Intelligence | Severity: high | Type: Malware | Status: Active

UNC6692 deploys Snow malware via Microsoft Teams social engineering, signalling expansion of platform-based attack delivery

Threat actor UNC6692 is using Microsoft Teams to socially engineer targets into executing a custom malware suite called Snow, which comprises a browser extension, a tunneller and a backdoor. This represents a shift toward trusted communication platforms as malware delivery vectors, complicating detection and increasing organisational risk.

Sebastion

Affected

Microsoft Teams, Microsoft 365 users

UNC6692 has demonstrated operational sophistication by pivoting away from traditional email-based malware delivery toward Microsoft Teams, a platform designed for intra-organisational trust. The Snow malware suite comprises three distinct components: a browser extension for credential interception and session hijacking, a tunneller for command-and-control communication masquerading as legitimate Teams traffic, and a fully featured backdoor for persistent system access. This modular architecture suggests the group has invested in development and testing rather than deploying readily available tooling.

The attack chain relies on social engineering rather than exploit code, which is operationally sound for UNC6692. Teams messages bypass many perimeter security controls designed to scrutinise email attachments and URLs. The platform's legitimacy in enterprise environments creates cognitive bias within targets, who are conditioned to trust messages from colleagues and partners. Additionally, Teams' integrated file preview and link rendering reduce friction in the infection workflow.

Organisations relying on email security controls, browser isolation, or traditional endpoint detection and response are unlikely to catch this attack pattern effectively. The browser extension component is particularly concerning because it operates within the browser's security context rather than at the system level, evading many host-based detection mechanisms. The tunneller component suggests command-and-control communications will appear as normal Teams traffic to network monitoring tools.

Defenders should implement application-layer controls within Teams, including disabling external file sharing where organisationally acceptable, enforcing browser extension policies via group policy or MDM solutions, and monitoring Teams application logs for suspicious file downloads or link clicks. Endpoint detection should focus on browser extension loading artefacts and suspicious tunnelling traffic patterns. Security awareness training must specifically address the trust asymmetry created by platform legitimacy.
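As an added illustration of the browser extension check recommended above (example code written for this brief, not UNC6692 tooling or any vendor's product), the following Python script audits a Chromium-family Extensions folder against an allowlist and flags extensions requesting permissions suited to credential or session theft. The profile layout and Windows paths are real Chrome/Edge conventions; the sample profile, extension IDs, names and allowlist are constructed.

```python
import json
import tempfile
from pathlib import Path

# Permissions that let an extension read cookies, intercept requests or inject into every site.
HIGH_RISK = {"cookies", "webRequest", "webRequestBlocking", "<all_urls>", "debugger", "proxy"}

# Layout: <profile>/Extensions/<32-char id>/<version>/manifest.json; the Windows default profile is
# %LOCALAPPDATA%\Google\Chrome\User Data\Default (Chrome) or %LOCALAPPDATA%\Microsoft\Edge\User Data\Default (Edge).
def load_manifests(extensions_dir):
    """Yield (extension_id, version, manifest) for every installed version."""
    for ext_dir in sorted(p for p in Path(extensions_dir).iterdir() if p.is_dir()):
        for ver_dir in sorted(p for p in ext_dir.iterdir() if p.is_dir()):
            try:
                yield ext_dir.name, ver_dir.name, json.loads((ver_dir / "manifest.json").read_text("utf-8"))
            except (OSError, json.JSONDecodeError):
                continue  # missing/unreadable manifest; a real audit should log this

def risky_permissions(manifest):
    """High-risk entries across permissions, optional_permissions and host_permissions."""
    perms = {p for key in ("permissions", "optional_permissions", "host_permissions")
             for p in manifest.get(key, [])}
    return sorted(perms & HIGH_RISK)

def audit(extensions_dir, allowlist):
    """Flag extensions not on the allowlist or requesting high-risk permissions."""
    findings = []
    for ext_id, version, manifest in load_manifests(extensions_dir):
        reasons = ["not on allowlist"] if ext_id not in allowlist else []
        if risky := risky_permissions(manifest):
            reasons.append("high-risk permissions: " + ", ".join(risky))
        if reasons:
            findings.append({"id": ext_id, "version": version,
                             "name": manifest.get("name", "?"), "reasons": reasons})
    return findings

# Constructed sample profile: hypothetical IDs and names, not real extensions.
SAMPLE = {"a" * 32: {"name": "Approved Password Manager", "version": "2.1.0",
                     "permissions": ["storage"]},
          "b" * 32: {"name": "Teams Meeting Helper", "version": "1.0.3",
                     "permissions": ["cookies", "webRequest", "storage"],
                     "host_permissions": ["<all_urls>"]}}

def demo():
    """Write SAMPLE as a Chromium-style Extensions tree in a temp dir and audit it."""
    base = Path(tempfile.mkdtemp()) / "Extensions"
    for ext_id, manifest in SAMPLE.items():
        ver_dir = base / ext_id / (manifest["version"] + "_0")
        ver_dir.mkdir(parents=True)
        (ver_dir / "manifest.json").write_text(json.dumps(manifest), "utf-8")
    return audit(base, {"a" * 32})
```

Pointing `audit()` at a real profile's Extensions folder, with the allowlist taken from the organisation's extension policy, gives a per-host list to reconcile against the policy MDM or group policy is meant to enforce.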

This campaign reflects a broader trend of threat actors adopting widely deployed, trusted platforms as attack vectors. As email security matures, the attack surface is migrating to Slack, Discord, Teams and similar services where organisational defences remain nascent. UNC6692's success here will likely inspire similar campaigns from competing groups.