Hackers Hijack Microsoft Teams to Pose as IT Helpdesk and Penetrate Whole Companies!

Your Microsoft Teams IT Chat Is a Trap: How UNC6692 Is Dropping SNOW Malware Under the Guise of “Help Desk” Support (And Why You’re Falling For It)

Picture this: you're mid-Q3 crunch, your Outlook is blowing up with so much spam you can't find your actual work emails, and suddenly a Microsoft Teams notification pings from a user labeled "IT Helpdesk Support – Ticket #882910." They say they've seen the inbox flood you've been complaining about, and they're here to remote in and fix it for you. You click "Accept" without thinking.

Game over. You just let UNC6692 into your org's network, and SNOW malware is about to start stealing every byte of data you have access to. ARE YOU KIDDING ME RIGHT NOW?

This isn't a hypothetical. It's not a drill. It's an active, widespread attack campaign already hitting orgs across the globe, reported by CyberSecurityNews, The Hacker News, theregister.com, BleepingComputer, and Techlicious. And the scariest part? It's stupidly easy to pull off, because it preys on the one thing you can't patch: human trust.

The UNC6692 Playbook: How Hackers Are Turning Microsoft Teams Into Their Personal Front Door

Let's start with the star of the show: UNC6692. If you're not familiar with the name, don't worry — you will be. Per The Hacker News, this is the tracked identifier for the threat actor (or crime crew, per The Register) leading this latest wave of attacks. And their playbook is so simple it's offensive.

Step 1: The Setup (AKA Why Your Inbox Is a Mess)

First, they flood your work inbox with spam. Not sophisticated phishing emails with perfect grammar and your CEO's signature — just a massive, annoying wave of junk that makes your actual work impossible to do. Techlicious first broke the news that this isn't an accident: hackers are flooding your inbox on purpose, specifically to make you desperate for help. It's the digital equivalent of a pickpocket spilling your coffee so you're distracted while they steal your wallet.

It works because most employees' first instinct when their inbox goes haywire is to reach out to IT support. Or worse, the hackers reach out to you first via Microsoft Teams, claiming they're from the help desk and they're here to fix the spam problem. CyberSecurityNews confirms that's exactly how they're leveraging Microsoft Teams to breach organizations: posing as IT helpdesk staff, unprompted, in a platform you already trust.

Step 2: The Trust Seduction

Think about it: when was the last time you questioned a chat from "IT Helpdesk"? Never, right? They have the right logo, the right name, the right urgent tone. They might even reference a fake ticket number to make it seem legit. You're already frustrated with your inbox, you're already behind on work, and here's someone offering to fix it all for you. You'd trust them too.

That's the genius of UNC6692's approach. They're not fighting through firewalls or exploiting zero-day vulnerabilities. They're walking right through the front door, wearing a uniform you've been trained to trust. The Register calls them a "crime crew" for a reason — this is organized, calculated, and designed to scale. They don't need to hack Microsoft's code. They're hacking your employees' brains.

SNOW Malware 101: What This “New” Threat Actually Does (Explained for Your Grandma)

We promised a technical breakdown even your grandma could follow, so let's strip away the cybersecurity jargon. No "lateral movement," no "persistence mechanisms," no "C2 callbacks." Just plain English.

First: malware is short for "malicious software." It's any code written to harm your computer, steal your info, or mess with your data. Viruses, ransomware, spyware — all malware, all bad news. The threat actor in this campaign, per BleepingComputer, is deploying a new "Snow" malware (yes, the quotes are part of the official name; hackers love cutesy weather-themed names for destructive code, don't ask us why). The Hacker News refers to the same payload as SNOW Malware, all caps, because apparently this crew thinks all-caps makes their malware sound more intimidating. It doesn't. It just makes it easier to spot in logs.

What does SNOW do? The Register spells it out in plain English: it's used to steal your data. That's it. No fancy ransom notes demanding Bitcoin, no crypto mining that slows your computer to a crawl, no deleting your entire hard drive. Just quiet, efficient data exfiltration. Once SNOW is on your device, it starts copying every file you have access to, every password you've saved, every internal document you've opened, and sending it back to UNC6692's servers.

How does it get on your device? They don't send a shady .exe attachment in an email — that's so 2015, and your email filter would catch it. They use Microsoft Teams, the chat platform your org pays Microsoft millions for every year, to trick you into installing it yourself. It's the digital equivalent of a thief dressed as a cable repairman knocking on your door, saying they need to come in to "check your signal," and you handing them your house keys. You wouldn't do that in real life. Why are you doing it on Teams?

And for the grandmas reading this: if someone you don't know sends you a chat on that work video call app your boss makes you use, asking to "fix your email," hang up immediately. Call your actual IT person using the phone number written on the sticky note on your desk. That's all you need to know. 🔥

The Inbox Flood Setup: Why Hackers Are Spamming You Before They “Help”

Let's drill down on the most diabolical part of this attack, first reported by Techlicious: hackers are flooding your inbox on purpose, then offering to help. This is what cybersecurity pros call a "pretexting" attack, but that's a fancy word for "lying to set up a scam."

Here's how it works step by step, no fancy jargon:

  1. Hackers send 10,000 spam emails to your org's employees. Most go to junk, but enough land in inboxes to make everyone miserable.
  2. Employees start complaining to each other, to their managers, to their actual IT teams about the spam flood.
  3. Within hours, Microsoft Teams chats start popping up from "IT Helpdesk" telling employees they're here to fix the spam problem.
  4. Employees, already frustrated and desperate, accept the chats, follow the "IT staff's" instructions, and install SNOW malware.

It's a self-fulfilling prophecy. The hackers create the problem, then sell you the solution. And because the solution comes through Microsoft Teams, a platform your org already trusts, you don't think twice. CyberSecurityNews confirms this is exactly how they're breaching orgs: posing as IT helpdesk staff who are "responding" to the spam flood they caused in the first place.
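One way a security team could hunt for the sequence in the steps above (an added example, not code from this article or the reporting it cites): correlate a per-mailbox burst of inbound mail with a later Teams chat from an external sender whose display name imitates a help desk. The event field names, thresholds, keyword list, and the domain corp.example are assumptions, and the sample data is constructed.

```python
import re
from datetime import datetime, timedelta
# Display names that imitate internal support (assumed keyword list; tune locally).
HELPDESK_NAME = re.compile(r"help\s*desk|service\s*desk|\bit\s+support\b", re.I)

def flood_times(mail_events, threshold, window):
    """Per recipient, times at which >= threshold mails arrived within window."""
    by_rcpt = {}
    for ev in sorted(mail_events, key=lambda e: e["time"]):
        by_rcpt.setdefault(ev["rcpt"], []).append(ev["time"])
    floods = {}
    for rcpt, times in by_rcpt.items():
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                floods.setdefault(rcpt, []).append(t)
    return floods

def suspicious_chats(mail_events, chat_events, home_domain, threshold=50,
                     window=timedelta(hours=1), followup=timedelta(hours=6)):
    """Flag external chats with a help-desk-like name; 'high' if after a flood."""
    floods = flood_times(mail_events, threshold, window)
    findings = []
    for chat in chat_events:
        external = not chat["sender"].lower().endswith("@" + home_domain)
        if not (external and HELPDESK_NAME.search(chat["display_name"])):
            continue
        after_flood = any(timedelta(0) <= chat["time"] - f <= followup
                          for f in floods.get(chat["rcpt"], []))
        findings.append({"rcpt": chat["rcpt"], "sender": chat["sender"],
                         "severity": "high" if after_flood else "medium"})
    return findings

# Constructed sample telemetry (not real logs); field names are assumptions.
T0 = datetime(2025, 1, 6, 9, 0)
MAIL = [{"rcpt": "alice@corp.example", "time": T0 + timedelta(seconds=20 * i)} for i in range(120)]
MAIL += [{"rcpt": "bob@corp.example", "time": T0 + timedelta(minutes=10 * i)} for i in range(5)]
CHATS = [  # (recipient, sender UPN, display name, hours after T0)
    ("alice@corp.example", "agent7@tenant.example", "IT Helpdesk Support – Ticket #882910", 2),
    ("alice@corp.example", "jane@vendor.example", "Jane Doe", 3),
    ("bob@corp.example", "x@other.example", "Help Desk", 1),
    ("alice@corp.example", "helpdesk@corp.example", "IT Helpdesk", 1),
]
CHATS = [{"rcpt": r, "sender": s, "display_name": n, "time": T0 + timedelta(hours=h)} for r, s, n, h in CHATS]

if __name__ == "__main__":
    print(*suspicious_chats(MAIL, CHATS, "corp.example"), sep="\n")
```

A "medium" hit, an external help-desk-like name with no preceding flood, still deserves review, because the display name alone is the impersonation.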

ARE YOU KIDDING ME RIGHT NOW? This is like an arsonist setting your house on fire, then showing up in a firefighter uniform to "put it out" while they steal your jewelry. It's bold, it's brazen, and it's working because we're all too busy to double-check who we're letting into our inboxes.

The Register notes that this same crime crew is using this exact method to steal data from orgs of all sizes — small businesses, enterprises, nonprofits, you name it. If you use Microsoft Teams, you're a target. Full stop.

Why Your Org’s Teams Security Is a Disaster Waiting to Happen

Let's be brutal here: if your org hasn't locked down external Microsoft Teams chats, you're basically leaving your front door unlocked with a sign that says "rob me." UNC6692 doesn't need to hack Microsoft. They just need your Teams instance to allow external users to ping employees directly. That's it.

Most orgs leave external Teams chat enabled, because it's convenient for talking to clients, vendors, and partners. But that convenience comes at a cost: any hacker with a free Microsoft account can make a fake "IT Helpdesk" profile and start pinging your employees. It costs them $0, takes 5 minutes to set up, and can net them millions in stolen data. That's a pretty good ROI for a criminal crew.

The Hacker News notes that UNC6692 is specifically abusing Microsoft Teams' default settings to impersonate IT help desks and deploy SNOW Malware. They're not exploiting a bug in Teams. They're exploiting a feature. That's the part that should keep your security team up at night. You can patch bugs. You can't patch human trust, and you can't patch a feature that's working exactly as intended.

BleepingComputer adds that this threat actor is using "new" Snow malware, meaning they're updating their payload as defenses catch up. This isn't a one-off attack. This is an ongoing campaign, with updated tools, active support, and a playbook that's already proven to work. They're not going away anytime soon.

And yet, most orgs are doing nothing. They're not training employees to spot fake Teams chats. They're not locking down external communications. They're not monitoring for suspicious SNOW malware activity. It's the cybersecurity equivalent of the "This is fine" dog meme, except the fire is your entire customer database, and the dog is your IT team drinking coffee while UNC6692 steals your data. 🔥

Don’t Be the Employee Who Let UNC6692 Steal Your Org’s Data: 7 Dumb-Simple Rules to Stay Safe

Enough doom and gloom. Let's talk about what you can actually do to protect yourself, your team, and your org. These rules are funny, useful, and require zero technical expertise:

  • Never accept a Teams chat from someone claiming to be IT support without verifying via a second channel. Call your actual IT desk's published phone number, not the one the "agent" gives you. If they get mad that you verified? Good. Hang up. They're not supposed to be mad you're being careful.
  • If your inbox is suddenly flooded with spam, do NOT click the "help" chat that pops up 10 minutes later. Hackers are doing the flooding on purpose to make you desperate, per Techlicious. It's a setup, not a kindness. Report the spam to your actual IT team, then ignore any chats about it.
  • Ask for a ticket number. Real IT support always has a ticket number. If they say "we're just here to help, no ticket needed," they're lying. Run. Every legitimate IT interaction has a paper trail, period.
  • Enable 2FA on your Microsoft account yesterday. Even if they trick you into giving up your password, they can't get in without your second factor. Yes, it's annoying to pull out your phone every time you log in. No, it's not more annoying than a data breach that makes headlines and gets you fired.
  • Train your grandma. No, seriously. If she works in an office that uses Teams, send her the grandma-friendly breakdown from earlier. We're not leaving anyone behind. If she can spot a fake help desk chat, you can too.
  • If a "help desk" agent asks you to download anything via Teams, say no. Real IT uses approved remote access tools that are already installed on your device. They never send random links or files in chat. Ever.
  • Report suspicious chats to your actual IT team immediately. Don't ghost them, don't block them, don't argue with them. Take a screenshot, report the user, and move on. You might save your entire org's data with one email.

Final Verdict

Let's wrap this up with zero fluff: this attack is embarrassingly simple, which makes it terrifying. UNC6692 isn't using nation-state hacking tools or zero-day exploits. They're using Microsoft Teams, a tool your org already pays for, to pose as the people you're supposed to trust most: IT support. They're flooding your inbox to make you desperate, then swooping in to "save" you while dropping SNOW malware to steal your data. ARE YOU KIDDING ME RIGHT NOW?

This isn't a niche threat. CyberSecurityNews, The Hacker News, theregister.com, BleepingComputer, and Techlicious are all sounding the alarm. The playbook is public, the threat is active, and your employees are the only firewall standing between UNC6692 and your customer data. If you're not training them, locking down Teams, and monitoring for SNOW malware, you're not taking this seriously.

So do your job: share this post with your IT team, enable 2FA, train your staff, and for the love of all that is holy, stop accepting random Teams chats from people claiming to be help desk. If you don't, don't say we didn't warn you. Now go forth and secure your Teams instance, or we're coming for you next. 😉
