The DragonForce ransomware operation has begun using a custom backdoor tool that hides its command-and-control communications inside Microsoft Teams relay infrastructure, according to recent threat intelligence findings. The malware, designated Backdoor.Turn, represents a sophisticated evasion technique that exploits the trusted nature of Microsoft's collaboration platform to avoid detection by security tools.
DragonForce has emerged as an active ransomware threat actor targeting organizations across multiple sectors. By developing custom malware specifically designed to abuse Microsoft Teams infrastructure, the group demonstrates technical capability and an understanding of how enterprises rely on cloud-based collaboration tools for daily operations.
Backdoor.Turn works by tunneling command-and-control traffic through Microsoft Teams relay servers, effectively disguising malicious communications as legitimate business traffic. This approach takes advantage of the fact that most organizations whitelist Microsoft Teams traffic and do not subject it to the same level of scrutiny as other network connections. Security tools that rely on reputation-based filtering or standard traffic analysis may fail to identify the malicious activity hidden within these trusted channels.
The use of legitimate infrastructure for malicious purposes creates significant challenges for security operations teams. Organizations that depend on Microsoft Teams for communication may find it difficult to distinguish between normal user activity and attacker traffic without implementing specialized detection methods. This technique also complicates incident response efforts, as blocking the malicious traffic could disrupt legitimate business communications.
Security teams should implement enhanced monitoring for Microsoft Teams relay traffic, looking for unusual patterns such as connections from unexpected geographic locations, from hosts that do not normally use Teams, or during off-hours. Network segmentation and endpoint detection tools capable of behavioral analysis can help identify suspicious activity even when it uses trusted infrastructure. Organizations should also ensure their security information and event management (SIEM) systems are configured to correlate Teams relay traffic with other indicators of compromise across their environment, so that an anomalous relay session can be tied to the host and user behind it.
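The following is an added example of the baseline-and-anomaly check described above; it is not code from the article, from BleepingComputer, or from any vendor's detection content. It runs over a few constructed egress firewall log lines and flags Teams relay sessions that are off-hours, come from a host with no Teams usage baseline, run far longer than a plausible call, or push an unusual volume outbound. The relay port range (UDP 3478-3481), the log format, the host addresses and the thresholds are all assumptions chosen for illustration and should be replaced with what your own egress logs and Teams deployment actually show.

```python
"""Flag anomalous Microsoft Teams relay sessions in egress logs.

Added example (not from the article or any vendor). All log lines, hosts,
users and thresholds below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Assumption: Teams media relays are reached over UDP 3478-3481. Adjust to
# whatever your firewall/proxy identifies as Teams relay destinations.
RELAY_PORTS = {3478, 3479, 3480, 3481}
BUSINESS_START, BUSINESS_END = time(7, 0), time(19, 0)  # org-specific window
LONG_SESSION_SEC = 4 * 3600          # longer than any plausible call/meeting
HIGH_BYTES_OUT = 200 * 1024 * 1024   # outbound volume no ordinary call reaches

# Constructed baseline: hosts observed using Teams relays during a prior
# learning window. In practice this is derived from historical logs.
KNOWN_TEAMS_HOSTS = {"10.1.4.22", "10.1.7.9", "10.1.3.5"}

# Constructed sample log lines (timestamps treated as local business time).
CONSTRUCTED_LOGS = """\
2024-05-01T09:12:03Z src=10.1.4.22 dst=52.112.0.10 dport=3478 proto=udp bytes_out=18400000 duration=1820 user=alice
2024-05-01T10:30:41Z src=10.1.4.22 dst=52.112.0.11 dport=3479 proto=udp bytes_out=9500000 duration=900 user=alice
2024-05-01T13:05:19Z src=10.1.7.9 dst=52.112.0.10 dport=3478 proto=udp bytes_out=22000000 duration=2400 user=bob
2024-05-02T02:41:55Z src=10.1.9.77 dst=52.112.0.12 dport=3480 proto=udp bytes_out=3100000 duration=21600 user=svc-backup
2024-05-02T03:00:00Z src=10.1.9.77 dst=40.1.2.3 dport=443 proto=tcp bytes_out=1000 duration=5 user=svc-backup
2024-05-02T11:00:00Z src=10.1.4.22 dst=52.112.0.10 dport=3478 proto=udp bytes_out=15000000 duration=1500 user=alice
2024-05-02T14:20:00Z src=10.1.3.5 dst=52.112.0.11 dport=3478 proto=udp bytes_out=250000000 duration=3000 user=carol
"""


@dataclass
class RelayEvent:
    ts: datetime
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int
    duration: int
    user: str


def parse_line(line: str) -> RelayEvent:
    """Parse one 'timestamp key=value ...' log line into a RelayEvent."""
    ts_text, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return RelayEvent(
        ts=datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ"),
        src=kv["src"], dst=kv["dst"], dport=int(kv["dport"]),
        proto=kv["proto"], bytes_out=int(kv["bytes_out"]),
        duration=int(kv["duration"]), user=kv["user"],
    )


def is_relay(ev: RelayEvent) -> bool:
    """True when the flow looks like a Teams media relay session."""
    return ev.proto == "udp" and ev.dport in RELAY_PORTS


def rules_for(ev: RelayEvent, baseline_hosts: set) -> list:
    """Return the names of every anomaly rule this relay session trips."""
    hits = []
    if not (BUSINESS_START <= ev.ts.time() <= BUSINESS_END):
        hits.append("off_hours")
    if ev.src not in baseline_hosts:
        hits.append("unbaselined_host")
    if ev.duration > LONG_SESSION_SEC:
        hits.append("long_session")
    if ev.bytes_out > HIGH_BYTES_OUT:
        hits.append("high_volume")
    return hits


def detect(log_text: str, baseline_hosts: set) -> list:
    """Run the rules over relay sessions only; each hit is one finding dict
    carrying the host/user context a SIEM would correlate on."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        if not is_relay(ev):
            continue  # non-relay traffic is out of scope for these rules
        for rule in rules_for(ev, baseline_hosts):
            findings.append({"ts": ev.ts.isoformat(), "src": ev.src,
                             "user": ev.user, "dst": ev.dst, "rule": rule})
    return findings


if __name__ == "__main__":
    for finding in detect(CONSTRUCTED_LOGS, KNOWN_TEAMS_HOSTS):
        print(finding)
```

On the constructed input the backup service account's 02:41 relay session trips three rules at once (off-hours, no baseline, six-hour duration), which is the kind of stacked anomaly worth routing to an analyst, while the 443 connection from the same host is ignored because it is not relay traffic. Each finding carries the source host and user so that the SIEM can join it against endpoint telemetry and other indicators rather than treating the relay connection in isolation.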
Source: https://www.bleepingcomputer.com/news/security/ransomware-gang-abuses-microsoft-teams-relays-to-hide-malicious-traffic/