<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Dragonforce on ZX Cloud Security</title><link>https://zxcloudsecurity.co.uk/tags/dragonforce/</link><description>Recent content in Dragonforce on ZX Cloud Security</description><generator>Hugo</generator><language>en-GB</language><lastBuildDate>Wed, 18 Jun 2025 13:30:07 +0000</lastBuildDate><atom:link href="https://zxcloudsecurity.co.uk/tags/dragonforce/index.xml" rel="self" type="application/rss+xml"/><item><title>DragonForce Abuses Microsoft Teams C2 Traffic</title><link>https://zxcloudsecurity.co.uk/posts/dragonforce-ransomware-microsoft-teams-relay-backdoor-turn-c2/</link><pubDate>Thu, 18 Jun 2026 13:30:07 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/dragonforce-ransomware-microsoft-teams-relay-backdoor-turn-c2/</guid><description>DragonForce ransomware uses a Go-based RAT to hide C2 traffic inside Microsoft Teams relay infrastructure, evading detection on enterprise networks.</description><content:encoded><![CDATA[<p>🟠 <strong>High</strong>  |  <strong>Source:</strong> <a href="https://thehackernews.com/2026/06/dragonforce-hackers-abuse-microsoft.html">The Hacker News</a></p>
<hr>
<p>The DragonForce ransomware group has deployed a custom Go-based backdoor, Backdoor.Turn, that tunnels command-and-control traffic through Microsoft Teams relay infrastructure to evade detection. By blending malicious traffic with legitimate Teams communications, the group makes it significantly harder for defenders to identify or block C2 activity. The technique was observed in an attack against a major US services organisation, flagged by Symantec and Carbon Black.</p>
<blockquote>
<p><strong>Security Architect&rsquo;s Take:</strong> Review your Microsoft Teams egress traffic and ensure your CASB or network monitoring tools can inspect and baseline Teams relay communications; legitimate use should not produce unusual outbound patterns or connections to unexpected relay endpoints, so deviations from that baseline are worth investigating. Consider implementing Zero Trust network segmentation so that, even if a host is compromised, lateral movement and C2 exfiltration via trusted SaaS channels are detected and restricted.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://thehackernews.com/2026/06/dragonforce-hackers-abuse-microsoft.html">DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic</a></p>
]]></content:encoded></item></channel></rss>