Microsoft Teams Under Siege: UNC6692’s SNOW Malware Blizzard – How Fake Helpdesk Calls Are Bypassing Your Entire Security Stack + Video

Listen to this Post

Featured Image

Introduction

The modern cyber kill chain has evolved far beyond the traditional email phishing lure. Threat actors are now weaponizing the very collaboration tools that enterprises trust most—Microsoft Teams—to execute sophisticated social engineering campaigns that bypass conventional email security perimeters entirely. In a newly discovered campaign by the threat group UNC6692, attackers combine email bombing with fake IT helpdesk impersonation over Microsoft Teams to deliver a custom modular malware suite called “SNOW,” ultimately leading to full domain takeover and credential theft. This attack represents a paradigm shift in initial access tactics, exploiting human trust in enterprise platforms rather than software vulnerabilities.

Learning Objectives

  • Understand the multi-stage attack chain employed by UNC6692, from email bombing to Microsoft Teams impersonation and SNOW malware deployment.
  • Identify the three core components of the SNOW malware ecosystem—SnowBelt, SnowGlaze, and SnowBasin—and their respective functions in post-exploitation.
  • Learn practical detection and mitigation strategies, including Microsoft Teams external access controls, endpoint monitoring, and specific command-line audit techniques.
  • Gain hands-on knowledge of forensic commands and YARA rules to detect SNOW malware artifacts across Windows and Linux environments.
  • Develop an incident response playbook for collaboration platform-based social engineering attacks.
  1. The UNC6692 Attack Chain: From Inbox Flood to Domain Takeover

UNC6692’s campaign is a masterclass in psychological manipulation and technical execution. The attack unfolds in a carefully orchestrated sequence designed to manufacture urgency and trust simultaneously.

Step 1: Email Bombing – Creating the Crisis

The attacker initiates a large-scale email campaign targeting a specific user within an organization, flooding their inbox with hundreds or thousands of spam messages. This tactic serves two purposes: it overwhelms the victim with noise, creating a genuine sense of operational crisis, and it sets the stage for the subsequent helpdesk outreach.

Step 2: Microsoft Teams Impersonation – The “Rescue”

While the victim is still reeling from the email deluge, the attacker sends a Microsoft Teams chat invitation from an external account impersonating an internal IT helpdesk agent. The message references the email disruption and offers immediate assistance. Many users, conditioned to trust internal IT support, accept these external chat invitations without suspicion.

Step 3: The Fake Patch – Delivering the Payload
The fake helpdesk agent directs the victim to click a link that supposedly installs a “local patch” to block the spam emails. In reality, the link opens an HTML page hosted on an attacker-controlled AWS S3 bucket that masquerades as a “Mailbox Repair and Sync Utility v2.1.5”. The page features a “Health Check” button that triggers a credential-harvesting prompt.

Key Technical Detail: The phishing page employs a “double-entry” psychological trick—it auto-rejects the first and second password attempts as incorrect. This reinforces the user’s belief that the system is legitimate and ensures the attacker captures the password twice, reducing the risk of typos.

Step 4: AutoHotkey Execution – The Silent Installer

Once the victim submits credentials, the page downloads a renamed AutoHotkey binary and an accompanying AutoHotkey script from the S3 bucket. Because the binary and script share the same name, AutoHotkey automatically executes the script without additional command-line arguments. This script immediately performs initial reconnaissance and installs the SNOWBELT malicious browser extension.

Step 5: Post-Exploitation – Lateral Movement and Domain Compromise
With SNOWBELT installed, the attacker gains persistent access. The malware downloads additional components—SnowGlaze (a tunneler), SnowBasin (a Python backdoor), and a portable Python environment—from the C2 infrastructure. The attacker then performs internal reconnaissance, scanning for SMB (port 445) and RDP (port 3389) services, dumps LSASS memory for credential extraction, and uses pass-the-hash techniques to move laterally. The final stage involves deploying FTK Imager to extract the Active Directory database along with SYSTEM, SAM, and SECURITY registry hives, which are exfiltrated using LimeWire.

Detection Commands – Windows:

To detect suspicious AutoHotkey execution and headless browser instances, run the following PowerShell commands:

 Check for AutoHotkey processes
Get-Process | Where-Object { $_.ProcessName -like "autohotkey" }

Check for headless Edge instances with suspicious command lines
Get-WmiObject Win32_Process | Where-Object { $<em>.CommandLine -like "headless" -and $</em>.CommandLine -like "msedge.exe" } | Select-Object CommandLine

Check scheduled tasks for headless Edge or AutoHotkey
Get-ScheduledTask | Where-Object { $<em>.TaskPath -like "SysEvents" -or $</em>.Actions -like "msedge.exe" }

Check Windows Startup folder for suspicious shortcuts
Get-ChildItem "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp" -Recurse
Get-ChildItem "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" -Recurse

2. SNOW Malware Deep Dive: The Modular Ecosystem

SNOW is not a single piece of malware but a layered, modular toolkit designed for stealth, persistence, and deep network compromise. It consists of three primary components:

SnowBelt – The Browser-Based Backdoor

SnowBelt is a malicious Chromium browser extension delivered outside the Chrome Web Store. It disguises itself as “MS Heartbeat” or “System Heartbeat” and serves as the primary persistence mechanism. The extension is loaded by launching Microsoft Edge in headless mode with a command-line argument that bypasses normal extension installation checks.

Persistence Mechanisms:

  • A shortcut is added to the Windows Startup folder that verifies SnowBelt is running and restarts it if necessary.
  • Scheduled tasks are created to launch a windowless Microsoft Edge process that loads the malicious extension.

SnowGlaze – The Tunneling Proxy

SnowGlaze is a Python-based tunneler that runs on both Windows and Linux environments. It establishes an authenticated WebSocket tunnel between the victim’s internal network and the attacker’s C2 infrastructure (often hosted on platforms like Heroku). It disguises malicious traffic by wrapping data in JSON objects and Base64 encoding it, making it appear as legitimate encrypted web traffic. SnowGlaze also facilitates SOCKS proxy operations, allowing arbitrary TCP traffic to be routed through the infected host.

SnowBasin – The Python Backdoor

SnowBasin is a Python bindshell that provides interactive control over the infected system. It operates as a local HTTP server, typically listening on port 8000, and executes attacker-supplied CMD or PowerShell commands, returning results through the SnowGlaze tunnel. Supported operations include remote shell access, data exfiltration, file download, screenshot capture, and basic file management.

Detection Commands – Linux and Network:

 Check for Python processes on unusual ports (SnowBasin typically uses port 8000)
sudo netstat -tulpn | grep 8000
sudo ss -tulpn | grep 8000

Check for WebSocket connections to suspicious domains
sudo tcpdump -i any -1 'port 80 or port 443' -v | grep -i "websocket"

Check for AutoHotkey or suspicious Python scripts in /tmp or /dev/shm
find /tmp -1ame ".ahk" -o -1ame ".py" 2>/dev/null
find /dev/shm -1ame ".ahk" -o -1ame ".py" 2>/dev/null

Check for unusual cron jobs or systemd timers
crontab -l
systemctl list-timers --all
  1. The AWS S3 Abuse: Legitimate Cloud Services as Attack Vectors

A notable aspect of the UNC6692 campaign is the abuse of legitimate cloud infrastructure. The attackers host their phishing pages, AutoHotkey payloads, and credential-harvesting scripts on attacker-controlled AWS S3 buckets.

Attackers Used:

  • `https://service-page-25144-30466-outlook.s3.us-west-2.amazonaws.com/update.html` for the initial phishing page
  • S3 buckets to stage and deliver the AutoHotkey binary and script
  • Credential data exfiltrated to attacker-controlled S3 buckets

This technique bypasses traditional URL reputation and domain-based filtering because the content is hosted on a legitimate, trusted cloud platform. Network monitoring must focus on behavioral anomalies rather than simple domain blacklisting.

Network Detection Commands:

 PowerShell: Check for suspicious outbound connections to AWS S3
Get-1etTCPConnection | Where-Object { $<em>.RemotePort -eq 443 -and $</em>.State -eq "Established" } | ForEach-Object {
$remoteIP = $<em>.RemoteAddress
try {
$reverseDNS = [System.Net.Dns]::GetHostEntry($remoteIP).HostName
if ($reverseDNS -like ".s3.amazonaws.com" -or $reverseDNS -like ".s3..amazonaws.com") {
Write-Host "Suspicious S3 connection from PID $($</em>.OwningProcess): $reverseDNS"
}
} catch {}
}

4. Credential Harvesting and the Double-Entry Trick

The credential-harvesting mechanism used by UNC6692 is particularly insidious. The fake “Mailbox Repair Utility” page presents a login prompt that:

1. Rejects the first password attempt as “incorrect”

2. Rejects the second attempt

  1. Accepts the third attempt, performing a fake mailbox integrity check

This psychological trick serves multiple purposes:

  • It reinforces the user’s belief that the system is legitimate.
  • It performs “real-time validation” to maintain engagement.
  • It ensures the attacker captures the password twice, significantly reducing the risk of typos in stolen credentials.

By the time the user receives a “Configuration completed successfully” message, the attacker has already secured the credentials and potentially established a persistent foothold.

Incident Response Checklist for Credential Theft:

  1. Immediately reset the compromised user’s password and enforce MFA re-enrollment.
  2. Revoke all active sessions and tokens for the affected account.
  3. Review Azure AD/Active Directory sign-in logs for unusual geographic or device-based activity.
  4. Check for any new administrative accounts or group memberships created during the compromise window.
  5. Audit OAuth applications and service principals for unauthorized consent grants.

5. Lateral Movement and Domain Takeover Techniques

Once inside the network, UNC6692 demonstrates a methodical approach to lateral movement and privilege escalation:

  1. Internal Reconnaissance: The attacker uses Python scripts to scan the local network for ports 135, 445, and 3389 and enumerate local administrator accounts.
  2. Credential Dumping: LSASS memory is dumped to extract credential material.
  3. Pass-the-Hash: The attacker uses pass-the-hash techniques to authenticate to additional hosts.
  4. Domain Controller Compromise: The attacker deploys FTK Imager to extract the Active Directory database (NTDS.dit) along with SYSTEM, SAM, and SECURITY registry hives.
  5. Data Exfiltration: Extracted files are exfiltrated using LimeWire.

Forensic Commands – Post-Incident Analysis:

 PowerShell: Check for LSASS dump artifacts
Get-ChildItem C:\Windows\Temp -Recurse -Filter ".dmp" | Where-Object { $<em>.Length -gt 100MB }
Get-ChildItem C:\Users -Recurse -Filter ".dmp" | Where-Object { $</em>.Length -gt 100MB }

Check for FTK Imager execution
Get-WinEvent -LogName Security | Where-Object { $_.Message -like "FTK Imager" }

Check for suspicious scheduled tasks
Get-ScheduledTask | Where-Object { $<em>.TaskName -like "sys" -or $</em>.TaskName -like "update" }

Check for RDP connections from unusual source IPs
Get-WinEvent -LogName Security | Where-Object { $<em>.Id -eq 4625 -or $</em>.Id -eq 4624 } | Select-Object TimeCreated, Message

6. Microsoft Teams Hardening: Blocking the Entry Point

The most critical mitigation strategy for this attack vector is restricting Microsoft Teams external access. UNC6692’s success depends entirely on the ability to send chat invitations from external accounts.

Step-by-Step Teams Hardening:

1. Disable External Teams Access (Recommended):

  • Navigate to Microsoft Teams Admin Center → External Access.
  • Set “Teams and Skype for Business users in external organizations” to “Block all external domains.”
  • Alternatively, create an allowlist of trusted partner domains.

2. Restrict External Chat Invitations:

  • In the Teams admin center, go to Messaging policies.
  • Disable “Chat with external users” for all non-executive users.

3. Enable Teams Security Defaults:

  • In Azure AD, enable security defaults to enforce MFA and block legacy authentication.

4. User Awareness Training:

  • Educate users that legitimate IT helpdesk will never initiate unsolicited contact via Teams chat.
  • Establish a clear, verified channel for reporting suspicious IT outreach.

5. Monitor Teams Activity Logs:

  • Use Microsoft 365 Defender or third-party SIEM to monitor for external Teams chat invitations.
  • Alert on any external user sending chat messages containing URLs or file attachments.

Azure AD / Microsoft 365 PowerShell Commands:

 Connect to Microsoft Teams PowerShell
Connect-MicrosoftTeams

Get current external access settings
Get-CsTenantFederationConfiguration

Block all external domains
Set-CsTenantFederationConfiguration -AllowFederatedUsers $false

Set external access policy
Set-CsExternalAccessPolicy -Identity Global -EnableFederatedAccess $false

Review Teams audit logs for external messages
Search-UnifiedAuditLog -Operations "TeamChatMessage" -StartDate (Get-Date).AddDays(-30) | Where-Object { $_.AuditData -like "External" }
  1. Endpoint Detection and YARA Rules for SNOW Malware

Detecting SNOW malware requires a combination of endpoint monitoring, behavioral analysis, and signature-based detection.

Key Detection Indicators:

  • Browser Extensions: Unauthorized Chrome/Edge extensions named “MS Heartbeat” or “System Heartbeat”.
  • Headless Browser Execution: Microsoft Edge or Chrome launched with `–headless=new` and `–load-extension` flags.
  • Scheduled Tasks: Tasks named with “SysEvents” or similar that launch headless browsers.
  • AutoHotkey Scripts: Unexpected AutoHotkey processes or `.ahk` files in temp directories.
  • Python Processes: Python running on port 8000 or establishing WebSocket connections.

YARA Rule for SnowBelt Detection:

rule SnowBelt_Extension_Detection {
meta:
description = "Detects SnowBelt malicious Chrome extension artifacts"
author = "Threat Intelligence Team"
date = "2026-07-10"
reference = "UNC6692"
strings:
$ext_id = "SnowBelt" nocase
$ms_heartbeat = "MS Heartbeat" nocase
$system_heartbeat = "System Heartbeat" nocase
$manifest = "manifest.json"
$background = "background.js"
condition:
($ext_id or $ms_heartbeat or $system_heartbeat) and ($manifest or $background)
}

SIEM Query (Splunk/Elastic) for Headless Browser Detection:

index=windows EventCode=4688
| where CommandLine contains "msedge.exe" AND CommandLine contains "--headless" AND CommandLine contains "--load-extension"
| table _time, User, CommandLine, ProcessId, ParentProcessName

What Undercode Say:

  • Key Takeaway 1: The UNC6692 campaign proves that social engineering via enterprise collaboration platforms is the new frontier of initial access. Attackers no longer need to exploit zero-day vulnerabilities—they simply need to exploit human psychology and trust in familiar tools.
  • Key Takeaway 2: The SNOW malware ecosystem represents a shift toward modular, multi-platform toolkits that leverage legitimate services (AWS S3, Heroku) and protocols (WebSocket) to evade detection. Traditional perimeter defenses are largely ineffective against this attack chain.
  • Analysis: The attack is financially motivated, with the group focusing on credential theft and domain takeover for resale or extortion purposes. The use of AutoHotkey and headless browsers demonstrates a preference for living-off-the-land (LotL) techniques that minimize the attack surface and reduce the likelihood of detection by traditional antivirus solutions. Organizations must adopt a zero-trust approach to collaboration platforms, treating every external interaction as potentially hostile. The most effective defense remains user education combined with strict technical controls—disabling external Teams access by default and monitoring for anomalous browser and scripting behavior.

Prediction:

  • -1 (Negative): The success of the UNC6692 campaign will inspire a wave of copycat attacks targeting other collaboration platforms (Slack, Zoom, Google Chat) with similar social engineering playbooks. Expect to see this TTP adopted by ransomware affiliates and initial access brokers within the next 3–6 months.
  • -1 (Negative): The abuse of legitimate cloud infrastructure (AWS S3, Heroku) will become increasingly difficult to detect as attackers continue to blend malicious activity with normal traffic patterns. Traditional IP and domain reputation systems will become obsolete for this class of attack.
  • +1 (Positive): Microsoft will likely accelerate the rollout of enhanced external messaging controls and default restrictions for Teams, similar to how Exchange Online tightened external email policies after major business email compromise campaigns. This will raise the baseline security posture for all tenants.
  • -1 (Negative): The “double-entry” credential harvesting technique demonstrates that attackers are investing in user experience design to improve the success rate of their phishing campaigns. This trend toward sophisticated, multi-stage psychological manipulation will make it harder for even security-aware users to distinguish legitimate from malicious interactions.
  • +1 (Positive): The detailed public disclosure of UNC6692’s TTPs by Mandiant and Google Threat Intelligence Group will enable security vendors to develop detection signatures and behavioral rules more rapidly, potentially shortening the window of opportunity for these attacks.

▶️ Related Video (70% Match):

🎯Let’s Practice For Free:

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]
💎 Smart Architecture | 🛡️ Secure by Design | ⭐ Trusted by Thousands

IT/Security Reporter URL:

Reported By: Varshu25 Fake – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky