Ransomware Gang Exploits Microsoft Teams Infrastructure to Hide Malicious Activity

A ransomware group known as DragonForce has been observed abusing Microsoft Teams relay systems to conceal command-and-control (C2) communications, according to recent cybersecurity findings.

Security researchers report that the group deployed a custom backdoor, identified as “Backdoor.Turn,” designed to disguise malicious network traffic by routing it through Microsoft’s legitimate communication infrastructure.
The malware leverages the Traversal Using Relays around NAT (TURN) protocol, a standard mechanism used by Microsoft Teams to facilitate communication between users when direct connections are not possible—such as when devices are operating behind private networks or firewalls. By exploiting this system, attackers are able to mask their activity within trusted cloud traffic, making detection significantly more difficult.
Cybersecurity experts say this technique allows threat actors to blend in with normal enterprise communications, reducing the likelihood of being flagged by traditional security monitoring tools. The abuse of widely used collaboration platforms like Microsoft Teams highlights an increasing trend in which attackers rely on legitimate services to bypass defensive systems.
DragonForce, active since at least 2023, has evolved into a structured ransomware operation resembling a cartel-style organization. Analysts have previously linked elements of its activity to the well-known cybercrime group Scattered Spider, suggesting possible overlaps in tactics, infrastructure, or affiliates.
The group is primarily known for ransomware attacks, data theft, and extortion campaigns targeting organizations across multiple sectors. Its adoption of stealth techniques such as relay abuse reflects a broader shift in ransomware operations toward more sophisticated and harder-to-detect methods.
Cybersecurity specialists warn that the misuse of trusted collaboration tools poses a growing challenge for enterprises, as attackers increasingly exploit cloud-based platforms that are essential to modern workplace communication.
Organizations are being advised to strengthen endpoint monitoring, inspect encrypted traffic patterns more carefully, and implement stricter controls on abnormal usage of collaboration services.
The latest findings underscore how ransomware groups continue to adapt their strategies, blending into legitimate digital ecosystems to evade detection while maintaining persistent access to compromised networks.
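One way to act on the advice about abnormal usage of collaboration services is to check endpoint telemetry for processes other than the Teams client that connect to Teams relay addresses. The sketch below is an added example, not code from the researchers' report; the relay ranges and ports are assumptions taken from Microsoft's published Microsoft 365 endpoint list, and the expected process names, hosts and events are constructed.

```python
import csv
import io
import ipaddress

# Assumption: Teams media/relay ranges and TURN ports as listed in Microsoft's
# published Microsoft 365 endpoint documentation; verify against the current list.
TEAMS_RELAY_NETS = [ipaddress.ip_network(n) for n in ("52.112.0.0/14", "52.122.0.0/15")]
TURN_UDP_PORTS = range(3478, 3482)
# Assumption: image names expected to talk to Teams relays in this environment.
# Add browsers here if the Teams web client is in use.
EXPECTED_IMAGES = {"ms-teams.exe", "teams.exe", "msedgewebview2.exe"}

# Constructed sample telemetry (per-process network connections), not from the report.
SAMPLE_EVENTS = r"""host,image,proto,dst_ip,dst_port
ws-014,C:\Program Files\WindowsApps\MSTeams\ms-teams.exe,udp,52.113.10.20,3478
ws-014,C:\Users\Public\svchelper.exe,udp,52.114.77.5,3479
srv-db2,C:\Windows\Temp\upd.exe,tcp,52.123.4.9,443
ws-022,C:\Program Files\Mozilla Firefox\firefox.exe,tcp,93.184.216.34,443
"""

def is_teams_relay(ip, proto, port):
    """True if the destination looks like a Teams TURN relay (UDP 3478-3481 or TCP 443)."""
    addr = ipaddress.ip_address(ip)
    if not any(addr in net for net in TEAMS_RELAY_NETS):
        return False
    return (proto == "udp" and port in TURN_UDP_PORTS) or (proto == "tcp" and port == 443)

def find_unexpected_relay_clients(events_csv):
    """Return (host, image, proto/port, dst_ip) for non-Teams processes using Teams relays."""
    findings = []
    for row in csv.DictReader(io.StringIO(events_csv)):
        # Reduce the full Windows path to a lower-case image name.
        image = row["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if image in EXPECTED_IMAGES:
            continue
        proto, port = row["proto"].lower(), int(row["dst_port"])
        if is_teams_relay(row["dst_ip"], proto, port):
            findings.append((row["host"], image, f"{proto}/{port}", row["dst_ip"]))
    return findings

if __name__ == "__main__":
    for finding in find_unexpected_relay_clients(SAMPLE_EVENTS):
        print("unexpected Teams relay client:", *finding)
```

Matching on image name alone is easy to evade by renaming a binary, so a production rule should also compare the install path and code-signing publisher, and treat any relay traffic from servers that have no Teams client as suspect.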









