New Threat Group Exploits Microsoft Teams for Credential Theft and System Compromise
A previously unknown cybercrime group tracked as UNC6692 is combining social engineering with custom malware to compromise organizational systems through Microsoft Teams impersonation attacks.

A sophisticated cybercrime campaign targeting organizations through Microsoft Teams impersonation has been identified by Google's Threat Intelligence Group (GTIG). The previously unknown threat group, tracked as UNC6692, combines traditional social engineering tactics with custom malware to establish persistent access to victim systems while harvesting credentials.
Attack Methodology
The campaign, which began with a "large email campaign" in late December 2025, employs a multi-stage approach to compromise victims:
Initial Email Flood: Attackers bomb target mailboxes with high volumes of email, manufacturing a problem that employees will want fixed.
Helpdesk Impersonation: While the flood is under way, the attackers pose as helpdesk personnel and contact the victim via Microsoft Teams, offering to resolve the email volume issue.
Phishing for Credentials: The fake helpdesk worker directs the victim to a "Mailbox Repair Utility" landing page and asks them to sign in with their email credentials.
Credential Harvesting: The phishing page uses a "double-entry" trick: it rejects the first two password attempts as incorrect, which looks like a real login flow and leads the victim to retype carefully, so the attackers capture a confirmed, correctly typed password.
Malware Deployment: With credentials in hand, the attackers deploy the custom malware ecosystem tracked as "Snow" on the victim's machine.
The Snow Malware Ecosystem
The Snow malware operates as a modular system with three primary components:
SnowBelt
A JavaScript backdoor delivered as a Chromium browser extension, installed under innocuous names such as "MS Heartbeat" or "System Heartbeat". It gives the attackers their initial foothold and persists because the browser reloads every registered extension on start; the extension registration itself is the persistence mechanism.
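As an added example, not code from the page or from GTIG, the following Python script hunts for extensions like the one described above in a Chromium profile. It walks the profile's Extensions directory, reads each manifest.json, and flags entries whose display name matches the lure names in the report or which combine a background script with broad host permissions while not being on a local allowlist. It also reads the profile's Preferences file for extension entries registered with an absolute path, which is how a side-loaded ("Load unpacked") extension appears there rather than under Extensions/. The lure names come from the report; the allowlist ID, the scoring rules, and the constructed sample profile are assumptions.

```python
"""Hunt for SnowBelt-style extensions in a Chromium profile (added example, not GTIG code)."""
from __future__ import annotations
import json
import os
import re
import tempfile
from dataclasses import dataclass, field

# Extension display names reported for SnowBelt ("MS Heartbeat", "System Heartbeat").
LURE_NAME_RE = re.compile(r"\b(?:ms|system)\s+heartbeat\b", re.IGNORECASE)

# Hypothetical allowlist of approved extension IDs; populate from your extension policy.
ALLOWED_IDS = {"ghbmnnjooekpmoecnnnilnnbdlolhkhi"}  # assumed: Google Docs Offline

# Host patterns that let an extension read and modify every page.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


@dataclass
class Finding:
    ext_id: str
    name: str
    reasons: list = field(default_factory=list)


def assess_manifest(ext_id: str, manifest: dict) -> Finding | None:
    """Score one manifest.json; return a Finding when something warrants a look."""
    name = str(manifest.get("name", ""))  # may be a __MSG_*__ key for localised names
    reasons = []
    if LURE_NAME_RE.search(name):
        reasons.append("name matches reported SnowBelt lure")
    # MV2 lists hosts under "permissions"; MV3 under "host_permissions".
    hosts = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    if "background" in manifest and hosts & BROAD_HOSTS and ext_id not in ALLOWED_IDS:
        reasons.append("background script with broad host access, not allowlisted")
    return Finding(ext_id, name, reasons) if reasons else None


def scan_extensions_dir(root: str) -> list[Finding]:
    """Walk <profile>/Extensions/<id>/<version>/manifest.json for installed extensions."""
    findings = []
    for ext_id in sorted(os.listdir(root)):
        ext_dir = os.path.join(root, ext_id)
        if not os.path.isdir(ext_dir):
            continue
        for version in sorted(os.listdir(ext_dir)):
            path = os.path.join(ext_dir, version, "manifest.json")
            try:
                with open(path, encoding="utf-8") as fh:
                    manifest = json.load(fh)
            except (OSError, ValueError):
                continue
            finding = assess_manifest(ext_id, manifest)
            if finding:
                findings.append(finding)
    return findings


def unpacked_from_preferences(prefs: dict) -> list[str]:
    """IDs registered with an absolute path: side-loaded extensions live wherever the
    attacker dropped them, so a directory scan of Extensions/ alone would miss them."""
    settings = prefs.get("extensions", {}).get("settings", {})
    return sorted(i for i, s in settings.items() if os.path.isabs(str(s.get("path", ""))))


def build_sample_profile() -> str:
    """Constructed sample profile: one lure, one allowlisted broad extension, one benign."""
    profile = tempfile.mkdtemp(prefix="chromium-profile-")
    ext_root = os.path.join(profile, "Extensions")
    samples = {
        "abcdefghijklmnopabcdefghijklmnop": {"name": "MS Heartbeat", "manifest_version": 3,
            "background": {"service_worker": "bg.js"}, "host_permissions": ["<all_urls>"]},
        "ghbmnnjooekpmoecnnnilnnbdlolhkhi": {"name": "Google Docs Offline", "manifest_version": 3,
            "background": {"service_worker": "bg.js"}, "host_permissions": ["<all_urls>"]},
        "benignbenignbenignbenignbenignbe": {"name": "Tab Counter", "manifest_version": 3,
            "action": {"default_popup": "popup.html"}},
    }
    for ext_id, manifest in samples.items():
        d = os.path.join(ext_root, ext_id, "1.0.0_0")
        os.makedirs(d)
        with open(os.path.join(d, "manifest.json"), "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)
    prefs = {"extensions": {"settings": {
        "abcdefghijklmnopabcdefghijklmnop": {"path": "abcdefghijklmnopabcdefghijklmnop/1.0.0_0"},
        "unpackedunpackedunpackedunpacked": {"path": os.path.join(profile, "..", "heartbeat")},
    }}}
    with open(os.path.join(profile, "Preferences"), "w", encoding="utf-8") as fh:
        json.dump(prefs, fh)
    return profile


def run_hunt(profile: str) -> tuple[list[Finding], list[str]]:
    findings = scan_extensions_dir(os.path.join(profile, "Extensions"))
    with open(os.path.join(profile, "Preferences"), encoding="utf-8") as fh:
        unpacked = unpacked_from_preferences(json.load(fh))
    return findings, unpacked


if __name__ == "__main__":
    found, side_loaded = run_hunt(build_sample_profile())
    for f in found:
        print(f"{f.ext_id} {f.name!r}: {'; '.join(f.reasons)}")
    print("unpacked extension ids:", side_loaded)
```

On a real Windows host, point run_hunt at %LOCALAPPDATA%\Google\Chrome\User Data\Default (or the Edge equivalent under Microsoft\Edge\User Data); profiles other than Default live beside it. Chrome may store the registration in Secure Preferences rather than Preferences, so check both files, and treat a name match as a lead rather than proof, since the attackers can rename the extension at will.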
SnowGlaze
A Python tunneler that runs on both Windows and Linux and handles external communication. It opens authenticated WebSocket tunnels between the victim's internal network and the attackers' command-and-control infrastructure, hosted on Heroku subdomains. Payloads are wrapped in JSON objects and Base64-encoded before transfer over the WebSocket. Base64 is encoding, not encryption; the disguise lies in the session resembling the ordinary long-lived WebSocket connections that browsers and web applications open to cloud-hosted services.
SnowBasin
A Python bindshell providing interactive control over infected systems. It runs as a local HTTP server, listening on port 8000 by default, and serves remote command execution, screenshot capture and staging of data for exfiltration. As a listener rather than an outbound beacon, it depends on a tunnel such as SnowGlaze to bring the operator's requests to it.
Compliance Implications
This attack vector presents significant compliance challenges for organizations subject to various data protection regulations:
- GDPR: Organizations may face penalties for inadequate protection of personal data
- HIPAA: Healthcare organizations must ensure Protected Health Information (PHI) remains secure
- PCI DSS: Companies processing credit card transactions must maintain secure environments
- CCPA/CPRA: California privacy regulations require appropriate safeguards for consumer data
The attack demonstrates how threat actors increasingly abuse legitimate communication platforms like Microsoft Teams, bypassing traditional security controls while leveraging trusted services to establish credibility.
Defensive Measures and Compliance Timeline
Organizations should implement the following protective measures:
Immediate Actions (Within 7 days)
- User Training: Conduct targeted training on recognizing Teams-based impersonation attempts
- Multi-Factor Authentication (MFA): Enforce MFA across all Microsoft 365 services, preferring phishing-resistant methods (FIDO2 security keys or passkeys), so that a password harvested by the "Mailbox Repair Utility" page cannot be used on its own
- Email Filtering: Implement advanced email filtering to detect and block suspicious communications
Short-term Implementation (Within 30 days)
- Teams Security Policies: Restrict external (federated) access and guest access in Microsoft Teams so that users outside approved domains cannot start chats with staff; the helpdesk lure in this campaign arrives over Teams
- Browser Extension Controls: Enforce an extension allowlist through browser management policy so that only approved extension IDs can be installed; an allowlist denies any extension not explicitly approved, which covers SnowBelt's delivery as a Chromium extension
- Network Segmentation: Segment networks to limit lateral movement potential
Medium-term Enhancements (Within 90 days)
- Endpoint Detection and Response (EDR): Deploy EDR solutions capable of detecting and responding to the Snow malware components
- WebSocket Monitoring: Implement monitoring for unusual WebSocket traffic patterns, in particular long-lived sessions from non-browser clients to PaaS hosts such as Heroku subdomains
- Regular Security Assessments: Conduct quarterly security assessments focusing on social engineering vulnerabilities
Long-term Strategy (Ongoing)
- Zero Trust Architecture: Implement zero trust principles requiring continuous verification of all users and devices
- Threat Hunting Programs: Establish proactive threat hunting capabilities focused on lateral movement and persistence techniques
- Incident Response Planning: Update incident response plans specifically addressing Teams-based compromise scenarios
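The SnowGlaze and SnowBasin descriptions above, together with the WebSocket Monitoring and Threat Hunting items in this list, suggest two concrete checks. The following Python is an added example, not code from the page or from GTIG, that runs them over constructed sample data: a key=value proxy log in an invented format (not any product's) in which WebSocket sessions are scored on whether they go to a PaaS host such as a Heroku subdomain, use a non-browser user agent, or run for a long time; and a Windows netstat -ano style listing joined to a PID-to-image map to find an interpreter process listening on port 8000. The scoring threshold, the PaaS suffix list, and the image names are assumptions to tune locally.

```python
"""Flag SnowGlaze-style WebSocket tunnels and SnowBasin-style listeners (added example)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# The report names Heroku subdomains as C2 hosting; any further suffixes are assumptions.
PAAS_SUFFIXES = (".herokuapp.com",)
BROWSER_UA_RE = re.compile(r"^Mozilla/")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Windows `netstat -ano` listening rows: proto, local addr:port, foreign addr, state, pid.
NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
# Interpreters an EDR would not expect to see serving HTTP on a workstation (assumption).
SUSPECT_IMAGES = {"python.exe", "pythonw.exe", "python3"}

# Constructed sample proxy log (invented key=value format, not a real product's output).
PROXY_LOG = """\
ts=2025-12-30T09:41:07Z src=10.20.3.44 host=teams.microsoft.com status=200 upgrade=- ua="Mozilla/5.0 (Windows NT 10.0) Chrome/120.0" secs=1 bytes=5120
ts=2025-12-30T09:42:30Z src=10.20.3.44 host=quiet-meadow-48213.herokuapp.com status=101 upgrade=websocket ua="Python/3.11 websockets/12.0" secs=7210 bytes=9440221
ts=2025-12-30T09:50:11Z src=10.20.7.9 host=app.slack.com status=101 upgrade=websocket ua="Mozilla/5.0 (Windows NT 10.0) Chrome/120.0" secs=3600 bytes=120000
"""

# Constructed sample `netstat -ano` output and a PID-to-image map (as `tasklist` would give).
NETSTAT = """\
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    127.0.0.1:8000         0.0.0.0:0              LISTENING       4412
  TCP    127.0.0.1:3000         0.0.0.0:0              LISTENING       5120
"""
PID_IMAGE = {4: "System", 4412: "python.exe", 5120: "node.exe"}


@dataclass
class TunnelAlert:
    src: str
    host: str
    secs: int
    bytes: int
    reasons: list


@dataclass
class Listener:
    addr: str
    port: int
    pid: int
    image: str
    interpreter: bool  # True when the image is one of SUSPECT_IMAGES


def parse_kv_line(line: str) -> dict:
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def find_websocket_tunnels(log_text: str, min_secs: int = 600, min_reasons: int = 2) -> list[TunnelAlert]:
    """Score WebSocket sessions; requiring two indicators lets ordinary browser
    WebSockets (Teams, Slack) pass while a Python client to a Heroku host is flagged."""
    alerts = []
    for line in log_text.splitlines():
        f = parse_kv_line(line)
        if f.get("upgrade") != "websocket":
            continue
        host, secs = f.get("host", ""), int(f.get("secs", 0))
        reasons = []
        if host.endswith(PAAS_SUFFIXES):
            reasons.append("websocket to PaaS-hosted endpoint")
        if not BROWSER_UA_RE.match(f.get("ua", "")):
            reasons.append("non-browser client user agent")
        if secs >= min_secs:
            reasons.append(f"long-lived session ({secs}s)")
        if len(reasons) >= min_reasons:
            alerts.append(TunnelAlert(f.get("src", ""), host, secs, int(f.get("bytes", 0)), reasons))
    return alerts


def find_local_listeners(netstat_text: str, pid_to_image: dict, ports=(8000,)) -> list[Listener]:
    """Return every listener on the watched ports, marking interpreter-hosted ones."""
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        addr, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
        if port in ports:
            image = pid_to_image.get(pid, "?")
            hits.append(Listener(addr, port, pid, image, image.lower() in SUSPECT_IMAGES))
    return hits


if __name__ == "__main__":
    for a in find_websocket_tunnels(PROXY_LOG):
        print(f"tunnel? {a.src} -> {a.host}: {'; '.join(a.reasons)}")
    for l in find_local_listeners(NETSTAT, PID_IMAGE):
        print(f"listener {l.addr}:{l.port} pid={l.pid} image={l.image} interpreter={l.interpreter}")
```

Neither signal is conclusive alone: Heroku hosts plenty of legitimate applications and port 8000 is a common development-server port, so correlate a long-lived non-browser WebSocket from a host with an interpreter-hosted listener on that same host before escalating.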
Regulatory Context
This attack campaign follows similar warnings from Microsoft about criminals abusing Teams communications and helpdesk impersonation. While Google's analysis indicates no direct connection between these campaigns, they collectively demonstrate an evolving threat landscape where attackers exploit trusted communication platforms.
Organizations must recognize that compliance with data protection regulations now requires not just traditional perimeter defenses, but also sophisticated protection against social engineering attacks that leverage legitimate services.
For additional technical details about the Snow malware ecosystem, organizations can review Google's Threat Intelligence Group analysis at Google's Security Blog. Microsoft has also published guidance on securing Teams environments at Microsoft Security Documentation.
