A new threat group is impersonating IT helpdesk staff via Microsoft Teams to deploy malware. Here's how to protect your business and what Indian regulations require.

How UNC6692's Teams Impersonation Attack Threatens Indian SMBs

The Attack That's Fooling Thousands

A previously undocumented threat group called UNC6692 has been systematically impersonating IT helpdesk employees through Microsoft Teams to trick employees into installing malware. Originally reported by The Hacker News, this attack represents a dangerous evolution in social engineering — one that exploits the trust we place in our own IT teams.

The attack is deceptively simple but devastatingly effective. UNC6692 creates fake Microsoft Teams accounts that closely mimic legitimate IT helpdesk staff. They then send Teams chat invitations to employees at target organizations, claiming to be from "IT Support" or "Help Desk." Once the employee accepts the invitation, the attacker guides them through a series of steps to download and execute a custom malware suite called SNOW. This malware establishes persistence, steals credentials, and opens backdoors for further compromise.

What makes this particularly concerning is the psychological element. Microsoft Teams is now synonymous with "work" for millions of Indian professionals. When someone claiming to be from IT support reaches out via Teams, most employees won't think twice — they'll trust it. In my years building enterprise systems, I've seen this pattern repeatedly: the best security controls often fail against the oldest attack vector — human trust.

Unknown number of compromised organizationsConfirmed victims across multiple sectors

Multiple weeksAverage dwell time before detection

Custom SNOW malwarePurpose-built for credential theft and persistence

Why This Matters for Indian Businesses

If you're running an SMB in India, this attack should concern you for several reasons:

First, the regulatory angle. India's Digital Personal Data Protection (DPDP) Act, 2023 requires organizations to implement reasonable security measures to protect personal data. If UNC6692 compromises your systems and exfiltrates customer data, you're not just facing operational damage — you're facing DPDP violations, potential penalties up to Rs 5 crore, and mandatory breach notifications to CERT-In within 6 hours of discovery.

Second, the targeting reality. UNC6692 doesn't discriminate by company size. While they may target large enterprises, the attack method — impersonation via Teams — works equally well against SMBs. In fact, SMBs are often easier targets because they have fewer security controls and less mature incident response capabilities.

Third, the supply chain risk. If you're a vendor or service provider to larger organizations, a compromise of your systems could trigger cascading regulatory consequences for your clients, damaging your reputation and contracts.

When I was architecting security for large enterprises, we always had dedicated security teams and 24/7 monitoring. Most Indian SMBs don't have that luxury. This is exactly why I built Bachao.AI — to make enterprise-grade threat detection and incident response accessible without requiring a full security team.

⚠️

WARNING

If UNC6692 compromises your systems and steals customer data, you have 6 hours to notify CERT-In under India's DPDP Act. Missing this deadline can result in penalties and regulatory action.

Technical Breakdown: How the Attack Works

Let me walk you through the exact attack sequence:

graph TD
    A[UNC6692 Reconnaissance] -->|Identifies target employees| B[Create Fake Teams Account]
    B -->|Mimics IT helpdesk branding| C[Send Teams Invitation]
    C -->|Employee accepts chat| D[Social Engineering Conversation]
    D -->|Tricks employee to download file| E[Malware Execution]
    E -->|SNOW malware installs| F[Credential Harvesting]
    F -->|Establish persistence| G[Lateral Movement]
    G -->|Exfiltrate data| H[Breach Complete]

The Impersonation Technique

UNC6692 doesn't hack Teams directly. Instead, they:

Create legitimate-looking Teams accounts using variations of real IT team member names (e.g., "IT_Support_Official" instead of "IT_Support")
Use generic IT support messaging that doesn't require deep knowledge of the target organization
Guide the victim through credential-stealing downloads, often disguised as security updates or software patches
Deploy SNOW malware, which is designed to:

- Harvest Windows credentials from the compromised machine - Establish persistence through scheduled tasks or registry modifications - Communicate with attacker-controlled command-and-control (C2) servers - Prepare the system for lateral movement across the network

Why SNOW is Dangerous

Unlike off-the-shelf malware, SNOW is custom-built for this threat group. This means:

Antivirus evasion: Standard antivirus signatures won't catch it
Living-off-the-land techniques: It uses legitimate Windows tools (PowerShell, Task Scheduler) to avoid detection
Credential focus: Its primary goal is stealing domain credentials, which gives attackers immediate access to your network

Here's a simplified example of how SNOW might establish persistence using Windows Task Scheduler:

powershell

# This is the type of command SNOW might execute
# (DO NOT RUN THIS — for educational purposes only)

$TaskName = "Windows Update Service"
$TaskDescription = "Legitimate Windows maintenance task"
$Action = New-ScheduledTaskAction -Execute "C:\Windows\Temp\update.exe"
$Trigger = New-ScheduledTaskTrigger -AtStartup
Register-ScheduledTask -TaskName $TaskName -Action $Action -Trigger $Trigger

This creates a scheduled task that runs malware at startup, making it nearly impossible to detect without proper endpoint monitoring.

🛡️

SECURITY

UNC6692 exploits the trust relationship between employees and IT teams. No amount of firewall rules will stop this — you need behavioral monitoring and user awareness training.

Know your vulnerabilities before attackers do

Run a free VAPT scan — takes 5 minutes, no signup required.

Book Your Free Scan

How to Protect Your Business

As someone who's reviewed hundreds of Indian SMB security postures, I can tell you that most aren't prepared for this type of attack. Here's what you need to do:

Protection Layer	Action	Difficulty	Timeline
User Awareness	Train employees to verify IT requests through official channels	Easy	Immediate
MFA Enforcement	Enable multi-factor authentication on all cloud accounts	Easy	1 week
Teams Security	Restrict external Teams invitations and enable guest access controls	Medium	1-2 weeks
Endpoint Monitoring	Deploy EDR (Endpoint Detection & Response) tools	Hard	2-4 weeks
Credential Hygiene	Implement credential guard and restrict local admin access	Medium	2-3 weeks
Incident Response Plan	Document your 6-hour CERT-In notification process	Medium	1 week

Quick Wins You Can Implement Today

1. Restrict External Teams Invitations

In Microsoft Teams Admin Center, limit who can send chat invitations:

Teams Admin Center → Org-wide settings → Guest access
→ Disable "Allow guest access in Microsoft Teams"
→ Or restrict to verified domains only

2. Enable Conditional Access Policies

If you're using Azure AD (now Entra ID), create a policy that requires MFA for Teams logins:

Azure AD → Conditional Access → New Policy
→ Cloud apps: Microsoft Teams
→ Grant: Require multi-factor authentication

3. Create an IT Verification Procedure

Train your team to verify IT requests using this process:

1. If IT contacts you via Teams/email:
   "I'll verify this by calling our IT desk directly"

2. Hang up and call IT using the number from your company
   directory (NOT from the message)

3. Ask: "Did you just send me a Teams message about [topic]?"

4. If NO → Report it to security immediately

4. Check Your Teams Settings

Run this audit on your Teams instance:

bash

# Using Microsoft Teams PowerShell module
Connect-MicrosoftTeams

# List all external access settings
Get-CsTeamsExternalAccessPolicy

# Check guest access status
Get-CsTeamsGuestMeetingConfiguration

# List all teams and their sensitivity labels
Get-Team | Select-Object DisplayName, Visibility, ResourceProvisioningOptions

💡

TIP

Create a "verified IT contacts" list and share it with all employees. When someone gets a Teams message from IT, they should cross-reference it against this list before clicking anything.

The Credential Theft Connection

UNC6692's focus on credential harvesting tells us something important: they're after persistent access, not just a one-time data grab. Once they have valid domain credentials, they can:

Move laterally across your network
Access your cloud storage and email
Modify security settings to maintain backdoor access
Steal customer data over weeks or months

This is why credential monitoring is critical. Here's what you should be tracking:

bash

# On Windows systems, monitor these event IDs for failed logins:
# Event ID 4625 = Failed login attempt
# Event ID 4720 = New user account created
# Event ID 4722 = User account enabled
# Event ID 4756 = Member added to security group

# Use this PowerShell command to export failed logins:
Get-EventLog -LogName Security -InstanceId 4625 -After (Get-Date).AddDays(-1) | 
  Export-Csv -Path "C:\Logs\FailedLogins.csv" -NoTypeInformation

How Bachao.AI Detects This

This attack demonstrates exactly why we built Bachao.AI's Incident Response and Security Training products:

🎯Key Takeaway

1. Dark Web Monitoring (Rs 2,000/month) If UNC6692 steals your credentials, they often appear on dark web marketplaces or in credential dumps. Our monitoring detects this within hours, not weeks.

2. Security Training — Phishing Simulation (Rs 5,000 for 100 users) We run simulated Teams-based social engineering attacks to identify vulnerable employees before real attackers do. This specific attack vector can be tested in our platform.

3. Incident Response (24/7, Rs 50,000 flat fee + hourly retainer) If you're compromised, our team handles your CERT-In notification within the 6-hour window, coordinates with your IT team, and manages the investigation.

4. VAPT Scan (Rs 5,000 for comprehensive assessment) Our penetration testing includes social engineering assessments that specifically test for Teams-based impersonation attacks.

The reality is this: you can't prevent social engineering 100%, but you can detect it faster and respond better. That's what enterprise security teams do, and that's what we've made accessible for Indian SMBs.

Your 6-Hour DPDP Action Plan

If you suspect you've been compromised by UNC6692 or any threat group:

Hour 0-1: Isolate affected systems from the network Hour 1-3: Preserve evidence and contact your incident response team (or call us) Hour 3-5: Notify CERT-In at incident@cert-in.org.in with:

What happened
When you discovered it
What data may have been affected
What immediate actions you've taken

Hour 5-6: Notify affected individuals and regulators

ℹ️

INFO

India's DPDP Act defines a "personal data breach" as unauthorized access, processing, or disclosure of personal data. Even if attackers only accessed data without exfiltrating it, you must notify CERT-In.

The Bottom Line

UNC6692's Teams impersonation attack is effective because it exploits something no firewall can protect against: human judgment. The best defense is a combination of:

User awareness — Train employees to verify requests
Technical controls — MFA, conditional access, Teams restrictions
Detection capability — Monitor for credential theft and unusual activity
Response readiness — Know your CERT-In notification process

For Indian SMBs without dedicated security teams, this combination is challenging to build alone. That's why we built Bachao.AI — to give you enterprise-grade protection without enterprise-grade overhead.

If you want to test your organization's vulnerability to this attack, we can run a simulated Teams-based social engineering assessment and provide a detailed report on your security posture.

Book Your Free Security Assessment →

Written by Shouvik Mukherjee, Founder of Bachao.AI. I spent years architecting security for Fortune 500 companies before realizing that Indian SMBs needed the same level of protection — but at a price they could afford. Follow me on LinkedIn for daily insights on cybersecurity threats affecting Indian businesses.

Originally reported by The Hacker News

Written by Shouvik Mukherjee, Founder of Bachao.AI. Follow me on LinkedIn for daily cybersecurity insights for Indian businesses.

How UNC6692's Teams Impersonation Attack Threatens Indian SMBs

Bachao.AI Research Team

Get cybersecurity insights for Indian SMBs

Exposed to CVEs like this? Run a free VAPT scan — risk score in 2 hours, no credit card.