DragonForce Abuses Microsoft Teams Relays to Mask Ransomware C2 Traffic
DragonForce ransomware actors exploited a likely unpatched SQL server vulnerability to gain initial access, then deployed a custom Go-based RAT (Backdoor.Turn) that tunneled command-and-control traffic through legitimate Microsoft Teams relay infrastructure. By blending malicious traffic with trusted collaboration platform communications, the attackers evaded detection for one to two months — a dangerously long dwell time. This highlights how attackers increasingly abuse trusted cloud services to bypass traditional perimeter defenses and signature-based detection. The combination of delayed detection and living-off-the-land-style C2 masquerading significantly amplifies the potential for data exfiltration and full ransomware deployment before defenders can respond.
Tactical Insight
Immediate Actions
- Audit and patch all internet-facing SQL servers and application endpoints against known CVEs immediately.
- Review Microsoft Teams relay and network traffic logs for anomalous outbound connections or unusual relay usage patterns.
Detection Measures
- Deploy behavioral-based NDR (Network Detection and Response) tools capable of identifying C2 patterns within encrypted or trusted-platform traffic.
- Establish baselines for Microsoft Teams traffic volume and flag deviations that may indicate relay abuse for C2 tunneling.
- Implement SIEM correlation rules that trigger alerts when internal hosts communicate with Teams relay endpoints outside of normal business hours or at unusual volumes.
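As an added illustration (not part of the original briefing or any vendor product), the following Python sketch implements the baseline-and-deviation logic from the detection measures above over constructed flow records: it counts each internal host's connections into the relay address space, flags off-hours activity, and flags hosts far above the fleet-wide median. The relay prefix (TEST-NET-3 placeholder), the log format and the business-hours window are assumptions to be replaced with Microsoft's published Teams relay ranges and your own log schema.

```python
# Added example: baseline per-host flows to Teams relay ranges and flag deviations.
# The relay prefix, log format and business-hours window are constructed assumptions.
from collections import Counter, defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import median

RELAY_PREFIXES = [ip_network("203.0.113.0/24")]  # placeholder for the published Teams relay ranges
BUSINESS_HOURS = range(8, 18)                     # 08:00-17:59 UTC, assumed
VOLUME_FACTOR = 5                                 # flag hosts above 5x the median host

def is_relay(dst: str) -> bool:
    """True when the destination falls inside a relay prefix."""
    ip = ip_address(dst)
    return any(ip in net for net in RELAY_PREFIXES)

def parse(line: str) -> dict:
    """Parse a constructed 'TIMESTAMP key=value ...' flow record."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return rec

def analyze(lines: list) -> dict:
    """Per-host relay flow counts; report off-hours activity and hosts far above the median."""
    per_host, off_hours = Counter(), defaultdict(int)
    for rec in map(parse, lines):
        if not is_relay(rec["dst"]):
            continue                      # not relay traffic: out of scope here
        per_host[rec["src"]] += 1
        if rec["ts"].hour not in BUSINESS_HOURS:
            off_hours[rec["src"]] += 1
    baseline = median(per_host.values()) if per_host else 0
    high = {h for h, n in per_host.items() if n > VOLUME_FACTOR * baseline}
    return {"baseline": baseline, "high_volume": high, "off_hours": dict(off_hours)}

def _flows(host: str, start_hour: int, n: int) -> list:
    """Constructed sample: n hourly relay flows from host, starting at start_hour UTC."""
    return [f"2024-05-01T{(start_hour + i) % 24:02d}:00:00Z src={host} "
            f"dst=203.0.113.7 dport=3478 proto=udp" for i in range(n)]

# Three hosts with ordinary daytime meeting traffic, one host connecting hourly from
# midnight onward, plus one non-relay flow that the detector must ignore.
SAMPLE_LOGS = (
    _flows("10.0.0.11", 9, 3) + _flows("10.0.0.12", 10, 2) + _flows("10.0.0.13", 14, 1)
    + _flows("10.0.0.50", 0, 20)
    + ["2024-05-01T03:00:00Z src=10.0.0.50 dst=198.51.100.9 dport=443 proto=tcp"]
)
```

Legitimate meeting traffic makes raw volume noisy, so in production weight the off-hours and periodicity signals more heavily and build the per-host baseline over several weeks rather than a single day.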
Long-Term Improvements
- Enforce strict egress filtering and network segmentation to limit which internal hosts can communicate with cloud collaboration relay infrastructure.
- Adopt a Zero Trust architecture that continuously validates device and user identity before permitting access to internal resources or cloud services.
- Conduct regular threat hunting exercises focused on living-off-the-land and trusted-service-abuse techniques to reduce mean time to detect (MTTD).