DragonForce ransomware hid command traffic inside Microsoft Teams for months
Symantec reports that DragonForce ransomware operators stayed hidden inside a major US services firm's network for up to two months by disguising their command-and-control traffic as ordinary Microsoft Teams activity. A new Go-based backdoor, Backdoor.Turn, grabs an anonymous Teams visitor token, routes through a legitimate Microsoft Teams relay server, and then tunnels to the attackers' real server, so defenders watching the network only see connections to genuine Microsoft infrastructure. It is the first known malware to abuse Teams relay servers this way. The attackers also used a custom malicious driver to disable defenses, and installed the backdoor after deploying ransomware, suggesting they kept access for a return visit or to resell.
- Check: Hunt for anomalous QUIC and Teams-relay traffic and unexpected processes making Teams connections, and review hosts for suspicious drivers, new accounts, and weakened password or firewall settings.
- Affected: Organizations targeted by DragonForce; because the backdoor blends into legitimate Microsoft Teams traffic, network monitoring alone may miss it, leaving internet-facing database servers and weak segmentation as entry points.
- Fix: Patch internet-facing SQL and other servers, enforce least privilege and driver-signing controls, monitor for Teams-relay abuse and BYOVD activity, and maintain tested offline backups and network segmentation to limit ransomware impact.