Code Defence Cyber security

UNC6692 impersonates IT help desk via Microsoft Teams to deploy SNOW malware

A previously undocumented threat actor is leveraging social engineering via internal collaboration platforms to bypass traditional email security perimeters. This campaign utilizes the inherent trust users place in instant messaging to deploy a custom malware suite for credential theft.

The threat actor, tracked as UNC6692, initiates Microsoft Teams chat invitations from external accounts impersonating IT help desk employees. Once the victim accepts, the actor convinces them to download and execute a “security update” which is actually the SNOW malware. This malware exfiltrates browser cookies, stored passwords, and session tokens to facilitate follow-on business email compromise (BEC).

The shift toward Teams-based social engineering highlights the fragility of internal trust models. When an attacker can message an employee directly through a “trusted” interface, the psychological barrier to running malicious software is significantly lower than with traditional phishing.

– Disable the ability for external users to initiate chat invitations with internal Microsoft Teams users unless strictly necessary.

– Update security awareness training to include specific examples of Teams-based social engineering and IT help desk impersonation.

– Enforce phishing-resistant MFA to reduce the utility of harvested credentials and session tokens.

– Monitor Teams logs for anomalous external chat invitations and high-volume messaging events.
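The monitoring recommendation above, as an added illustration that is not part of the original post: a small detection pass over constructed, simplified Teams-style audit events (not the real Microsoft 365 audit schema) that flags chat invitations from external tenants, help-desk-style display names on external accounts, and message bursts from a single external sender. The internal domain, field names and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "corp.example"  # assumed internal tenant domain
HELPDESK_WORDS = ("help desk", "helpdesk", "it support", "service desk")

# Constructed sample events in a simplified shape (field names are assumptions).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "op": "ChatCreated", "sender": "support@contoso-support.example",
     "display": "IT Help Desk", "target": "alice@corp.example"},
    *[{"ts": f"2024-05-01T09:0{i}:00", "op": "MessageSent", "sender": "support@contoso-support.example",
       "display": "IT Help Desk", "target": "alice@corp.example"} for i in range(1, 6)],
    {"ts": "2024-05-01T09:10:00", "op": "ChatCreated", "sender": "bob@corp.example",
     "display": "Bob", "target": "alice@corp.example"},
    {"ts": "2024-05-01T09:11:00", "op": "MessageSent", "sender": "rep@partner.example",
     "display": "Partner Rep", "target": "alice@corp.example"},
]


def is_external(sender: str) -> bool:
    """True when the sender's domain is not the internal tenant."""
    return sender.lower().rsplit("@", 1)[-1] != INTERNAL_DOMAIN


def detect(events, burst_threshold=5, window=timedelta(minutes=10)):
    """Return (rule, sender, detail) findings for the three conditions described above."""
    findings = []
    recent = defaultdict(list)  # external sender -> message timestamps inside the sliding window
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not is_external(ev["sender"]):
            continue  # internal-to-internal traffic is out of scope for these rules
        if ev["op"] == "ChatCreated":
            findings.append(("external_chat_invite", ev["sender"], ev["target"]))
            if any(w in ev["display"].lower() for w in HELPDESK_WORDS):
                findings.append(("helpdesk_name_on_external_account", ev["sender"], ev["display"]))
        elif ev["op"] == "MessageSent":
            now = datetime.fromisoformat(ev["ts"])
            q = recent[ev["sender"]]
            q.append(now)
            while now - q[0] > window:  # drop timestamps that fell out of the window
                q.pop(0)
            if len(q) == burst_threshold:  # fire once, when the threshold is first reached
                findings.append(("external_message_burst", ev["sender"], len(q)))
    return findings
```

Running `detect(SAMPLE_EVENTS)` yields one external invite, one help-desk-named external account and one burst finding, all for the same external sender.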

Internal chat platforms are the new frontline for social engineering; identity verification must move beyond the username and avatar. #CodeDefence #MicrosoftTeams #UNC6692 #SocialEngineering
