New Threat Group Uses Microsoft Teams Impersonation and Custom Malware to Steal Corporate Data

Google's Threat Intelligence Group identifies previously unknown crew deploying 'Snow' malware via fake helpdesk calls

By Zotpaper
A previously unknown cybercriminal group has been identified conducting data-theft attacks by impersonating IT helpdesk staff through Microsoft Teams chat invitations while simultaneously deploying custom malware, according to research published Friday by Google's Threat Intelligence Group.

A newly discovered threat group is combining familiar social engineering techniques with bespoke malicious software to compromise corporate networks, Google's Threat Intelligence Group (GTIG) warned this week.

The crime crew's method of attack centres on Microsoft Teams, the widely used workplace communication platform. Attackers initiate unsolicited chat sessions while posing as internal IT helpdesk personnel, using the apparent legitimacy of the platform to lower victims' defences. Once trust is established, the group deploys custom malware that researchers have named 'Snow' to exfiltrate sensitive data from targeted systems.

A Familiar Playbook With a New Twist

The social engineering tactics themselves — impersonating helpdesk staff, creating a sense of urgency around a technical problem — are well-worn approaches in the cybercriminal toolkit. What distinguishes this group is the use of purpose-built malware rather than off-the-shelf tools commonly available on criminal marketplaces. Custom malware typically signals a more sophisticated or well-resourced threat actor, and can make detection harder since it lacks the known signatures of widely circulated malicious software.

Microsoft Teams has become an increasingly attractive target for threat actors as organisations have embedded it deeply into their daily operations. Because employees routinely receive legitimate helpdesk communications through the platform, malicious messages can blend convincingly into normal workflows.

Broader Trend of Teams-Based Attacks

This incident is not the first time Microsoft Teams has been exploited in this manner. Security researchers have documented multiple campaigns in recent years using the platform as an initial access vector, including attacks attributed to both criminal groups and nation-state actors. Microsoft has responded to some of these campaigns by tightening default settings around external chat requests, though organisations must actively configure these controls to benefit from them.

Google's GTIG did not publicly attribute the group to any known nation-state or criminal organisation, describing them as previously unknown. Further technical details about the Snow malware — including its full capabilities, persistence mechanisms, and command-and-control infrastructure — were not fully disclosed in the initial report, a common practice when investigations are ongoing.

What Organisations Should Do

Security professionals recommend that organisations restrict or disable external Microsoft Teams messaging from unknown domains, train employees to verify the identity of any unsolicited IT contact through a separate, known communication channel, and apply the principle of least privilege to limit the damage any successful intrusion can cause.
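The first two of those recommendations can be turned into a triage rule. As an added illustration (not code from the article, from Google GTIG, or from Microsoft), the Python below scores constructed Teams chat-invite records: an invite scores higher when the sender is outside the tenant and not on the federation allowlist, when the sender's display name mimics internal IT support while the account is external, and when the message pushes urgency or asks the recipient to install or run something. The record fields, domain names, keyword lists and thresholds are all assumptions for the example; real Teams audit records would have to be mapped onto these fields first.

```python
"""Heuristic triage of unsolicited Teams chat invitations.

Added example, not part of the original article or of GTIG's report.
The event layout (one dict per invite), the domains and the keyword
lists are constructed for illustration.
"""
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "corp.example"                 # assumed home tenant
ALLOWED_EXTERNAL_DOMAINS = {"partner.example"}   # assumed federation allowlist

# Display names that read like internal IT support (constructed list).
HELPDESK_PATTERN = re.compile(
    r"\b(help ?desk|it support|service ?desk|it dept)\b", re.IGNORECASE)
# Pressure cues typical of helpdesk-impersonation lures (constructed list).
URGENCY_PATTERN = re.compile(
    r"\b(urgent|immediately|asap|locked|suspended|expire)\b", re.IGNORECASE)
# Requests to fetch or execute something on the victim's machine.
ACTION_PATTERN = re.compile(r"\b(install|download|run)\b", re.IGNORECASE)


@dataclass
class Finding:
    sender: str
    score: int
    severity: str
    reasons: list = field(default_factory=list)


def sender_domain(upn: str) -> str:
    """Return the lower-cased domain part of a user principal name."""
    return upn.rsplit("@", 1)[-1].lower()


def severity(score: int) -> str:
    """Map a numeric score onto a coarse label (thresholds are assumptions)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def triage_invite(event: dict) -> Finding:
    """Score one chat-invite record and explain every point awarded."""
    reasons, score = [], 0
    domain = sender_domain(event["sender_upn"])
    external = domain != INTERNAL_DOMAIN

    # Unknown external tenant: the control the article says to restrict.
    if external and domain not in ALLOWED_EXTERNAL_DOMAINS:
        score += 3
        reasons.append(f"sender domain {domain} is external and not allowlisted")

    # An internal-looking helpdesk name is only suspicious on an external account.
    if external and HELPDESK_PATTERN.search(event["sender_display_name"]):
        score += 3
        reasons.append("display name mimics internal IT support but account is external")

    if URGENCY_PATTERN.search(event["message"]):
        score += 1
        reasons.append("message applies urgency pressure")

    if ACTION_PATTERN.search(event["message"]):
        score += 1
        reasons.append("message asks recipient to install, download or run something")

    return Finding(event["sender_upn"], score, severity(score), reasons)


def triage_all(events: list) -> list:
    """Triage a batch and return findings sorted from most to least suspicious."""
    return sorted((triage_invite(e) for e in events), key=lambda f: -f.score)


# Constructed sample invites; none of these is a real account or message.
SAMPLE_EVENTS = [
    {"sender_upn": "svc-it@randomtenant.example", "sender_display_name": "IT Helpdesk",
     "message": "Urgent: your mailbox will be suspended, please install the support tool."},
    {"sender_upn": "alice@partner.example", "sender_display_name": "Alice Ng",
     "message": "Can we move the sync to 3pm?"},
    {"sender_upn": "helpdesk@corp.example", "sender_display_name": "IT Helpdesk",
     "message": "Reminder: password rotation is due next week."},
    {"sender_upn": "ops@partner.example", "sender_display_name": "IT Service Desk",
     "message": "Please run the attached tool immediately."},
]

if __name__ == "__main__":
    for f in triage_all(SAMPLE_EVENTS):
        print(f"{f.severity:6} {f.score:2}  {f.sender}  {'; '.join(f.reasons) or '-'}")
```

Note that the fourth sample scores medium even though the domain is allowlisted: federation trust says who may message you, not who they claim to be, which is why the display-name check is applied to every external account rather than only to unknown tenants.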

Google's disclosure serves as a reminder that even mature, widely deployed enterprise tools carry inherent risks when they intersect with human trust — a vulnerability that technical controls alone cannot fully address.

§

Analysis

Why This Matters

  • Enterprise risk is immediate: Microsoft Teams is deployed across millions of organisations worldwide, meaning the potential attack surface for this technique is vast. Any employee who receives an unsolicited Teams message from someone claiming to be IT support is a potential target.
  • Custom malware raises the stakes: The development of bespoke 'Snow' malware suggests this group has meaningful technical resources and intent to evade standard detection tools, making it harder for security teams relying on signature-based defences to catch infections early.
  • Disclosure may accelerate copycat attacks: Publishing details of a successful technique — even partially — can inspire imitation by other criminal groups before defenders have fully adapted.

Background

Microsoft Teams emerged as a dominant workplace communication tool during the COVID-19 pandemic, growing from approximately 32 million daily active users in 2019 to over 300 million by the mid-2020s. This rapid adoption created fertile ground for attackers, who recognised that employees had been trained to trust and act on messages received through the platform.

High-profile Teams-based attacks began attracting public attention around 2023, when threat actors linked to the Russian group Midnight Blizzard (also known as Cozy Bear) were found using compromised Microsoft 365 tenants to send phishing messages via Teams. Separately, researchers documented criminal groups using Teams to deliver ransomware by posing as technical support. These incidents prompted Microsoft to introduce additional external access controls, though adoption of those controls has been uneven across organisations.

The use of helpdesk impersonation as a social engineering vector has an even longer history, dating back to telephone-based 'vishing' attacks long before enterprise chat platforms existed. The migration of this technique to Teams represents an evolution rather than an invention.

Key Perspectives

Security researchers (Google GTIG): The identification and public disclosure of this group is intended to help defenders recognise the attack pattern and build appropriate detections before the campaign scales further. Researchers emphasise the combination of social engineering and custom tooling as the key differentiator.

Organisations and IT administrators: Many security teams are stretched thin managing alerts across multiple platforms. Teams-based threats add another channel to monitor, and the helpdesk impersonation angle is particularly dangerous because employees are culturally conditioned to comply with IT requests quickly.

Critics and skeptics: Some security professionals argue that repeated warnings about Teams-based attacks have not translated into meaningful changes in default platform configurations or employee behaviour, suggesting that vendor action — not user education alone — is needed to raise the baseline level of protection.

What to Watch

  • Microsoft's response: Whether Microsoft moves to tighten default settings for external Teams communications further, or issues specific guidance addressing this campaign.
  • Expansion of Snow malware sightings: If other threat intelligence firms begin reporting Snow malware detections, it would indicate the campaign is scaling and spreading beyond its current footprint.
  • Attribution developments: Google's GTIG may release follow-up reporting as the investigation matures, potentially linking this group to known criminal ecosystems or state-sponsored activity.


Zotpaper

Articles published under the Zotpaper byline are synthesized from multiple source publications by our AI editor and reviewed by our editorial process. Each story combines reporting from credible outlets to give readers a balanced, comprehensive view.