Threat Analysis
Inside the "Snow" Malware Suite: From a Microsoft Teams Chat to a Full Network Compromise
written by: Kyle Mayotte

A Microsoft Teams invite shouldn't be the first link in an attack chain that ends with full network compromise. But that's exactly how the "Snow" malware suite, currently being tracked by Mandiant and Google's Threat Intelligence Group (GTIG), is operating in the wild.
It's a quiet campaign by design, and that's what makes it worth understanding before it shows up in your environment.
The initial vector
The chain starts with a phishing technique that's become increasingly common over the last 18 months: external Microsoft Teams invites used to bypass the trust signals users associate with email-based phishing.
In Snow's case, the attacker delivers an invite for what appears to be an internal IT utility, labeled "Mailbox Repair and Sync Utility v2.1.5." The naming manufactures urgency, mimics IT help-desk language, and arrives through a Microsoft surface most users aren't trained to scrutinize.
Often, the Teams invite is preceded by an email-bombing campaign, a flood of low-quality emails designed to overwhelm the user's inbox so the eventual "fix it" Teams message feels like a relief. Standard social engineering scaffolding, applied to a less-defended channel.
Stage one: SnowBelt
The first stage is a piece of malware called SnowBelt — a JavaScript-based browser extension designed to run headlessly. That's the design choice that matters most.
A headless extension doesn't appear in the user's browser UI. It doesn't show up in extension management interfaces the way most users would expect. And it slips past many EDR products that aren't tuned to monitor extension installation as an attack surface.
Once installed, SnowBelt sits quietly. It harvests credentials, session tokens, and authenticated browser context, which is exactly the kind of data that turns a single endpoint compromise into a much larger problem.
Stages two and three: SnowGlaze and SnowBasin
SnowBelt isn't operating alone. The full Snow suite includes two additional components:
SnowGlaze — a Python-based tunneler that establishes covert command-and-control channels back to attacker infrastructure
SnowBasin — a Python-based backdoor that provides persistent remote access to the compromised host
The architecture is modular. SnowBelt handles the credential harvest. SnowGlaze handles the tunneling. SnowBasin handles persistence. Each component is small, single-purpose, and easy to swap out, which makes the campaign harder to fully fingerprint and easier for the operator to update.
The exfiltration: AWS S3 as cover
Where Snow gets clever is in how it moves data out.
Rather than routing exfiltration through dedicated attacker infrastructure that would generate suspicious DNS or unusual outbound connections, the campaign stages payloads and exfiltrated data through attacker-controlled AWS S3 buckets.
The result: outbound traffic that looks indistinguishable from any other legitimate cloud activity. No anomalous domains. No flagged IP reputations. No obvious tells in your egress monitoring.
This is the same playbook we've seen across an increasing number of campaigns over the past year: adversaries living inside legitimate cloud services to evade infrastructure-based detection. Snow is a particularly clean implementation.
What to hunt for, right now
Defensive priorities for any organization running Microsoft 365 with Teams enabled:
Restrict external Teams invites at the tenant level. The default settings on most tenants are too permissive for the current threat landscape. Federation and external-access controls in the Teams admin center are the first place to tighten.
Monitor for headless browser process spawning — particularly headless Edge — on endpoints that aren't owned by developers or QA engineers. This is one of the cleanest detection signals for SnowBelt.
Audit browser extensions across the fleet. Most organizations have no visibility into what extensions are installed where. Snow exploits exactly that gap.
Watch outbound S3 traffic patterns. You're not going to block all of it — too many legitimate workflows depend on S3 — but anomaly detection on volume and timing patterns is achievable.
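As an added illustration of the headless-browser signal above (this is not code from Mandiant, GTIG, or the Snow reporting), the following Python hunt logic runs over constructed Sysmon-style process-creation records and flags headless Edge/Chrome launches by accounts outside a developer/QA allowlist. The account names, the allowlist, and the extra weighting given to an extension side-loaded from a user-writable path via the Chromium `--load-extension` flag are assumptions for the example, not documented details of the Snow campaign.

```python
import re
from typing import Optional

BROWSERS = {"msedge.exe", "chrome.exe"}  # Chromium family in scope (assumption)
# Constructed allowlist: accounts expected to run headless browsers (dev/QA)
DEV_ACCOUNTS = {r"CORP\dev.alice", r"CORP\qa.bob"}

HEADLESS_RE = re.compile(r"(?<!\S)--headless(?:=\w+)?(?!\S)")
LOAD_EXT_RE = re.compile(r"--load-extension=(\S+)")
USER_PATH_RE = re.compile(r"\\Users\\|\\AppData\\|\\Temp\\", re.IGNORECASE)

def parse_event(line: str) -> dict:
    """Parse one constructed 'Key=Value|Key=Value' process-creation record."""
    return dict(part.split("=", 1) for part in line.strip().split("|"))

def is_headless(cmdline: str) -> bool:
    """True for --headless and --headless=new; not for 'headless' elsewhere."""
    return HEADLESS_RE.search(cmdline) is not None

def classify(event: dict) -> Optional[str]:
    """Return a hunt reason for a headless browser launch, or None if benign."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmdline = event.get("CommandLine", "")
    if image not in BROWSERS or not is_headless(cmdline):
        return None
    if event.get("User") in DEV_ACCOUNTS:
        return None  # expected headless use; tune this list per environment
    # Assumption: an extension side-loaded from a user-writable path is the
    # stronger signal; a bare headless launch by a normal user is still a lead.
    m = LOAD_EXT_RE.search(cmdline)
    if m and USER_PATH_RE.search(m.group(1)):
        return "headless browser with extension loaded from user-writable path"
    return "headless browser launched by non-developer account"

def hunt(lines):
    """Return (user, reason) for every event worth a hunt ticket."""
    out = []
    for line in lines:
        if line.strip():
            event = parse_event(line)
            reason = classify(event)
            if reason:
                out.append((event["User"], reason))
    return out

# Constructed sample events (Sysmon-style fields flattened to one line each)
EVENTS = r"""
Image=C:\Program Files\Microsoft\Edge\Application\msedge.exe|User=CORP\j.smith|CommandLine="msedge.exe" --headless=new --load-extension=C:\Users\j.smith\AppData\Local\Temp\mbxrepair
Image=C:\Program Files\Microsoft\Edge\Application\msedge.exe|User=CORP\dev.alice|CommandLine="msedge.exe" --headless --screenshot https://intranet.example
Image=C:\Program Files\Microsoft\Edge\Application\msedge.exe|User=CORP\m.jones|CommandLine="msedge.exe" https://teams.microsoft.com
Image=C:\Program Files\Microsoft\Edge\Application\msedge.exe|User=CORP\p.lee|CommandLine="msedge.exe" --headless
""".strip().splitlines()

FINDINGS = hunt(EVENTS)
```

Feed it real process-creation telemetry by mapping your EDR's image, user, and command-line fields into the same three keys; the regexes and allowlist are the only parts that need tuning.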
The bigger picture
The Snow suite is interesting on its own, but it's also a useful illustration of where threat actor tradecraft is heading. The trend lines are consistent.
Phishing is moving off email and into trusted collaboration channels. Malware is becoming more modular and harder to fingerprint as a single artifact. Exfiltration is increasingly hidden inside legitimate cloud services. And campaigns are running quietly for longer before being publicly tracked.
Each of these shifts widens the gap between when an attack starts and when most security teams can assemble the intelligence picture they need to respond. By the time a typical CTI workflow has finished correlating IOCs from one campaign, the operator has already rotated infrastructure for the next.
Closing
If you're tracking Snow in your environment, the fundamentals haven't changed: tighten Teams external access, get visibility into browser extensions, hunt headless processes, watch egress patterns. The detection logic is solid, and your team can run it.
What's harder to fix manually is the speed at which intelligence about campaigns like this becomes available, correlatable, and actionable inside your specific environment. That's the bottleneck. And it's the part that shouldn't have been manual to begin with.