<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Microsoft-Teams on ZX Cloud Security</title><link>https://zxcloudsecurity.co.uk/tags/microsoft-teams/</link><description>Recent content in Microsoft-Teams on ZX Cloud Security</description><generator>Hugo</generator><language>en-GB</language><lastBuildDate>Wed, 18 Jun 2025 13:30:07 +0000</lastBuildDate><atom:link href="https://zxcloudsecurity.co.uk/tags/microsoft-teams/index.xml" rel="self" type="application/rss+xml"/><item><title>DragonForce Abuses Microsoft Teams C2 Traffic</title><link>https://zxcloudsecurity.co.uk/posts/dragonforce-ransomware-microsoft-teams-relay-backdoor-turn-c2/</link><pubDate>Thu, 18 Jun 2026 13:30:07 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/dragonforce-ransomware-microsoft-teams-relay-backdoor-turn-c2/</guid><description>DragonForce ransomware uses a Go-based RAT to hide C2 traffic inside Microsoft Teams relay infrastructure, evading detection on enterprise networks.</description><content:encoded><![CDATA[<p>🟠 <strong>High</strong>  |  <strong>Source:</strong> <a href="https://thehackernews.com/2026/06/dragonforce-hackers-abuse-microsoft.html">The Hacker News</a></p>
<hr>
<p>The DragonForce ransomware group has deployed a custom Go-based backdoor, Backdoor.Turn, that tunnels command-and-control traffic through Microsoft Teams relay infrastructure to evade detection. By blending malicious traffic with legitimate Teams communications, the group makes it significantly harder for defenders to identify or block C2 activity. The technique was observed in an attack against a major US services organisation, flagged by Symantec and Carbon Black.</p>
<blockquote>
<p><strong>Security Architect&rsquo;s Take:</strong> Review which hosts and processes reach the Microsoft Teams media relay endpoints, and make sure your CASB or network monitoring can baseline that traffic: relay sessions should come only from the Teams client (or a browser running Teams) on the published relay ranges and ports. Because those relays are Microsoft&rsquo;s own infrastructure and cannot be blocked without breaking calls, the useful signal is on the host: a non-Teams process holding relay sessions, or a Teams-named binary running from an unexpected path. Pair this with Zero Trust network segmentation so that, even when a host is compromised, lateral movement and C2 or exfiltration over trusted SaaS channels are detected and restricted.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://thehackernews.com/2026/06/dragonforce-hackers-abuse-microsoft.html">DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic</a></p>
]]></content:encoded></item><item><title>Malware Hides C2 Traffic in Microsoft Teams</title><link>https://zxcloudsecurity.co.uk/posts/malware-hides-command-and-control-traffic-microsoft-teams/</link><pubDate>Tue, 16 Jun 2026 14:41:00 +0000</pubDate><guid>https://zxcloudsecurity.co.uk/posts/malware-hides-command-and-control-traffic-microsoft-teams/</guid><description>Custom malware abuses Microsoft Teams to disguise command-and-control traffic as normal collaboration, evading detection in enterprise environments.</description><content:encoded><![CDATA[<p>🟠 <strong>High</strong>  |  <strong>Source:</strong> <a href="https://www.theregister.com/cyber-crime/2026/06/16/crooks-found-a-new-way-to-collaborate-using-teams-by-hiding-command-and-control-traffic/5256296">The Register — Security</a></p>
<hr>
<p>Attackers have developed custom malware that routes command-and-control traffic through Microsoft Teams, disguising malicious communications as legitimate corporate collaboration activity. By abusing a trusted Microsoft service, the malware makes it significantly harder for security tools and analysts to distinguish attacker traffic from normal business use. This lowers the attacker&rsquo;s risk of detection and complicates incident response, particularly in organisations that rely heavily on Teams.</p>
<blockquote>
<p><strong>Security Architect&rsquo;s Take:</strong> Review your Microsoft Teams data loss prevention and conditional access policies, and ensure you have visibility into anomalous Teams API calls or unexpected external tenant communications via Microsoft Purview or a CASB. Consider restricting Teams external access to approved domains only, and correlate Teams activity with endpoint telemetry to surface unusual process-to-network-service relationships.</p>
</blockquote>
<p><strong>Original advisory:</strong> <a href="https://www.theregister.com/cyber-crime/2026/06/16/crooks-found-a-new-way-to-collaborate-using-teams-by-hiding-command-and-control-traffic/5256296">Crooks found a new way to collaborate using Teams – by hiding command-and-control traffic</a></p>
]]></content:encoded></item></channel></rss>