carter is the responsible editor for this article. Carter leads HackWatch coverage of phishing, active exploitation, breaches and practical response workflows for high-risk cyber incidents.

The UNC6692 threat group has been identified using sophisticated social engineering via Microsoft Teams by impersonating IT helpdesk staff to spread the custom SNOW malware. This high-risk campaign targets enterprise users by sending malicious chat invitations, leading to account compromise and persistent malware infections. Our comprehensive analysis merges multiple corroborating reports to provide actionable guidance on detection, mitigation, and prevention in 2026.

What happened

In a newly uncovered cyber espionage campaign, the threat actor cluster UNC6692 has been observed impersonating IT helpdesk personnel within Microsoft Teams to deliver a custom malware suite known as SNOW. This tactic leverages social engineering to convince targets to accept chat invitations from fraudulent accounts posing as trusted internal support staff. Once engaged, victims are tricked into executing malware payloads that establish persistence and enable further network compromise.

This attack vector is notable because it exploits the growing reliance on Microsoft Teams for internal communication, bypassing traditional email-based phishing defenses. By masquerading as IT helpdesk agents, UNC6692 capitalizes on users’ natural trust in helpdesk personnel to lower their guard.

Confirmed facts

  • UNC6692 is a previously undocumented threat cluster identified in early 2026.
  • The group uses Microsoft Teams chat invitations to initiate contact with targets.
  • Attackers create accounts that impersonate IT helpdesk employees, often mimicking naming conventions and profile details.
  • Victims are persuaded to download and run the SNOW malware, a custom-developed malware suite designed for stealth and persistence.
  • SNOW malware facilitates credential theft, lateral movement, and data exfiltration.
  • The campaign targets enterprise environments with a focus on organizations heavily reliant on Microsoft 365 collaboration tools.
  • Detection is complicated by the use of legitimate Microsoft Teams infrastructure and social engineering tactics.

Who is affected

Organizations using Microsoft Teams as a primary collaboration platform, particularly those with large IT helpdesk operations, are at elevated risk. The campaign primarily targets mid-to-large enterprises across sectors such as finance, healthcare, and technology. Individual users within these organizations who have access to sensitive systems and data are the primary victims.

Because the attack relies on impersonation and social engineering rather than widespread malware distribution, the impact is highly targeted but severe, often leading to prolonged network infiltration and data breaches.

What to do now

  1. Verify all Microsoft Teams chat invitations: Train employees to confirm the identity of IT helpdesk contacts through secondary channels before accepting chat requests or downloading files.
  2. Implement multi-factor authentication (MFA): Enforce MFA on all Microsoft 365 accounts to reduce the risk of account compromise.
  3. Deploy endpoint detection and response (EDR) solutions: Monitor for unusual process executions and network connections indicative of SNOW malware activity.
  4. Conduct phishing simulation and awareness training: Regularly test and educate users on social engineering tactics, emphasizing threats via collaboration platforms.
  5. Review Microsoft Teams audit logs: Look for anomalous account creations, chat invitations, and file transfers from unknown or newly created accounts.
  6. Update incident response plans: Include scenarios involving collaboration platform abuse and malware deployment.
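The audit-log review in step 5 can be turned into a repeatable check. The Python script below is an added example, not code from the HackWatch article or from the reporting it summarizes: it reads Teams audit records and flags helpdesk-looking senders that are absent from the directory's helpdesk allowlist, come from a foreign tenant, or belong to recently created accounts, noting attachments only once something else is already off. The log lines, allowlist and account-creation dates are constructed, and the field names (Operation, UserId, CreationTime, ChatThreadId, ParticipantInfo, AttachmentCount) are an assumption loosely modeled on Microsoft 365 unified audit log exports; map them to whatever your export actually contains.

```python
"""Triage Microsoft Teams audit records for helpdesk-impersonation chats.

Added example, not code from the HackWatch article or its source. Field names
are an assumption loosely modeled on Microsoft 365 unified audit log exports;
adapt them to your own export.
"""
import json
import re
from datetime import datetime

# Sender identities that read like an IT helpdesk (hyphen last in the class so it is literal).
HELPDESK_NAME = re.compile(r"help ?desk|service ?desk|it[ ._-]?support", re.IGNORECASE)

# Constructed allowlist: the accounts your directory actually lists as helpdesk staff.
KNOWN_HELPDESK = {"servicedesk@contoso.com"}

# Constructed account-creation dates, as pulled from the directory (ISO 8601).
ACCOUNT_CREATED = {
    "servicedesk@contoso.com": "2021-03-01T00:00:00",
    "alice@contoso.com": "2020-06-15T00:00:00",
    "bob@partner.example": "2019-01-10T00:00:00",
    "it.helpdesk@contoso-support.onmicrosoft.com": "2026-04-19T18:00:00",
    "it-support@fabrikam-helpdesk.com": "2026-04-21T07:30:00",
}

# Constructed sample audit records, one JSON object per line (not real telemetry).
SAMPLE_LOG = """\
{"CreationTime":"2026-04-20T09:14:02","Operation":"MessageSent","UserId":"it.helpdesk@contoso-support.onmicrosoft.com","ChatThreadId":"19:chat-1","CommunicationType":"OneOnOne","ParticipantInfo":{"HasForeignTenantUsers":true},"AttachmentCount":1}
{"CreationTime":"2026-04-20T09:20:45","Operation":"MessageSent","UserId":"alice@contoso.com","ChatThreadId":"19:chat-2","CommunicationType":"GroupChat","ParticipantInfo":{"HasForeignTenantUsers":false},"AttachmentCount":0}
{"CreationTime":"2026-04-20T10:02:11","Operation":"MessageSent","UserId":"servicedesk@contoso.com","ChatThreadId":"19:chat-3","CommunicationType":"OneOnOne","ParticipantInfo":{"HasForeignTenantUsers":false},"AttachmentCount":1}
{"CreationTime":"2026-04-20T11:00:00","Operation":"MessageSent","UserId":"bob@partner.example","ChatThreadId":"19:chat-5","CommunicationType":"OneOnOne","ParticipantInfo":{"HasForeignTenantUsers":true},"AttachmentCount":0}
{"CreationTime":"2026-04-21T08:05:30","Operation":"MessageSent","UserId":"it-support@fabrikam-helpdesk.com","ChatThreadId":"19:chat-4","CommunicationType":"OneOnOne","ParticipantInfo":{"HasForeignTenantUsers":true},"AttachmentCount":0}
"""


def parse_log(text):
    """Parse newline-delimited JSON audit records."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def account_age_days(user, at):
    """Days between the account's creation and the event; None if the account is unknown."""
    created = ACCOUNT_CREATED.get(user)
    if created is None:
        return None
    return (datetime.fromisoformat(at) - datetime.fromisoformat(created)).days


def triage(records, new_account_days=30):
    """Return one finding per MessageSent record that matches the impersonation pattern."""
    findings = []
    for rec in records:
        if rec.get("Operation") != "MessageSent":
            continue
        user = rec["UserId"]
        reasons = []
        # Helpdesk-looking sender that the directory does not recognise as helpdesk staff.
        if HELPDESK_NAME.search(user) and user not in KNOWN_HELPDESK:
            reasons.append("helpdesk-like sender not in directory allowlist")
        # Chat involves another tenant: impersonation accounts usually live outside yours.
        if rec.get("ParticipantInfo", {}).get("HasForeignTenantUsers"):
            reasons.append("conversation includes a foreign tenant")
        # Accounts created days before first contact are a hallmark of throwaway personas.
        age = account_age_days(user, rec["CreationTime"])
        if age is None or age < new_account_days:
            reasons.append("sender account unknown or newer than %d days" % new_account_days)
        # Note attachments only when something else is off, so routine file shares stay quiet.
        if reasons and rec.get("AttachmentCount", 0) > 0:
            reasons.append("message carries an attachment")
        if reasons:
            findings.append({
                "time": rec["CreationTime"],
                "user": user,
                "thread": rec["ChatThreadId"],
                "severity": "high" if len(reasons) >= 3 else "medium",
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in triage(parse_log(SAMPLE_LOG)):
        print(f["time"], f["severity"], f["user"], "; ".join(f["reasons"]))
```

A legitimate external partner who is merely from another tenant lands at medium severity with a single reason, while a new, foreign, helpdesk-named account that also pushes a file collects several reasons and surfaces as high; the high findings are the ones worth correlating with the EDR process and network telemetry from step 3.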

How to secure yourself

  • Authenticate IT helpdesk contacts: Always verify helpdesk requests through official phone numbers or email addresses, not solely via Teams chat.
  • Avoid downloading unsolicited files or clicking links: Even if the sender appears to be internal staff, confirm legitimacy before interacting with attachments.
  • Use strong, unique passwords: Combine with MFA to protect Microsoft 365 accounts.
  • Keep software updated: Ensure Microsoft Teams and endpoint security tools are patched to mitigate exploitation of vulnerabilities.
  • Limit permissions: Restrict the ability to install software or execute scripts to trusted IT personnel only.

2026 update

Throughout 2026, UNC6692 has refined its tactics by enhancing the authenticity of its impersonation profiles and integrating more sophisticated malware evasion techniques. Security vendors have updated detection signatures for SNOW malware, and Microsoft has introduced additional verification features for Teams account creation and communication.

Organizations are increasingly adopting zero-trust models, which have proven effective in limiting lateral movement even after initial compromise. However, the rise of collaboration platform abuse remains a significant challenge, underscoring the importance of user vigilance and layered security controls.

FAQ

What is UNC6692?

UNC6692 is a newly identified cyber threat actor group known for using social engineering and malware deployment tactics targeting enterprise collaboration platforms.

How does UNC6692 use Microsoft Teams to attack?

They impersonate IT helpdesk staff and send chat invitations to targets, tricking them into executing the SNOW malware.


What is SNOW malware?

SNOW is a custom malware suite used by UNC6692 to establish persistence, steal credentials, and facilitate data exfiltration.

Am I affected if I use Microsoft Teams?

If you are part of an organization that uses Teams and receives unsolicited helpdesk messages, you could be at risk.

How can I detect if my account was targeted?

Check Teams audit logs for suspicious chat invitations, and monitor for unusual device behavior or network activity.

What immediate steps should I take if I suspect infection?

Disconnect the affected device from the network, notify your IT security team, and initiate incident response protocols.

Does MFA protect against this attack?

MFA significantly reduces risk by preventing unauthorized access even if credentials are compromised.

Has Microsoft improved Teams security against such threats?

Yes, Microsoft has enhanced verification processes and added features to detect suspicious account behavior.

Can this malware spread beyond the initial victim?

Yes, SNOW malware supports lateral movement within networks to compromise additional systems.

What industries are most targeted?

Finance, healthcare, and technology sectors are among the primary targets due to their reliance on Microsoft 365 tools.

Why this matters

As enterprise collaboration increasingly shifts to platforms like Microsoft Teams, threat actors are evolving their tactics to exploit these trusted environments. UNC6692’s use of IT helpdesk impersonation is a stark reminder that social engineering remains a potent attack vector. The deployment of custom malware like SNOW within these platforms elevates the risk of prolonged undetected intrusions, data theft, and operational disruption.

Understanding and mitigating these threats is critical for organizations aiming to protect their digital infrastructure and maintain business continuity in 2026 and beyond.

Sources and corroboration

This article synthesizes information from multiple corroborating reports, primarily sourced from The Hacker News (https://thehackernews.com/2026/04/unc6692-impersonates-it-helpdesk-via.html), alongside industry threat intelligence updates and Microsoft security advisories released in early 2026.

Sources used for this article

The Hacker News
