The DragonForce ransomware gang used Microsoft Teams relay infrastructure to hide malicious command-and-control traffic during a recent attack on a U.S. firm [1, 2].
This technique is significant because it allows attackers to bypass security defenses by making their communications appear as legitimate business traffic. By leveraging trusted cloud services, ransomware operators can maintain persistence within a network while avoiding detection by security software that typically trusts Microsoft domains [3, 7].
To execute the operation, the hackers deployed custom malware known as Backdoor.Turn [1, 6]. This tool routed traffic through Microsoft Teams relay servers, which served as an intermediary between the infected system and the attackers' own servers [1, 4]. The malware specifically abused Teams visitor tokens to mask the nature of the data being transmitted [1, 4].
The attack occurred this month and targeted a firm based in the United States [2, 4]. By routing the traffic through the global Microsoft Teams infrastructure, the DragonForce-linked hackers ensured that the activity blended in with the standard noise of a corporate environment [3, 5].
Security researchers said that the primary goal of this method was to conceal the command-and-control traffic from defenders [2, 7]. When security tools monitor network traffic, they often see connections to Microsoft services as benign. The use of a relay effectively blinds defenders to the fact that a malicious actor is controlling the system from the outside [1, 7].
This incident highlights a growing trend where ransomware groups move away from standalone servers and toward the abuse of legitimate cloud infrastructure to facilitate their operations [3, 5].
The use of 'living-off-the-cloud' techniques represents a shift in ransomware strategy. By abusing trusted relay services like Microsoft Teams, attackers can neutralize traditional perimeter defenses that rely on domain reputation. This forces security teams to move beyond simple traffic monitoring and toward deeper behavioral analysis to identify anomalies within trusted encrypted streams.
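The contrast the paragraph above draws, domain reputation versus behavioural analysis, can be shown on a handful of flow records. The script below is an added example, not code from the article or from any vendor cited in it: it feeds constructed flow-log lines (a placeholder relay hostname, invented host names and timestamps) to two checks. A reputation allowlist marks every flow to the "trusted" relay as benign, while a timing check computes the coefficient of variation of the gaps between a host's connections and flags the host whose check-ins recur at a near-constant interval, a pattern more typical of automated command-and-control than of human collaboration traffic. Thresholds and the log format are assumptions for the demonstration.

```python
"""Reputation allowlist vs. beacon-regularity check over constructed flow logs.

Added example; the relay hostname below is a placeholder, not a real
Microsoft endpoint, and the log format is invented for this demonstration.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow lines: "<epoch> <src_host> <dst_host> <bytes_out>".
# ws-finance-07 connects exactly every 60 s (beacon-like);
# ws-hr-02 connects at irregular, human-looking intervals.
SAMPLE_FLOWS = """\
1700000000 ws-finance-07 teams-relay.example.net 1480
1700000060 ws-finance-07 teams-relay.example.net 1502
1700000120 ws-finance-07 teams-relay.example.net 1477
1700000180 ws-finance-07 teams-relay.example.net 1499
1700000240 ws-finance-07 teams-relay.example.net 1480
1700000300 ws-finance-07 teams-relay.example.net 1491
1700000005 ws-hr-02 teams-relay.example.net 80211
1700000913 ws-hr-02 teams-relay.example.net 2301
1700002450 ws-hr-02 teams-relay.example.net 55012
1700004100 ws-hr-02 teams-relay.example.net 3109
1700004130 ws-hr-02 teams-relay.example.net 12840
"""

# What a reputation-based allowlist would contain (placeholder domain).
TRUSTED_DOMAINS = {"teams-relay.example.net"}


def parse_flows(text):
    """Parse the constructed log format into (ts, src, dst, bytes) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append((int(ts), src, dst, int(nbytes)))
    return flows


def reputation_verdicts(flows):
    """Allowlist logic: a host is 'benign' if all its flows go to trusted domains."""
    verdicts = {}
    for _, src, dst, _ in flows:
        if dst not in TRUSTED_DOMAINS:
            verdicts[src] = "review"
        else:
            verdicts.setdefault(src, "benign")
    return verdicts


def beacon_score(timestamps):
    """Coefficient of variation of inter-connection gaps; ~0 means metronomic.

    Returns None when there are too few events to judge.
    """
    ts = sorted(timestamps)
    if len(ts) < 4:
        return None
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m else None


def behavioural_verdicts(flows, max_cv=0.2):
    """Flag a host as 'beacon-like' when its connections to any single
    destination recur with a coefficient of variation at or below max_cv,
    regardless of how reputable the destination domain is."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in flows:
        by_pair[(src, dst)].append(ts)
    verdicts = {}
    for (src, _), stamps in by_pair.items():
        cv = beacon_score(stamps)
        if cv is not None and cv <= max_cv:
            verdicts[src] = "beacon-like"
        else:
            verdicts.setdefault(src, "benign")
    return verdicts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("reputation :", reputation_verdicts(flows))
    print("behavioural:", behavioural_verdicts(flows))
```

Run as-is, the reputation check reports both hosts as benign because every flow lands on the allowlisted relay, while the timing check singles out ws-finance-07. In practice this kind of check is one signal among several (process attribution, byte-count regularity, jitter-tolerant interval clustering), since real implants add jitter and real collaboration clients also poll; the point is that the trust decision moves from the destination's name to the behaviour of the stream.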