Ransomware gang abuses Microsoft Teams relays to hide malicious traffic
The DragonForce ransomware group is abusing Microsoft Teams' TURN relay servers to conceal command-and-control (C2) traffic, the first known use of this infrastructure for malware operations. The attack uses a Go-based backdoor called Backdoor.Turn, whose traffic blends in with legitimate Teams media relay communications. Multiple reports confirm this as an active tactic, and some also link the intrusions to a previously unknown vulnerability in a Huawei driver. Because the backdoor's connections terminate at Microsoft-owned relay addresses that many networks allowlist for Teams, the technique sidesteps defenses that key on destination reputation or unusual egress rather than on which process is talking to the relay.
What changed
This is the first confirmed instance of Microsoft Teams TURN relays being abused as a malware C2 channel in live attacks.
Live updates
DragonForce Ransomware Uses Microsoft Teams Relays to Evade Detection
What's confirmed:
- DragonForce ransomware is using Microsoft Teams' TURN relay servers to hide command-and-control traffic, so the backdoor's connections look like ordinary Teams media relay sessions.
- Backdoor.Turn, a Go-based remote access trojan (RAT), is the first known malware to abuse Microsoft Teams relays for this purpose.
- The backdoor uses Teams visitor (guest) tokens to obtain relay access and route its communications through Microsoft's own infrastructure.
- Because the destination seen on the wire is a Microsoft relay, the tactic evades network defenses that rely on destination reputation, allowlists for Teams traffic, or anomalous egress patterns to spot C2.
- Some reports indicate the attackers may have leveraged a previously unknown vulnerability in a Huawei driver to facilitate the attack.
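Since the relay destination itself is legitimate, the practical detection signal is which process on the endpoint is setting up a TURN allocation. The following is an added example written for this page, not code from the reports or from any vendor: it decodes the STUN/TURN header (RFC 8489 magic cookie, method and class bits, attribute TLVs), and flags TURN Allocate or Refresh requests sent to Teams relay ranges by any image other than the Teams client or a browser. The relay address ranges and ports, the process allowlist, and the sample flows (including the `updater.exe` path) are assumptions constructed for the example and should be replaced with current Microsoft documentation and your own telemetry.

```python
import struct
import ipaddress

STUN_MAGIC_COOKIE = 0x2112A442

# STUN/TURN method numbers (RFC 8489 Binding; RFC 8656 Allocate, Refresh,
# CreatePermission, ChannelBind). The 14-bit type field carries the message
# class in bits 4 and 8 and the method in the remaining 12 bits.
METHOD_NAMES = {0x001: "Binding", 0x003: "Allocate", 0x004: "Refresh",
                0x008: "CreatePermission", 0x009: "ChannelBind"}
CLASS_NAMES = {0: "request", 1: "indication", 2: "success", 3: "error"}
ATTR_REQUESTED_TRANSPORT = 0x0019  # TURN attribute; first value byte 0x11 = UDP

# Assumption: Teams media relay ranges and ports as published by Microsoft;
# verify against the current documentation before deploying.
TEAMS_RELAY_NETS = [ipaddress.ip_network("52.112.0.0/14"),
                    ipaddress.ip_network("52.120.0.0/14")]
TEAMS_RELAY_PORTS = {3478, 3479, 3480, 3481, 443}
# Assumption: the only images expected to speak TURN to those relays on a
# managed workstation (Teams desktop client and browsers used for web Teams).
EXPECTED_TURN_CLIENTS = {"ms-teams.exe", "teams.exe", "msedge.exe", "chrome.exe"}


def parse_stun(payload: bytes):
    """Decode a STUN/TURN message header and attributes; None if not STUN."""
    if len(payload) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    if cookie != STUN_MAGIC_COOKIE or msg_type & 0xC000 or len(payload) < 20 + length:
        return None
    method = (msg_type & 0x000F) | ((msg_type & 0x00E0) >> 1) | ((msg_type & 0x3E00) >> 2)
    cls = ((msg_type & 0x0010) >> 4) | ((msg_type & 0x0100) >> 7)
    attrs, body, pos = {}, payload[20:20 + length], 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        attrs[atype] = body[pos + 4:pos + 4 + alen]
        pos += 4 + ((alen + 3) & ~3)  # attribute values are padded to 4 bytes
    return {
        "method": METHOD_NAMES.get(method, f"0x{method:03x}"),
        "class": CLASS_NAMES[cls],
        "txid": payload[8:20].hex(),
        "requested_transport_udp": attrs.get(ATTR_REQUESTED_TRANSPORT, b"")[:1] == b"\x11",
    }


def is_teams_relay(dst_ip: str, dst_port: int) -> bool:
    ip = ipaddress.ip_address(dst_ip)
    return dst_port in TEAMS_RELAY_PORTS and any(ip in net for net in TEAMS_RELAY_NETS)


def triage(flows):
    """Return flows where a non-Teams image sets up a TURN allocation on a Teams relay."""
    findings = []
    for flow in flows:
        stun = parse_stun(flow["payload"])
        if stun is None or not is_teams_relay(flow["dst_ip"], flow["dst_port"]):
            continue
        # Allocate/Refresh requests obtain and keep a relayed transport address;
        # a bare Binding request is also sent by ordinary NAT discovery, so skip it.
        if stun["class"] != "request" or stun["method"] not in ("Allocate", "Refresh"):
            continue
        if flow["image"].lower() in EXPECTED_TURN_CLIENTS:
            continue
        findings.append({"host": flow["host"], "image": flow["image"], "path": flow["path"],
                         "dst": f'{flow["dst_ip"]}:{flow["dst_port"]}',
                         "method": stun["method"], "txid": stun["txid"]})
    return findings


# --- constructed sample telemetry (not real captures) ----------------------
def build_stun(msg_type: int, txid: bytes, attrs: bytes = b"") -> bytes:
    return struct.pack("!HHI", msg_type, len(attrs), STUN_MAGIC_COOKIE) + txid + attrs

def build_attr(atype: int, value: bytes) -> bytes:
    return struct.pack("!HH", atype, len(value)) + value + b"\x00" * (-len(value) % 4)

REQ_UDP = build_attr(ATTR_REQUESTED_TRANSPORT, b"\x11\x00\x00\x00")
SAMPLE_FLOWS = [
    # Teams client allocating a relay: expected.
    {"host": "WS-0142", "image": "ms-teams.exe", "path": r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe",
     "dst_ip": "52.113.10.5", "dst_port": 3478, "payload": build_stun(0x0003, b"\x01" * 12, REQ_UDP)},
    # Browser sending a Binding request (NAT discovery) to the same relay: expected.
    {"host": "WS-0142", "image": "msedge.exe", "path": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "dst_ip": "52.113.10.5", "dst_port": 3478, "payload": build_stun(0x0001, b"\x02" * 12)},
    # Unknown binary in a user temp directory allocating a relay: the pattern to alert on.
    {"host": "WS-0142", "image": "updater.exe", "path": r"C:\Users\jdoe\AppData\Local\Temp\updater.exe",
     "dst_ip": "52.113.10.5", "dst_port": 3478, "payload": build_stun(0x0003, b"\x03" * 12, REQ_UDP)},
    # Same binary, non-STUN bytes to an unrelated host: not STUN, so this rule ignores it.
    {"host": "WS-0142", "image": "updater.exe", "path": r"C:\Users\jdoe\AppData\Local\Temp\updater.exe",
     "dst_ip": "203.0.113.7", "dst_port": 443, "payload": b"\x16\x03\x01\x00\x05hello"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FLOWS):
        print(f"{f['host']} {f['image']} ({f['path']}) -> {f['dst']} TURN {f['method']} txid={f['txid']}")
```

The rule deliberately keys on the process image rather than on the destination, because the destination is exactly what this tactic makes look benign; in production the allowlist should be tightened with signer and path checks, and Allocate success responses (class `success`) from the relay confirm that the allocation was granted rather than merely attempted.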
Still unconfirmed:
- The DragonForce campaign is specifically targeting UK small and medium-sized businesses (SMBs) alongside this new tactic.
- Fortinet FortiSandbox flaws are being actively exploited in conjunction with the Microsoft Teams relay abuse.