On April 27, 2026, BleepingComputer revealed that a threat actor tracked as UNC6692 has deployed a new custom malware suite named ‘Snow’—using Microsoft Teams as the primary infection vector. This isn’t a phishing email slipping past filters or a zero-day exploit grabbing headlines. It’s something more insidious: abuse of a platform employees use daily, wrapped in the legitimacy of real conversations and file shares.
Key Takeaways
- UNC6692 uses Microsoft Teams messages to deliver the Snow malware, bypassing traditional email security controls
- The Snow suite includes a browser extension, a tunneler, and a backdoor, enabling persistent access and data exfiltration
- Social engineering—not technical exploits—is the primary attack method, relying on user trust in collaboration tools
- The malware has been observed targeting organizations across multiple sectors, with no indication of a specific vertical focus
- Microsoft has not issued an official advisory, but the attack highlights systemic weaknesses in secure collaboration design
Microsoft Teams: The New Front Door for Attackers
It’s been years since anyone treated email as the only attack surface. But few expected Microsoft Teams—marketed as a secure, enterprise-grade hub for teamwork—to become a delivery mechanism for custom malware. Yet that’s exactly what UNC6692 has done.
Teams messages, file shares, and even scheduled meetings are now part of the attack chain. The threat actor sends what looks like a routine message: a shared document, a request for feedback, a link to a “collaborative” spreadsheet. None of it goes through email. None of it triggers legacy spam filters. It appears in the app users trust most for internal communication.
That trust is the exploit.
According to the original report, the initial payload is delivered through a malicious file shared directly in Teams. The file is often disguised as a PDF or spreadsheet but contains executable code or links to external domains hosting the Snow malware. Users click. The download starts. And because the download happens inside an approved app, endpoint protections often treat it as sanctioned activity and let it through.
This isn’t a flaw in Microsoft’s code. It’s a flaw in our assumptions. We assumed that moving communication into walled-off platforms like Teams would make us safer. We were wrong.
Snow Malware: A Modular, Multi-Layered Threat
The Snow malware suite isn’t some crude script tossed together by script kiddies. It’s modular. Purpose-built. And designed to stay hidden.
The first component is a browser extension—signed and appearing legitimate—that injects itself into Chrome and Edge. Once installed, it monitors login attempts, captures session cookies, and exfiltrates stored credentials. It doesn’t just steal passwords. It steals access.
The second piece is a tunneler that establishes encrypted outbound connections to attacker-controlled infrastructure. This allows lateral movement and command-and-control traffic to bypass network egress filtering. It’s lightweight, runs under low privileges, and masquerades as normal Teams background sync traffic.
The third component is a backdoor with privilege escalation capabilities. It allows UNC6692 to execute arbitrary commands, deploy additional payloads, and maintain persistence across reboots. It’s the anchor.
How the Infection Chain Unfolds
- User receives a Teams message with a shared file labeled “Q1 Budget Review_Final_V2”
- File is hosted on SharePoint but points to an external domain mimicking Microsoft’s CDN
- Clicking the file downloads a ZIP containing an executable disguised as a PDF reader
- Execution triggers installation of the Snow browser extension and backdoor
- Tunneler activates within 60 seconds, beaconing to C2 infrastructure
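The chain above gives a defender three concrete tells to look for in Teams file-share telemetry: a link whose host borrows Microsoft branding but is not Microsoft-owned, a file name that hides a second extension behind a document-looking one, and a "document" whose link actually fetches an archive or an executable. The PowerShell below is an added example, not code from the report or from Microsoft. The event field names, the list of first-party suffixes and the sample events are constructed assumptions; a real deployment would feed it exported audit records and maintain its own allowlist.

```powershell
# Added example (not from the BleepingComputer report or from Microsoft): triage Teams
# file-share events for the tells the article describes. Field names, the first-party
# suffix list and the sample events are constructed assumptions.

$TrustedSuffixes      = @('sharepoint.com', 'microsoft.com', 'office.com', 'office.net', 'microsoftonline.com')
$BrandTokens          = @('microsoft', 'sharepoint', 'office', 'onedrive', 'teams')
$ExecutableExtensions = @('.exe', '.scr', '.msi', '.bat', '.cmd', '.ps1', '.js', '.vbs', '.hta', '.lnk', '.iso')
$DocumentExtensions   = @('.pdf', '.docx', '.xlsx', '.pptx', '.doc', '.xls')

function Test-TrustedHost {
    # True when the host is exactly, or a subdomain of, one of the first-party suffixes.
    param([string]$HostName)
    foreach ($suffix in $TrustedSuffixes) {
        if ($HostName -eq $suffix -or $HostName.EndsWith(".$suffix")) { return $true }
    }
    return $false
}

function Get-ShareRisk {
    # Returns a summary object with findings and a verdict for one share event.
    param([Parameter(Mandatory)][pscustomobject]$Event)

    $findings  = [System.Collections.Generic.List[string]]::new()
    $uri       = [System.Uri]$Event.Url
    $hostName  = $uri.Host.ToLowerInvariant()
    $label     = $Event.FileName
    $labelExt  = [System.IO.Path]::GetExtension($label).ToLowerInvariant()
    $innerExt  = [System.IO.Path]::GetExtension([System.IO.Path]::GetFileNameWithoutExtension($label)).ToLowerInvariant()
    $targetExt = [System.IO.Path]::GetExtension($uri.AbsolutePath).ToLowerInvariant()

    # 1. Host: first-party, brand lookalike, or plain external.
    if (-not (Test-TrustedHost $hostName)) {
        $borrowed = @($BrandTokens | Where-Object { $hostName -like "*$_*" })
        if ($borrowed.Count -gt 0) {
            $findings.Add("HIGH: host '$hostName' is not Microsoft-owned but borrows brand token(s): $($borrowed -join ', ')")
        } else {
            $findings.Add("INFO: host '$hostName' is external to the tenant")
        }
    }

    # 2. Name: executable extension, or a document-looking name hiding a second extension.
    if ($ExecutableExtensions -contains $labelExt) {
        $findings.Add("HIGH: '$label' carries executable extension $labelExt")
    }
    if ($innerExt -and ($DocumentExtensions -contains $innerExt) -and ($labelExt -ne $innerExt)) {
        $findings.Add("HIGH: '$label' uses a double extension ($innerExt$labelExt)")
    }

    # 3. Label vs. download target: a "PDF" whose link actually fetches a ZIP or EXE.
    if (($DocumentExtensions -contains $labelExt) -and $targetExt -and ($targetExt -ne $labelExt)) {
        $findings.Add("HIGH: label says $labelExt but the link downloads $targetExt")
    }

    $highs   = @($findings | Where-Object { $_ -like 'HIGH:*' })
    $verdict = 'Allow'
    if ($findings.Count -gt 0) { $verdict = 'Review' }
    if ($highs.Count -gt 0)    { $verdict = 'Block and investigate' }

    [pscustomobject]@{
        Sender   = $Event.Sender
        FileName = $label
        Host     = $hostName
        Verdict  = $verdict
        Findings = $findings -join '; '
    }
}

# Constructed sample events (not real tenant data); the hosts use reserved example domains.
$SampleEvents = @(
    [pscustomobject]@{ Sender = 'ops-lead@contoso.example';    FileName = 'Offsite agenda.docx';           Url = 'https://contoso.sharepoint.com/sites/ops/Shared%20Documents/Offsite%20agenda.docx' },
    [pscustomobject]@{ Sender = 'cfo@contoso.example';         FileName = 'Q1 Budget Review_Final_V2.pdf'; Url = 'https://cdn.microsoft-static.example/files/Q1_Budget_Review_Final_V2.zip' },
    [pscustomobject]@{ Sender = 'it-helpdesk@contoso.example'; FileName = 'AuthModuleUpdate.pdf.exe';      Url = 'https://contoso.sharepoint.com/sites/it/AuthModuleUpdate.pdf.exe' },
    [pscustomobject]@{ Sender = 'vendor@partner.example';      FileName = 'SOW.pdf';                       Url = 'https://portal.partner.example/docs/SOW.pdf' }
)

$SampleEvents | ForEach-Object { Get-ShareRisk $_ } | Format-Table -AutoSize -Wrap
```

On the four constructed events the first is allowed, the partner PDF is marked for review because its host is merely external, and the other two are blocked: the "budget review" link borrows the Microsoft brand on a non-Microsoft host and fetches a ZIP behind a .pdf label, while the "authentication module update" carries an executable double extension even though it sits on first-party SharePoint.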
Social Engineering, Not Code, Is the Weapon
What makes this attack so effective isn’t its technical sophistication. It’s its psychological precision. UNC6692 isn’t brute-forcing access. It’s manipulating behavior.
The messages used in the campaign are well-written, context-aware, and often reference real internal projects or upcoming deadlines. Some mimic IT departments asking users to “update authentication modules.” Others appear to come from executives requesting urgent review of financial documents.
And because they appear inside Teams—where users expect legitimate work traffic—the mental guardrails are down. You don’t double-check a file from your boss in a Teams chat the way you might an email from an unknown sender.
This is social engineering weaponized by platform familiarity. It’s not about tricking people into clicking links. It’s about exploiting the fact that we’ve been trained to trust the tools we use every day.
Microsoft has spent years building Teams as the central nervous system of hybrid work. But that centrality comes with risk: any compromise there isn’t just a breach. It’s a takeover.
Why Email Defenses Failed to Matter
Most enterprise security stacks are built around email. Secure email gateways. Phishing detection. URL rewriting. Sandboxing. All of it assumes the threat arrives in an inbox.
But when the payload lands in Teams, none of those layers engage. The file never passes through the email pipeline. It’s shared directly in-app. It bypasses scanning. It skips detonation. It lands silently on the endpoint.
And once it’s there, the damage spreads fast. The browser extension grabs session tokens. The tunneler opens a private channel. The backdoor gives UNC6692 a seat at the table.
The Blind Spot in Modern Enterprise Security
We’ve spent the last decade hardening email, patching endpoints, and deploying EDR tools. But we’ve ignored the rise of collaboration platforms as attack surfaces.
Teams, Slack, Zoom, Notion—these aren’t just tools. They’re ecosystems. And ecosystems are full of entry points.
Yet most security policies treat them as secondary channels. Access controls are looser. Monitoring is lighter. Logging is inconsistent. And user training still focuses on email red flags, not suspicious file shares in a chat app.
The result? A glaring blind spot. One that UNC6692 has exploited with precision.
It’s ironic: companies adopted Teams to improve security by reducing email reliance. But by shifting communication into a less-monitored environment, they’ve made it easier for attackers to slip in unnoticed.
Industry Response and Competitive Landscape
While Microsoft has not issued an official advisory, other vendors have stepped up detection. CrowdStrike, for instance, added signatures for the Snow backdoor to its Falcon platform within 48 hours of BleepingComputer’s report. The company flagged over 120 enterprise environments where initial indicators of compromise matched the tunneler’s traffic patterns. Palo Alto Networks’ Cortex XDR now includes behavioral analytics to detect abnormal file-sharing events in Teams, particularly those involving external domains masquerading as Microsoft CDNs.
Meanwhile, competitors are positioning their platforms as more secure alternatives. Slack, owned by Salesforce, has doubled down on its “Security Plus” offering, which includes real-time scanning of shared files via AWS-hosted sandboxing. The feature, available at an additional $8 per user per month, was adopted by 37% of enterprise Slack customers by Q1 2026. Zoom, too, has introduced end-to-end encryption for file transfers in its Workspace suite, though rollout remains limited to government and healthcare clients due to compliance requirements.
But no platform is immune. In early 2025, researchers at Mandiant observed a separate threat group using fake Zoom meeting invites to deliver a different backdoor, highlighting that the attack vector is broader than any single app. The real issue isn’t brand—it’s the lack of standardized security frameworks across collaboration ecosystems. NIST has begun drafting guidelines for real-time communication platform hardening, with a draft expected in late 2026. Until then, enterprises are left to retrofit protections designed for email onto dynamic, API-driven environments.
Technical and Policy Dimensions of Collaboration Security
The Snow campaign exposes a deeper rift between IT architecture and security policy. Most organizations deploy Microsoft 365 with default sharing settings, allowing users to invite external guests and share files with minimal oversight. According to Microsoft’s own 2025 Digital Defense Report, 68% of enterprises use the “Anyone with the link” permission level for SharePoint files shared via Teams—meaning no authentication is required to access the document.
This configuration enables attacks like Snow, where a malicious file hosted on SharePoint links to an attacker-controlled domain. Microsoft offers sensitivity labels and data loss prevention (DLP) policies that could restrict such links, but fewer than 30% of Fortune 500 companies have fully implemented them, per a 2026 Gartner analysis. The reason? Complexity. Configuring DLP rules across hybrid environments requires deep expertise and often breaks legitimate workflows.
On the endpoint side, Microsoft Defender for Office 365 can scan files in Teams—but only if organizations enable “Safe Attachments for SharePoint, OneDrive, and Teams,” a feature disabled by default. Adoption lags because it introduces latency; file access can take up to 30 seconds while scans complete. Many IT departments disable it to avoid user complaints.
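The two settings the article singles out, the sharing default and the Safe Attachments switch for SharePoint, OneDrive and Teams, can be read and tightened from PowerShell. The following is an added example, not Microsoft's own guidance text or code from the report. It assumes the Microsoft.Online.SharePoint.PowerShell and ExchangeOnlineManagement modules, a Defender for Office 365 licence for the Set-AtpPolicyForO365 step, and a placeholder tenant name.

```powershell
# Added example (not Microsoft's guidance and not from the report): show the current
# values of the two settings discussed above, then tighten them. Needs the SharePoint
# Online and Exchange Online PowerShell modules; the tenant name is a placeholder.

$TenantName = 'contoso'   # placeholder: replace with your tenant's short name

Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com"
Connect-ExchangeOnline

function Get-CollaborationPosture {
    # One object summarising the sharing defaults and the Teams/SharePoint scanning switch.
    $spo = Get-SPOTenant
    $atp = Get-AtpPolicyForO365
    [pscustomobject]@{
        SharingCapability       = $spo.SharingCapability        # ExternalUserAndGuestSharing permits anonymous links
        DefaultSharingLinkType  = $spo.DefaultSharingLinkType   # AnonymousAccess is "Anyone with the link"
        DefaultLinkPermission   = $spo.DefaultLinkPermission
        SafeAttachmentsSpoTeams = $atp.EnableATPForSPOTeamsODB  # the switch that is off by default
    }
}

'Before:'
Get-CollaborationPosture | Format-List

# Sharing: keep external collaboration possible, but only with authenticated guests, and
# make the default link internal and view-only so an anonymous link becomes a deliberate act.
Set-SPOTenant -SharingCapability ExternalUserSharingOnly `
              -DefaultSharingLinkType Internal `
              -DefaultLinkPermission View

# Scanning: enable Safe Attachments for SharePoint, OneDrive and Teams.
Set-AtpPolicyForO365 -EnableATPForSPOTeamsODB $true

'After:'
Get-CollaborationPosture | Format-List
```

Both changes apply tenant-wide, so pilot them on a test tenant first; the scan delay the article mentions is the price of the second setting, and the first one will break any workflow that depends on anonymous links, which is exactly the dependency worth surfacing.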
From a policy standpoint, regulatory frameworks haven’t caught up. GDPR and HIPAA focus on data at rest or in transit, not on how collaboration tools mediate access. The SEC’s 2023 cybersecurity disclosure rules require breach reporting, but don’t mandate monitoring of internal communication platforms. This creates a compliance gap: companies can be technically compliant while remaining operationally exposed.
The Bigger Picture: Why It Matters Now
The timing of the Snow campaign isn’t accidental. 2026 marks the first year that over 70% of knowledge workers use collaboration platforms as their primary communication tool, according to Statista. Email volume in enterprises has dropped by 22% since 2022, while Teams messages per user have risen from 18 to 47 per week. Attackers follow usage patterns. As workflows shift, so do exploitation strategies.
This isn’t just about one malware suite. It’s about a turning point in how digital trust is weaponized. Platforms like Teams reduce friction for employees—but friction is what slows attackers. When every file share, chat, and meeting invite becomes a potential attack vector, security can’t be an afterthought.
The Snow campaign proves that trust in enterprise software is now a liability if not actively managed. Microsoft’s ecosystem is built on integration—Teams connects to Outlook, SharePoint, OneDrive, Power Automate, and hundreds of third-party apps. Each integration expands the attack surface. And attackers like UNC6692 don’t need to break in. They just need to blend in.
The real cost of ignoring this shift could be massive. IBM’s 2025 Cost of a Data Breach report found that breaches originating in collaboration tools took 21% longer to detect and cost $1.3 million more on average than email-based incidents. Until organizations treat chat apps with the same scrutiny as email gateways, they’re not securing their environment—they’re just moving the front door to a less guarded wall.
What This Means For You
If you’re a developer building internal tools or integrations, this attack should change how you think about trust. Don’t assume platform authenticity equals safety. Validate file types, restrict executable behavior in collaboration apps, and enforce strict content filtering—even within approved software.
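As an added illustration of "validate file types" (not code from the article or from Microsoft), the PowerShell below classifies a downloaded file by its leading bytes rather than its name, then opens a ZIP to look for the pattern from the infection chain: an executable wearing a .pdf name. The magic-byte table is a deliberately small assumption, and the sample files it writes to a temporary folder are constructed headers only, not real documents or programs.

```powershell
# Added example (not from the article or from any Microsoft product): check that a
# downloaded "document" really is what its name claims, and look inside a ZIP for an
# executable disguised as a PDF before anything is opened. The magic-byte table is a
# small assumption; the sample files are constructed headers written to a temp folder.

Add-Type -AssemblyName System.IO.Compression.FileSystem

$Magic = @{
    'pdf' = [byte[]](0x25, 0x50, 0x44, 0x46)   # %PDF
    'zip' = [byte[]](0x50, 0x4B, 0x03, 0x04)   # PK.. (also docx/xlsx/pptx containers)
    'exe' = [byte[]](0x4D, 0x5A)               # MZ (PE image)
}
$ZipBased       = @('.zip', '.docx', '.xlsx', '.pptx')
$DocumentExts   = @('.pdf', '.docx', '.xlsx', '.pptx')
$ExecutableExts = @('.exe', '.scr', '.msi', '.bat', '.cmd', '.ps1', '.js', '.vbs', '.hta', '.lnk', '.dll')

function Test-Prefix {
    # True when the first $Count bytes of $Bytes start with $Prefix.
    param([byte[]]$Bytes, [int]$Count, [byte[]]$Prefix)
    if ($Count -lt $Prefix.Length) { return $false }
    for ($i = 0; $i -lt $Prefix.Length; $i++) {
        if ($Bytes[$i] -ne $Prefix[$i]) { return $false }
    }
    return $true
}

function Get-ContentKind {
    # Classify a file by its leading bytes, ignoring its name entirely.
    param([string]$Path)
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $head = New-Object byte[] 4
        $read = $stream.Read($head, 0, $head.Length)
    } finally { $stream.Dispose() }
    foreach ($kind in $Magic.Keys) {
        if (Test-Prefix -Bytes $head -Count $read -Prefix $Magic[$kind]) { return $kind }
    }
    return 'unknown'
}

function Test-DownloadedFile {
    # Compares the declared extension with the real content, then inspects ZIP entries.
    param([string]$Path)
    $name     = [System.IO.Path]::GetFileName($Path)
    $ext      = [System.IO.Path]::GetExtension($name).ToLowerInvariant()
    $kind     = Get-ContentKind $Path
    $findings = [System.Collections.Generic.List[string]]::new()

    if ($kind -eq 'exe') { $findings.Add("content is a PE executable although the name is '$name'") }
    if ($ext -eq '.pdf' -and $kind -ne 'pdf') { $findings.Add("named .pdf but content is $kind") }
    if (($ZipBased -contains $ext) -and $kind -ne 'zip') { $findings.Add("named $ext but content is $kind") }

    if ($kind -eq 'zip') {
        $zip = [System.IO.Compression.ZipFile]::OpenRead($Path)
        try {
            foreach ($entry in $zip.Entries) {
                $entryExt = [System.IO.Path]::GetExtension($entry.Name).ToLowerInvariant()
                $innerExt = [System.IO.Path]::GetExtension([System.IO.Path]::GetFileNameWithoutExtension($entry.Name)).ToLowerInvariant()
                if ($ExecutableExts -contains $entryExt) {
                    $findings.Add("archive entry '$($entry.FullName)' is executable ($entryExt)")
                }
                if ($innerExt -and ($DocumentExts -contains $innerExt)) {
                    $findings.Add("archive entry '$($entry.FullName)' hides $entryExt behind $innerExt")
                }
            }
        } finally { $zip.Dispose() }
    }

    [pscustomobject]@{
        File     = $name
        Content  = $kind
        Verdict  = $(if ($findings.Count -gt 0) { 'Quarantine' } else { 'OK' })
        Findings = $findings -join '; '
    }
}

# Constructed samples: header bytes only, written to a throw-away temp folder.
$work  = Join-Path ([System.IO.Path]::GetTempPath()) ('filecheck-demo-' + [guid]::NewGuid().ToString('N'))
$stage = Join-Path $work 'stage'
New-Item -ItemType Directory -Path $stage | Out-Null
[System.IO.File]::WriteAllBytes((Join-Path $work 'agenda.pdf'), [byte[]](0x25,0x50,0x44,0x46,0x2D,0x31,0x2E,0x34))   # a real PDF header
[System.IO.File]::WriteAllBytes((Join-Path $work 'Q1 Budget Review_Final_V2.pdf'), [byte[]](0x4D,0x5A,0x90,0x00))  # PE header under a .pdf name
[System.IO.File]::WriteAllBytes((Join-Path $stage 'PDFReader.pdf.exe'), [byte[]](0x4D,0x5A,0x90,0x00))             # the "PDF reader" inside the ZIP
[System.IO.Compression.ZipFile]::CreateFromDirectory($stage, (Join-Path $work 'Q1_Budget_Review.zip'))

Get-ChildItem -Path $work -File | ForEach-Object { Test-DownloadedFile $_.FullName } | Format-Table -AutoSize -Wrap
Remove-Item -Recurse -Force $work
```

The genuine PDF header passes, the .pdf that starts with MZ is quarantined for two reasons (PE content, and a name that lies about it), and the ZIP is quarantined because its single entry is both executable and double-extensioned. The same content-first check belongs in any integration that accepts files from a collaboration platform, because the name is the one thing the sender fully controls.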
For security teams, it’s time to extend email-grade protections to all collaboration platforms. That means scanning shared files in Teams the same way you scan email attachments, enforcing least-privilege access, and monitoring for anomalous data transfers. Assume any app with file-sharing and messaging can be weaponized.
The most dangerous part of this story isn’t the malware. It’s the realization that our safest-seeming tools might be our weakest links.
How do we secure platforms we’ve been told are secure by default—when the real vulnerability isn’t in the code, but in how we use it?
Sources: BleepingComputer, The Hacker News, Microsoft Digital Defense Report 2025, Gartner Enterprise Security Survey 2026, IBM Cost of a Data Breach Report 2025, NIST Draft Guidelines on Real-Time Communication Security (2026), Statista Workplace Collaboration Trends 2026