The DragonForce ransomware gang has developed a custom malware strain, dubbed 'Backdoor.Turn,' that leverages Microsoft Teams relays to hide its command-and-control (C2) traffic. By piggybacking on the legitimate relay infrastructure, the malware blends malicious communications with normal Teams traffic, making detection significantly harder for traditional network defenses. BleepingComputer reported the finding earlier today.
This technique exploits the trust that organizations place in widely used collaboration platforms. Instead of establishing suspicious outbound connections to unknown IPs, the malware routes C2 data through Microsoft's own Teams relays, so the traffic passes many security tools that allow-list Microsoft services outright. The risk is heightened by DragonForce's history of following initial access with ransomware payloads that encrypt files and demand payment.
Technical details indicate that 'Backdoor.Turn' establishes a covert channel using the Teams relay protocol. The malware masquerades its data as standard Teams signaling, enabling bidirectional communication with the attackers. Analysts found that the backdoor can receive commands to execute additional payloads, exfiltrate data, or manipulate compromised endpoints. Indicators of compromise include unusual Teams relay connection patterns and unexplained outbound traffic to Microsoft endpoints.
No specific patches or workarounds have been released for this abuse method, as the vulnerability lies in how Teams relays are trusted, not in the software itself. Organizations are advised to monitor Teams relay logs for anomalous connections and restrict outbound relay traffic to only known endpoints. Microsoft is reportedly investigating the campaign.
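The two defensive actions the article names, watching for unusual relay connection patterns and limiting relay traffic to known endpoints, can be turned into concrete detection logic. The script below is an added example written for this page; it is not code from BleepingComputer, Microsoft, or any analysis of Backdoor.Turn. It reads constructed endpoint flow records (timestamp, host, process, destination, port, protocol, bytes) and raises three kinds of alert on traffic bound for Teams relay address space: relay traffic from a process that is not the Teams client, relay traffic on a port outside the expected media-relay port set, and periodic "beacon-like" relay sessions, which are unlike the continuous media streams a real call produces. The relay IP ranges, relay ports and Teams process names are assumptions taken from Microsoft's published Microsoft 365 endpoint list and the client's executable names; verify them against the current list for your tenant before relying on them, and tune the beacon thresholds against a baseline of your own Teams traffic.

```python
"""Flag anomalous Microsoft Teams relay traffic from endpoint flow logs.

Added example for this article; the log lines, hostnames and process names are
constructed, and the relay ranges/ports are assumptions to verify against
Microsoft's current published endpoint list.
"""
from __future__ import annotations

import ipaddress
import statistics
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# ASSUMPTION: Teams media relay address space and UDP/TCP ports as published in
# the Microsoft 365 endpoint list (media relay entries). Confirm before use.
RELAY_NETS = [ipaddress.ip_network("52.112.0.0/14"),
              ipaddress.ip_network("52.122.0.0/15")]
RELAY_PORTS = {3478, 3479, 3480, 3481, 443}
# ASSUMPTION: executable names of the classic and new Teams desktop clients.
TEAMS_PROCS = {"teams.exe", "ms-teams.exe"}


@dataclass
class Flow:
    ts: datetime
    host: str
    process: str
    dst_ip: str
    dst_port: int
    proto: str
    bytes_out: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed CSV flow record: ts,host,process,dst_ip,port,proto,bytes."""
    ts, host, proc, dst, port, proto, b = line.strip().split(",")
    return Flow(datetime.fromisoformat(ts), host, proc, dst, int(port), proto, int(b))


def is_relay_dst(ip: str) -> bool:
    """True if the destination falls inside the assumed Teams relay ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RELAY_NETS)


def analyze(flows, beacon_min: int = 6, cv_max: float = 0.15):
    """Return (rule, description) alerts for relay-bound flows.

    beacon_min: minimum sessions to the same relay before periodicity is judged.
    cv_max:     coefficient of variation of inter-session gaps below which the
                sessions are considered machine-regular (beacon-like).
    """
    groups: dict[tuple, list[Flow]] = defaultdict(list)
    for f in flows:
        if is_relay_dst(f.dst_ip):
            groups[(f.host, f.process.lower(), f.dst_ip, f.dst_port, f.proto)].append(f)

    alerts = []
    for (host, proc, dst, port, proto), fl in groups.items():
        key = f"{host} {proc} -> {dst}:{port}/{proto}"
        # Rule 1: relay traffic that did not originate from the Teams client.
        if proc not in TEAMS_PROCS:
            alerts.append(("non_teams_process", key))
        # Rule 2: relay address space reached on a port Teams media never uses.
        if port not in RELAY_PORTS:
            alerts.append(("unexpected_relay_port", key))
        # Rule 3: many short sessions at near-constant intervals (C2 check-ins),
        # as opposed to the few long-lived sessions a human-initiated call makes.
        if len(fl) >= beacon_min:
            ts = sorted(f.ts for f in fl)
            gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
            mean = statistics.mean(gaps)
            if mean > 0 and statistics.pstdev(gaps) / mean < cv_max:
                alerts.append(("periodic_relay_beacon", key))
    return alerts


# Constructed sample: WS01 runs a normal Teams call plus one odd-port relay flow;
# WS07 has a non-Teams process checking in with a relay every 60 seconds.
SAMPLE_LOG = [
    "2024-06-03T09:00:00,WS01,ms-teams.exe,52.113.10.20,3478,udp,184320",
    "2024-06-03T09:12:30,WS01,ms-teams.exe,52.113.10.20,3478,udp,902144",
    "2024-06-03T09:47:05,WS01,ms-teams.exe,52.113.10.20,3478,udp,421888",
    "2024-06-03T10:02:00,WS01,ms-teams.exe,52.113.10.20,8080,tcp,2048",
    "2024-06-03T09:15:00,WS01,chrome.exe,203.0.113.5,443,tcp,7168",
] + [
    f"2024-06-03T09:{m:02d}:00,WS07,updater.exe,52.113.10.21,3478,udp,1024"
    for m in range(0, 8)
]


def run_sample():
    """Run the detector over the constructed log and return its alerts."""
    return analyze(parse_flow(line) for line in SAMPLE_LOG)


if __name__ == "__main__":
    for rule, desc in run_sample():
        print(f"[{rule}] {desc}")
```

In production the same three rules would run over EDR network telemetry or firewall logs joined with process context; the process-attribution rule is the strongest of the three, because relay traffic from anything other than the Teams client has no benign explanation, while the port and periodicity rules need a baseline to keep false positives down.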
Attribution points directly to DragonForce, a ransomware group known for targeting critical infrastructure. This development underscores a growing trend of threat actors exploiting trusted SaaS platforms, a tactic that requires a shift in defensive strategy toward application-layer monitoring and behavior analytics rather than reliance on allow-listing vendor infrastructure.