DragonForce Ransomware Hides C2 Traffic Inside Microsoft Teams Relay Servers

Ransomware operators found a backdoor into your network. It looks exactly like a Teams meeting.

Symantec and Carbon Black disclosed that DragonForce ransomware affiliates deployed Backdoor.Turn — a Go-based implant that tunnels its command-and-control traffic through Microsoft Teams TURN relay servers. The malware obtains an anonymous Teams visitor token, uses a legitimate Microsoft relay for connection setup, then runs an encrypted QUIC session to the attacker’s real C2 server. Firewalls and security tools only see outbound traffic to Microsoft IP ranges — indistinguishable from legitimate Teams usage.

In the confirmed incident, attackers stayed undetected for 1–2 months before deploying ransomware.

Six weeks earlier, MuddyWater — an Iranian state actor — used Teams screen-sharing sessions to harvest MFA credentials from employees who believed they were talking to their IT help desk. Two major threat actors, two completely different techniques, one platform, six weeks apart. The “trust Microsoft infrastructure = trust the traffic” assumption is now a documented attack surface.

Three things to verify: Is anonymous external access via Teams visitor tokens enabled in your tenant? Do your egress rules apply blanket trust to Microsoft IP ranges without inspecting session behavior? Does your SIEM alert on Teams activity from devices not enrolled in Entra ID?
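The second and third checks can be expressed as one SIEM-style rule: inspect flows to Microsoft ranges instead of trusting them, and flag any that come from a device Entra ID does not know or that outlive a plausible meeting. The script below is an added illustration, not code from Symantec, Carbon Black or Microsoft; the flow log format, the prefix list, the eight-hour ceiling and the host names are all constructed assumptions.

```python
import ipaddress
import json
from datetime import datetime, timedelta

# Assumption: these prefixes stand in for Microsoft's published Teams ranges;
# a real deployment loads the current list from the Microsoft 365 endpoint service.
MICROSOFT_PREFIXES = [ipaddress.ip_network(p) for p in ("52.112.0.0/14", "52.122.0.0/15")]
MAX_SESSION = timedelta(hours=8)  # assumed ceiling for one legitimate meeting or call

# Constructed sample: NDJSON flow records as a firewall or proxy might export them.
SAMPLE_FLOWS = """
{"src_host": "LAPTOP-01", "dst_ip": "52.113.10.20", "dst_port": 3478, "proto": "udp", "start": "2025-01-10T09:00:00", "end": "2025-01-10T09:45:00"}
{"src_host": "SRV-FILE-03", "dst_ip": "52.113.10.20", "dst_port": 3478, "proto": "udp", "start": "2025-01-10T02:00:00", "end": "2025-01-11T02:00:00"}
{"src_host": "LAPTOP-01", "dst_ip": "52.123.4.5", "dst_port": 443, "proto": "udp", "start": "2025-01-10T10:00:00", "end": "2025-01-11T10:00:00"}
{"src_host": "LAPTOP-02", "dst_ip": "93.184.216.34", "dst_port": 443, "proto": "tcp", "start": "2025-01-10T10:00:00", "end": "2025-01-10T10:01:00"}
""".strip()

# Constructed: devices enrolled in Entra ID; a file server has no business running Teams.
ENROLLED_DEVICES = {"LAPTOP-01", "LAPTOP-02"}


def is_microsoft(ip):
    """True when the destination falls inside a Microsoft-owned prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MICROSOFT_PREFIXES)


def detect(ndjson, enrolled):
    """Return (host, reason) pairs for Microsoft-bound flows that break Teams expectations."""
    findings = []
    for line in ndjson.splitlines():
        rec = json.loads(line)
        if not is_microsoft(rec["dst_ip"]):
            continue  # only Microsoft-bound traffic is in scope for this rule
        duration = datetime.fromisoformat(rec["end"]) - datetime.fromisoformat(rec["start"])
        if rec["src_host"] not in enrolled:
            findings.append((rec["src_host"], "Teams-range traffic from a device not enrolled in Entra ID"))
        elif duration > MAX_SESSION:
            findings.append((rec["src_host"], f"session to {rec['dst_ip']}:{rec['dst_port']} lasted {duration}"))
    return findings


if __name__ == "__main__":
    for host, reason in detect(SAMPLE_FLOWS, ENROLLED_DEVICES):
        print(f"ALERT {host}: {reason}")
```

On the sample data the rule raises two alerts: the unenrolled file server reaching a relay range, and an enrolled laptop holding a UDP/443 session to a Microsoft address for a full day.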

For those who want a deeper dive into this topic: