
Google warns of new Microsoft Teams helpdesk scam that steals passwords and installs malware on company systems

Google Threat Intelligence Group says a cluster tracked as UNC6692 floods employees with spam, poses as IT support on Microsoft Teams, harvests passwords through a fake mailbox repair page and drops a three-part malware toolkit on business networks.

Google has issued a fresh cybersecurity warning about a sophisticated scam in which attackers use Microsoft Teams chat invitations, fake IT helpdesk messages and phishing pages to steal employee credentials and gain long-term access to corporate systems.

The alert comes from Google Threat Intelligence Group, which said a cybercriminal cluster tracked as UNC6692 used these tactics in a major campaign last year. According to researchers, the attackers targeted businesses by first overwhelming employees with spam email traffic, then approaching them through Microsoft Teams while pretending to be internal technical support staff.

The campaign highlights how cybercriminals are increasingly blending trusted workplace tools with social engineering methods to break into enterprise networks.

How the Microsoft Teams helpdesk scam begins

Google said the attack often starts with large volumes of spam email sent to employees inside a company. The flood of messages creates confusion and frustration, making staff more likely to accept outside help.

Once the email disruption begins, a person posing as IT support contacts the targeted employee through Microsoft Teams. The fake support worker claims they can resolve the spam problem and directs the victim to install a supposed fix.

Researchers said victims are then sent a link to a page styled as a legitimate repair tool and titled Mailbox Repair Utility. The page includes a Health Check button designed to look like an internal company tool.

When users click it, they are asked to enter their email login details. Nothing about the page has any connection to the victim's mail system; the form exists only to collect what is typed into it.

Google explains the “double entry” password trick

One of the more deceptive features identified by Google is a tactic that asks victims to type their password more than once.

The fake portal intentionally rejects the first and second login attempts with a generic error. This makes the site appear genuine because many users assume they simply mistyped their credentials and try again.

Google researchers said this serves two purposes. First, it strengthens the illusion that the system is authentic and validating the password in real time. Second, it gives the attackers two or three copies of the password, so a single typo on one attempt does not leave them with an unusable credential.

While the victim believes the system is verifying credentials, each submission is quietly transmitted to attacker-controlled cloud storage infrastructure.
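To make the trick concrete, here is an added model of the fake portal's server-side logic. It is not code from Google's report or from UNC6692's kit: the two-rejection rule, the per-user session handling and the reconciliation step are assumptions made for illustration, and the victim account is constructed.

```python
from collections import Counter, defaultdict

REJECT_ATTEMPTS = 2  # assumption: the first two submissions are bounced, as the article describes


class FakePortal:
    """Stand-in for the lure page's backend: every submission is stored,
    and the first REJECT_ATTEMPTS are answered with a fake error."""

    def __init__(self, reject_attempts: int = REJECT_ATTEMPTS):
        self.reject_attempts = reject_attempts
        self.captured = defaultdict(list)  # username -> every password string typed

    def submit(self, username: str, password: str) -> dict:
        # Capture happens before any pretend validation; the victim never sees this.
        self.captured[username].append(password)
        if len(self.captured[username]) <= self.reject_attempts:
            return {"ok": False, "message": "Incorrect password. Please try again."}
        return {"ok": True, "message": "Mailbox health check complete."}

    def best_guess(self, username: str) -> dict:
        """Reconcile the captured attempts: the most repeated value is most likely
        the real password, and a lone differing value is most likely a typo."""
        attempts = self.captured[username]
        value, count = Counter(attempts).most_common(1)[0]
        return {"password": value, "attempts": len(attempts), "agreement": count / len(attempts)}


def demo():
    """Walk a constructed victim through the three submissions the lure forces."""
    portal = FakePortal()
    user = "alice@example.com"  # constructed account
    results = [
        portal.submit(user, "Summer2024!"),  # correct, but rejected on purpose
        portal.submit(user, "Summer2024"),   # victim assumes a typo and drops a character
        portal.submit(user, "Summer2024!"),  # accepted; attacker now holds two matching copies
    ]
    return results, portal.best_guess(user)


if __name__ == "__main__":
    results, guess = demo()
    for r in results:
        print(r["message"])
    print(guess)
```

Seen from the defender's side, the lesson is that a "wrong password" error on a page reached through an unsolicited link is not evidence the page is real, and that mistyping the password on the first attempt does not protect the account.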

Malware is installed while the victim waits

After the login process, the fake page displays what looks like a mailbox scan or repair sequence. During this time, additional malicious files may be silently downloaded to the user’s device.

By the time the employee sees a success message, attackers may already have:

Stolen account credentials

Collected system metadata

Installed persistence tools

Opened pathways for later remote access

Begun reconnaissance inside the company network

This method is especially dangerous because many victims may believe the issue has been resolved and continue using the device normally.

Three malware tools used in the campaign

Google said the broader malware framework used by UNC6692 includes three main components.

SnowBelt

SnowBelt is described as a JavaScript-based backdoor disguised as a browser extension. Google observed it under names such as MS Heartbeat or System Heartbeat.

Its main purpose is to help attackers maintain access over time and interact with infected systems through the browser.

Google noted that SnowBelt is not distributed through the Chrome Web Store, so it has not been through the store's review and must be loaded by other means; victims are induced to install it through the same deception and social engineering used for the credential theft.
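An extension that never passed through the Web Store leaves a trace in the browser profile, which gives defenders a cheap hunt. The following is an added example, not code from Google's report: it reads the JSON preference store of a Chrome or Edge profile ("Preferences", or "Secure Preferences" on Windows, where extension settings are usually kept) and flags extensions that did not come from the Web Store, were loaded from an unpacked directory, or carry a name like the Heartbeat aliases above. The field names (extensions.settings.<id>.from_webstore, .location, .manifest.name, .manifest.update_url) follow Chromium's preference format as I know it, the location values are Chromium's ManifestLocation enum (4 unpacked, 8 command line, 5 and 10 browser components), the name watchlist is an assumption, and the sample profile is constructed.

```python
import json
import re
from pathlib import Path

WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"
SIDELOAD_LOCATIONS = {4, 8}     # unpacked directory, command line
COMPONENT_LOCATIONS = {5, 10}   # shipped with the browser; not user-installed
# Names seen in this campaign plus the lure page's own wording (assumed watchlist).
SUSPICIOUS_NAME = re.compile(r"heartbeat|health\s*check|mailbox\s*repair", re.I)


def audit_extensions(prefs: dict) -> list:
    """Return one finding per extension that fails a trust check."""
    findings = []
    settings = prefs.get("extensions", {}).get("settings", {})
    for ext_id, ext in settings.items():
        if ext.get("location") in COMPONENT_LOCATIONS:
            continue
        manifest = ext.get("manifest", {})
        name = manifest.get("name", "")
        reasons = []
        if not ext.get("from_webstore", False):
            reasons.append("not_from_webstore")
        if ext.get("location") in SIDELOAD_LOCATIONS:
            reasons.append(f"sideloaded_location_{ext.get('location')}")
        update_url = manifest.get("update_url")
        if update_url and update_url != WEBSTORE_UPDATE_URL:
            reasons.append("third_party_update_url")
        if SUSPICIOUS_NAME.search(name):
            reasons.append("suspicious_name")
        if reasons:
            findings.append({"id": ext_id, "name": name, "path": ext.get("path"), "reasons": reasons})
    return findings


def audit_profile(profile_dir: str) -> list:
    """Read both preference files in a profile directory and merge the findings."""
    findings = []
    for fname in ("Preferences", "Secure Preferences"):
        p = Path(profile_dir) / fname
        if p.is_file():
            findings += audit_extensions(json.loads(p.read_text(encoding="utf-8")))
    return findings


# Constructed sample: one Web Store extension and one side-loaded "MS Heartbeat".
SAMPLE_PREFS = {
    "extensions": {
        "settings": {
            "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {
                "from_webstore": True, "location": 1, "state": 1,
                "path": "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\\1.2.3_0",
                "manifest": {"name": "Ad Blocker", "version": "1.2.3",
                             "update_url": WEBSTORE_UPDATE_URL},
            },
            "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {
                "from_webstore": False, "location": 4, "state": 1,
                "path": "C:\\Users\\alice\\AppData\\Local\\Temp\\mailbox_fix\\ext",
                "manifest": {"name": "MS Heartbeat", "version": "0.1",
                             "background": {"service_worker": "bg.js"}},
            },
        }
    }
}

if __name__ == "__main__":
    for finding in audit_extensions(SAMPLE_PREFS):
        print(finding)
```

Run audit_profile() against each user's profile directory (for Chrome on Windows, %LOCALAPPDATA%\Google\Chrome\User Data\Default) from an endpoint management job. An extension whose path points into a temp directory and whose name imitates a system component is worth pulling for analysis even when the name watchlist does not fire.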

SnowGlaze

SnowGlaze is a Python-based tunneling tool that works on both Windows and Linux systems.

It creates communication tunnels between compromised devices and attacker infrastructure. Researchers said the tool disguises its traffic by wrapping data in JSON objects and Base64-encoding the payload, so that to a monitoring system looking only for obvious binary or shell content the exchange resembles an ordinary web API call.

SnowBasin

SnowBasin is a Python-based backdoor used for direct attacker operations.

Google said it can:

Execute remote commands

Capture screenshots

Prepare stolen data for transfer

Support reconnaissance tasks inside networks

Researchers explained that commands such as checking user accounts or system identity can be sent through the malware chain and returned to the attacker through the same hidden channel.
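The JSON-and-Base64 channel described for SnowGlaze, and the reconnaissance commands relayed through it, can be modelled from both sides. The following is an added example, not code from Google's report or from the tools themselves: the envelope fields ("id", "type", "data"), the command keyword list and the entropy threshold are assumptions chosen to show the idea, and the traffic is constructed. build_envelope() shows how a task and its answer look on the wire; find_encoded_payloads() is the defensive half, which decodes Base64-looking strings inside JSON bodies and reports the ones that turn into command text or into a high-entropy blob of the kind a staged binary produces.

```python
import base64
import json
import math
import re

# Base64 alphabet, at least 16 characters, optional padding (assumed floor to cut noise).
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
# Reconnaissance commands of the kind the report says are relayed through the channel.
CMD_RE = re.compile(r"\b(whoami|hostname|systeminfo|ipconfig|net\s+user|uname|id)\b", re.I)
ENTROPY_THRESHOLD = 7.5   # bits per byte; packed or encrypted files sit close to 8.0
MIN_BLOB_LEN = 256        # ignore tiny strings when applying the entropy rule


def build_envelope(seq: int, kind: str, payload: bytes) -> str:
    """Attacker side (modelled): a task or result as Base64 inside a JSON object."""
    return json.dumps({"id": seq, "type": kind,
                       "data": base64.b64encode(payload).decode("ascii")})


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the input; 8.0 means every byte value is equally common."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def _walk(obj, path=""):
    """Yield (json_path, value) for every leaf so nested envelopes are not missed."""
    if isinstance(obj, dict):
        for k, v in obj.items():
            yield from _walk(v, f"{path}.{k}" if path else k)
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            yield from _walk(v, f"{path}[{i}]")
    else:
        yield path, obj


def find_encoded_payloads(json_bodies):
    """Defender side: decode Base64-looking strings in JSON bodies and flag the ones
    that turn into command text or into a high-entropy blob (a staged file)."""
    hits = []
    for body in json_bodies:
        try:
            doc = json.loads(body)
        except ValueError:
            continue
        for path, val in _walk(doc):
            if not (isinstance(val, str) and B64_RE.match(val)):
                continue
            try:
                raw = base64.b64decode(val, validate=True)
            except ValueError:        # binascii.Error is a ValueError subclass
                continue
            text = raw.decode("utf-8", errors="replace")
            if CMD_RE.search(text):
                hits.append({"path": path, "kind": "command_text", "preview": text[:40]})
            elif len(raw) >= MIN_BLOB_LEN and shannon_entropy(raw) >= ENTROPY_THRESHOLD:
                hits.append({"path": path, "kind": "high_entropy_blob", "bytes": len(raw)})
    return hits


# Constructed sample traffic: one benign telemetry body and three modelled envelopes.
STAGED_BLOB = bytes(range(256)) * 8   # stand-in for a packed binary; entropy is exactly 8.0
SAMPLE_BODIES = [
    json.dumps({"event": "page_view", "session": "c3f1a9d2", "ts": 1700000000}),
    build_envelope(1, "task", b"whoami /all && hostname"),
    build_envelope(2, "result", b"CORP\\alice\nWS-0142\n"),
    build_envelope(3, "file", STAGED_BLOB),
]

if __name__ == "__main__":
    for hit in find_encoded_payloads(SAMPLE_BODIES):
        print(hit)
```

Note what the sample shows: the task and the staged file are flagged, but the result body (a username and a hostname) slips past the keyword rule. That is the honest limit of content matching, so pair it with context such as an unknown destination, a fixed JSON shape, or a steady cadence of small POSTs carrying one Base64 field, rather than relying on the decoded text alone.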

Why attackers are using Microsoft Teams

Security analysts say collaboration platforms like Microsoft Teams have become attractive targets because employees trust them and use them every day.

Unlike suspicious external emails, a Teams message offering help may appear routine during a technical problem. In busy workplaces, staff may react quickly without verifying whether the sender is legitimate.

This reflects a wider trend in cybercrime where attackers no longer rely only on malware attachments. Instead, they exploit human behavior, urgency and trust in common business tools.

No confirmed link to known hacking groups

Google noted that similar helpdesk impersonation tactics have previously been associated with groups such as ShinyHunters and Lapsus$.

However, researchers said there is currently no confirmed evidence linking those groups directly to UNC6692.

That distinction is important because tactics spread quickly between criminal actors, with multiple groups copying whatever has worked for others.

Microsoft also flagged similar scams

The warning follows separate reports from Microsoft about scams involving fake helpdesk personnel contacting users through Teams.

Although researchers said the campaigns were unrelated, both incidents point to a clear pattern: business messaging platforms are becoming active battlegrounds for cybercrime.

How businesses can reduce the risk

Cybersecurity experts say companies should treat unexpected support messages with caution, even when they arrive through internal collaboration apps.

Recommended protections include:

Verify IT requests through official internal channels

Never enter passwords after clicking unsolicited links

Use multi-factor authentication on employee accounts, preferably a phishing-resistant method such as FIDO2 security keys or passkeys, since a password captured by a fake portal is only one factor

Restrict installation of browser extensions and unknown tools, for example by allow-listing extensions through managed browser policy and blocking unpacked or sideloaded ones

Train staff to identify phishing attempts inside chat platforms

Monitor unusual login activity and outbound transfers to cloud storage services the organization does not use

Organizations should also ensure employees know that legitimate support teams rarely ask for passwords through chat.

Growing pressure on corporate security teams

The latest Google warning shows how attackers are adapting to modern workplace habits. As businesses rely more heavily on chat apps, cloud systems and remote collaboration, criminals are searching for the weakest point in the chain: user trust.

For companies, the message is clear. Security defenses must now cover not only email inboxes, but also collaboration platforms where employees communicate every day.

The UNC6692 campaign demonstrates that a simple Teams message can become the starting point for a serious network breach if staff are not prepared.

Khogendra Rupini

Khogendra Rupini is a full-stack developer and independent news writer, and the founder and CEO of Levoric Learn. His journalism is grounded in verified information and factual accuracy, with reporting informed by reputable sources and careful analysis rather than live or speculative updates. He covers technology, artificial intelligence, cybersecurity, and global affairs, producing clear, well-contextualized articles that emphasize credibility, precision, and public relevance.
