Threat Actors Impersonate Microsoft Teams Help Desk to Deploy SnowBelt Malware Across Enterprises
What Happened – A newly tracked threat cluster, UNC6692, floods target mailboxes with large volumes of email and then follows up with Microsoft Teams messages that masquerade as IT‑support help‑desk staff. Victims are tricked into installing a malicious “Mailbox Repair Utility” that drops the SnowBelt browser extension, a backdoor able to download additional tooling (SnowGlaze, SnowBasin, AutoHotkey scripts, portable Python).
Why It Matters for TPRM –
- The attack exploits trusted SaaS collaboration tools, bypassing traditional perimeter defenses.
- SnowBelt provides persistent access and can harvest credentials, enabling downstream data exfiltration.
- The technique is portable across industries, raising supply‑chain risk for any vendor that integrates Microsoft Teams.
Who Is Affected – Enterprises of all sizes that use Microsoft Teams for internal communication, especially those with limited MFA enforcement on SaaS apps.
Recommended Actions –
- Verify that help‑desk communications are authenticated (e.g., signed emails, verified Teams accounts).
- Enforce MFA and conditional access for all SaaS applications, especially Teams.
- Deploy web‑filtering and endpoint protection that can detect malicious browser extensions.
- Conduct phishing awareness training focused on social‑engineering via collaboration platforms.
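The extension-detection control above can be made concrete with an inventory audit. The following is an added example, not code from The Record's reporting or from any vendor product: it takes a map of installed extension IDs to their manifest.json contents (as collected from each browser profile's Extensions directory) and flags entries that are not on a corporate allowlist, request session-reading permissions, claim access to all sites, or lack a store update_url (a common sign of an unpacked, sideloaded extension). The allowlist IDs and manifests are constructed; the SnowBelt extension's real ID is not published on the page, so a clearly labelled placeholder stands in for it.

```python
"""Audit installed browser extensions against an allowlist and flag risky manifests.

Added example; extension IDs, manifests and the allowlist below are constructed.
"""
from dataclasses import dataclass, field

# Hypothetical corporate allowlist of approved extension IDs (constructed values).
APPROVED_EXTENSION_IDS = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",  # e.g. approved password manager
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb",  # e.g. approved PDF viewer
}

# Permissions that let an extension read or alter page content, traffic or session
# state; a backdoor harvesting credentials from the browser session needs some of these.
HIGH_RISK_PERMISSIONS = {
    "cookies", "webRequest", "webRequestBlocking", "declarativeNetRequest",
    "scripting", "tabs", "debugger", "nativeMessaging", "history",
}
BROAD_HOST_PATTERNS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


@dataclass
class Finding:
    extension_id: str
    name: str
    reasons: list = field(default_factory=list)


def audit_extension(extension_id, manifest):
    """Return a Finding listing why this extension deserves review, or None if
    it is approved and requests nothing unusual."""
    reasons = []
    if extension_id not in APPROVED_EXTENSION_IDS:
        reasons.append("not on corporate allowlist")
    perms = set(manifest.get("permissions", []))
    risky = sorted(perms & HIGH_RISK_PERMISSIONS)
    if risky:
        reasons.append("high-risk permissions: " + ", ".join(risky))
    # Manifest V2 lists host patterns under 'permissions'; V3 moves them to
    # 'host_permissions', so check both.
    hosts = set(manifest.get("host_permissions", [])) | perms
    if hosts & BROAD_HOST_PATTERNS:
        reasons.append("broad host access to all sites")
    # Store-installed extensions carry an update_url; unpacked extensions dropped
    # on disk by an installer usually do not. Heuristic, not proof.
    if "update_url" not in manifest:
        reasons.append("no update_url (possibly sideloaded/unpacked)")
    if not reasons:
        return None
    return Finding(extension_id, manifest.get("name", "<unnamed>"), reasons)


def audit_all(installed):
    """Run audit_extension over an {id: manifest} inventory and keep the findings."""
    return [f for f in (audit_extension(eid, m) for eid, m in installed.items()) if f]


# Constructed sample inventory, shaped like what a collector would read from
# Extensions/<id>/<version>/manifest.json in each browser profile.
SAMPLE_INSTALLED = {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
        "name": "Approved Password Manager", "manifest_version": 3,
        "permissions": ["storage"],
        "host_permissions": ["https://vault.example.com/*"],
        "update_url": "https://clients2.google.com/service/update2/crx",
    },
    "placeholder-snowbelt-extension-id": {  # placeholder: real ID not on the page
        "name": "Mailbox Repair Utility", "manifest_version": 3,
        "permissions": ["cookies", "scripting", "tabs", "storage"],
        "host_permissions": ["<all_urls>"],
        # no update_url: written to disk by the installer, not by the store
    },
}

if __name__ == "__main__":
    for f in audit_all(SAMPLE_INSTALLED):
        print(f"[ALERT] {f.name} ({f.extension_id}): " + "; ".join(f.reasons))
```

In a fleet deployment the constructed SAMPLE_INSTALLED map would be replaced by manifests read from each profile's Extensions directory, and the findings shipped to the SIEM; an extension that trips all four checks at once, as the placeholder entry does, is the profile worth isolating first.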
Technical Notes – The attack vector combines a phishing email flood, social‑engineered Teams messages, and a malicious browser extension (SnowBelt). No specific CVE is cited; the intrusion relies on user interaction and on the trust placed in Microsoft Teams rather than on a software vulnerability. Data types at risk include corporate credentials, internal documents, and any data accessible through the compromised browser session. Source: The Record