TechRadar
Sead Fadilpašić

'An interesting evolution in tactics': Google security experts flag new cyber scam which abuses Microsoft Teams to steal your data

  • Google identifies new threat group, UNC6692, using spam floods and fake IT support messages via Microsoft Teams to trick victims
  • Targets were lured to a landing page that harvested credentials and deployed a three‑part malware framework themed around snow
  • The toolkit includes a persistence‑focused browser extension, a tunneling tool for data exfiltration, and a backdoor enabling full endpoint takeover

Google has sounded the alarm on a previously undocumented threat actor group that uses cheeky social engineering tactics to deploy a trilogy of malware.

In an in-depth report, Google said it saw UNC6692, seemingly a new collective, bombard target email inboxes with a flood of spam messages in a short timeframe.

Soon after, they would contact the owner of that inbox via Microsoft Teams, using the cross-tenant chat feature, and introduce themselves as IT/helpdesk staff. They would claim they had been tasked with fixing the spam problem and would share a link to a landing page where the supposed fix could be found.

The 'snow' framework

Victims who follow the link are first asked to run a “health check” by clicking a button on the page; this prompts them to authenticate with their email address and password, which are then sent to the attackers’ servers.

Google also noticed that the login attempt never succeeds on the first try. This is deliberate: it increases perceived legitimacy and ensures victims don’t get away with submitting a fake or mistyped password.

After “logging in”, the page performs an “email integrity check”, which is just a cover for what happens in the background: the deployment of a malware framework made up of three components.

"By the time the user receives a 'Configuration completed successfully' message, the attacker has secured the credentials and potentially established a persistent foothold on the endpoint using these staged files," Google said in the report.

The framework is themed around snow, and contains three tools: SnowBelt, SnowGlaze, and SnowBasin.

The first is a Chromium-based extension that establishes persistence via the browser’s extension registration system. The extensions are often named “MS Heartbeat” or “System Heatbeat”.

The second is a tunneler that sets up an authenticated WebSocket tunnel, giving the attackers a convenient command channel and a possible route for data exfiltration. The third is a backdoor that allows full endpoint takeover.
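A defender-side triage check for the first component, added here as an example that comes from neither Google's report nor the article: it reads a Chromium Preferences (or Secure Preferences) file and flags extensions that either carry one of the reported names or were installed outside the Web Store. The JSON layout and the numeric location codes are assumptions drawn from Chromium's preference format and should be checked against the browser build in use.

```python
import json

# Extension display names the article reports for the SnowBelt extension.
INDICATOR_NAMES = {"ms heartbeat", "system heatbeat"}

# Chromium stores how each extension was installed in the "location" field of
# extensions.settings. The codes below are assumed from Chromium's
# Manifest::Location enum (1 = Web Store, 2 = external pref, 3 = external
# registry, 4 = unpacked, 8 = command line); verify against your browser build.
SIDELOAD_LOCATIONS = {2: "external-pref", 3: "external-registry",
                      4: "unpacked", 8: "command-line"}


def find_suspicious_extensions(prefs_text: str) -> list:
    """Scan a Chromium Preferences / Secure Preferences JSON document and return
    one finding per extension that carries a reported indicator name or was
    installed outside the Web Store (an empty list means nothing was flagged)."""
    prefs = json.loads(prefs_text)
    settings = prefs.get("extensions", {}).get("settings", {})
    findings = []
    for ext_id, entry in settings.items():
        # Normalise whitespace and case so "MS  Heartbeat" still matches.
        name = " ".join(str(entry.get("manifest", {}).get("name", "")).split())
        location = entry.get("location")
        reasons = []
        if name.lower() in INDICATOR_NAMES:
            reasons.append(f"name matches reported indicator {name!r}")
        if location in SIDELOAD_LOCATIONS:
            reasons.append(f"installed via {SIDELOAD_LOCATIONS[location]}, not the Web Store")
        if reasons:
            findings.append({"id": ext_id, "name": name,
                             "path": entry.get("path"), "reasons": reasons})
    return findings


# Constructed sample excerpt (not real data): a benign Web Store extension beside
# an unpacked one that uses a name from the article.
SAMPLE_PREFS = json.dumps({"extensions": {"settings": {
    "a" * 32: {"location": 1, "path": "a" * 32 + "\\1.0_0",
               "manifest": {"name": "Example Store Extension"}},
    "b" * 32: {"location": 4, "path": "C:\\Users\\Public\\ms_heartbeat",
               "manifest": {"name": "MS Heartbeat"}},
}}})

if __name__ == "__main__":
    for f in find_suspicious_extensions(SAMPLE_PREFS):
        print(f["id"], f["name"], f["path"], "|", "; ".join(f["reasons"]))
```

On a live system, point it at the profile's Preferences and Secure Preferences files and treat any unpacked or command-line extension as worth a closer look, not just the named ones.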
