Microsoft · The Register
Crime crew impersonates help desk, abuses Microsoft Teams to steal your data
Compiled by KHAO Editorial — aggregated from 1 outlet.
A previously unknown threat group using tried-and-tested social engineering tactics - Microsoft Teams chat invitations and helpdesk staff impersonation - is also using custom malware in its data-stealing attacks, according to Google's Threat Intelligence Group.
Key facts
- A previously unknown threat group using tried-and-tested social engineering tactics (Microsoft Teams chat invitations and helpdesk staff impersonation) is also using custom malware
- The threat hunters say they spotted a "large email campaign" in late December 2025
- Then someone posing as helpdesk personnel would reach out via Microsoft Teams to offer help with the email volume
- The Snow malware reportedly operates as a modular ecosystem with three primary components: SnowBelt, SnowGlaze, and SnowBasin
Summary
The threat hunters say they spotted a "large email campaign" in late December 2025. The fake helpdesk worker prompts the user to click a link that supposedly installs a local patch that prevents email spamming. The credential-harvest script also uses a sneaky "double-entry" psychological trick that auto-rejects the first and second password attempts as incorrect. "This serves two functions: it reinforces the user's belief that the system is legitimate and performs real-time validation, and it ensures that the attacker captures the password twice, significantly reducing the risk of a typo in the stolen data," according to GTIG.
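The sequence described above (an inbound email flood, then a Teams message from someone posing as helpdesk) can be hunted for by correlating the two events per user. The following is an added example, not code from GTIG or The Register; the event fields, tenant names, keyword list and thresholds are assumptions, and the sample events are constructed.

```python
import re
from datetime import datetime, timedelta

# Display-name keywords are an assumption; tune to your own helpdesk naming.
HELPDESK_RE = re.compile(r"help\s*desk|it support|service desk", re.I)

def find_suspect_chats(events, home_tenant, min_emails=100,
                       lookback=timedelta(hours=2)):
    """Return (user, sender_name, email_count) for each external,
    helpdesk-named Teams chat that follows an email flood to that user."""
    mail_times = {}
    for e in events:
        if e["type"] == "email":
            mail_times.setdefault(e["user"], []).append(e["time"])
    hits = []
    for e in events:
        if e["type"] != "teams_chat":
            continue
        if e["sender_tenant"] == home_tenant:
            continue  # internal senders are out of scope for this check
        if not HELPDESK_RE.search(e["sender_name"]):
            continue
        recent = [t for t in mail_times.get(e["user"], [])
                  if e["time"] - lookback <= t <= e["time"]]
        if len(recent) >= min_emails:
            hits.append((e["user"], e["sender_name"], len(recent)))
    return hits

def sample_events():
    """Constructed sample data (hypothetical schema), not from the report."""
    t0 = datetime(2025, 12, 29, 9, 0)
    ev = [{"type": "email", "user": "alice", "time": t0 + timedelta(seconds=20 * i)}
          for i in range(150)]  # flood: 150 mails in under an hour
    ev += [{"type": "email", "user": "bob", "time": t0 + timedelta(minutes=10 * i)}
           for i in range(5)]   # ordinary volume
    chat = {"type": "teams_chat", "time": t0 + timedelta(minutes=55)}
    ev.append({**chat, "user": "alice", "sender_name": "IT Help Desk",
               "sender_tenant": "external-example"})
    ev.append({**chat, "user": "bob", "sender_name": "IT Help Desk",
               "sender_tenant": "external-example"})
    ev.append({**chat, "user": "alice", "sender_name": "Help Desk",
               "sender_tenant": "corp"})
    return ev

if __name__ == "__main__":
    for hit in find_suspect_chats(sample_events(), home_tenant="corp"):
        print(hit)
```

Only the external chat to the flooded mailbox is flagged; the same external sender contacting a user with normal mail volume, and the internal helpdesk account, are not.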