Hackers Pose as Microsoft Teams Support to Deploy SnowBelt Malware via Phishing Campaign
UNC6692 actors are posing as Microsoft Teams support to spread SnowBelt malware via phishing, leveraging email overload and malicious browser extensions to breach corporate networks.

TL;DR
A new threat actor, UNC6692, is conducting a sophisticated phishing campaign by impersonating Microsoft Teams support to deliver the SnowBelt malicious browser extension, establishing persistent access within corporate networks.
Threat actors are leveraging trust in enterprise communication platforms to breach corporate defenses. Mandiant researchers have identified a campaign attributed to UNC6692, which targets organizations by blending social engineering with custom malware delivery. This operation exploits common user workflows and the perceived legitimacy of IT support interactions.
The attack begins with an email overload strategy designed to overwhelm targeted inboxes. Subsequently, the threat actor initiates contact via Microsoft Teams, using an account external to the victim's organization, posing as an IT support professional offering assistance with the email disruption. During this interaction, victims receive instructions to install a supposed "patch." The link directs users to a website disguised as a "Mailbox Repair Utility." The phishing page employs specific social engineering techniques, including a persistent overlay that forces users to switch to Microsoft Edge if the page is opened in another browser, which makes the attack more reliable. It also deliberately rejects the first two password submissions, reinforcing the appearance of legitimacy and ensuring credential capture. Clicking through leads to the download and installation of a malicious browser extension named SnowBelt. This extension functions as a backdoor, granting attackers continued access to corporate accounts without repeated authentication. Once established, SnowBelt facilitates the download of additional components, including the malware tools SnowGlaze and SnowBasin, AutoHotkey scripts, and a portable Python environment for further malicious execution. Mandiant highlights this campaign as an evolution in attacker tactics, combining social engineering, custom malware, and abuse of trust in enterprise platforms.
Organizations must implement robust security practices to counter such evolving threats. Employee awareness training should focus on identifying sophisticated phishing attempts, especially those involving unsolicited contact via internal communication platforms. Enforce multi-factor authentication (MFA) across all enterprise applications to mitigate credential theft. Deploy advanced endpoint detection and response (EDR) solutions to identify anomalous browser extension installations or unusual script execution. Regularly audit installed browser extensions and enforce strict policies for software installation. Monitor for external user contact attempts on platforms like Microsoft Teams, and educate staff on verifying IT support requests through established internal channels only.
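The extension audit recommended above can be scripted. The following is an added example, not code from Mandiant or from the article, that walks a Chromium-based Edge profile's Extensions directory, parses each manifest.json, and flags extensions that are either absent from an organizational allowlist or request permissions that would let an extension act as a session backdoor. The allowlist ID, the permission set, and the sample profile it builds are constructed for illustration; on a real host point it at %LOCALAPPDATA%\Microsoft\Edge\User Data\Default\Extensions.

```python
import json
import tempfile
from pathlib import Path

# Constructed placeholder: IDs an organization has approved (real IDs are 32 chars a-p).
ALLOWLIST = {"aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"}

# Constructed triage set: permissions that let an extension read or replay sessions.
HIGH_RISK = {"cookies", "webRequest", "webRequestBlocking", "tabs",
             "scripting", "nativeMessaging", "<all_urls>"}


def audit_extensions(extensions_root: Path) -> list:
    """Scan <profile>/Extensions/<id>/<version>/manifest.json and report findings.

    Caveat: unpacked (developer-mode) extensions live outside this directory;
    cross-check the profile's Preferences file for those.
    """
    findings = []
    for manifest in sorted(extensions_root.glob("*/*/manifest.json")):
        ext_id = manifest.parent.parent.name
        data = json.loads(manifest.read_text(encoding="utf-8"))
        perms = set(data.get("permissions", [])) | set(data.get("host_permissions", []))
        risky = sorted(perms & HIGH_RISK)
        if ext_id not in ALLOWLIST or risky:
            findings.append({"id": ext_id, "name": data.get("name", "?"),
                             "allowlisted": ext_id in ALLOWLIST, "risky_permissions": risky})
    return findings


def build_sample_profile(root: Path) -> Path:
    """Construct a fake Extensions tree: one approved extension, one unknown backdoor-like one."""
    samples = {
        "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/1.0": {"name": "Approved Tool", "permissions": ["storage"]},
        "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb/0.1": {"name": "Mailbox Repair Helper",
                                                "permissions": ["cookies", "webRequest"],
                                                "host_permissions": ["<all_urls>"]},
    }
    for rel, manifest in samples.items():
        d = root / "Extensions" / rel
        d.mkdir(parents=True)
        (d / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    return root / "Extensions"


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for f in audit_extensions(build_sample_profile(Path(tmp))):
            print(f)
```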