[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fKVFXXzgab4n-kqltVQrPrrnMVhdl6pn8Z0jFfvt5qyg":3},{"lesson":4},{"id":5,"slug":6,"article_id":7,"title":8,"body":9,"prevention":10,"framework_refs":11,"status":23,"created_at":24,"published_at":25,"article":26,"tags":29},"670c4511-5d5b-4259-bf84-cca0e9a8aace","dragonforce-abuses-microsoft-teams-relays-to-mask-ransomware-c2-traffic","a20b0f61-9bbb-4216-a794-c9bfcd34ec76","DragonForce Abuses Microsoft Teams Relays to Mask Ransomware C2 Traffic","DragonForce ransomware actors exploited a likely unpatched SQL server vulnerability to gain initial access, then deployed a custom Go-based RAT (Backdoor.Turn) that tunneled command-and-control traffic through legitimate Microsoft Teams relay infrastructure. By blending malicious traffic with trusted collaboration platform communications, the attackers evaded detection for one to two months — a dangerously long dwell time. This highlights how attackers increasingly abuse trusted cloud services to bypass traditional perimeter defenses and signature-based detection. The combination of delayed detection and living-off-the-land-style C2 masquerading significantly amplifies the potential for data exfiltration and full ransomware deployment before defenders can respond.","**Immediate Actions:**\n- Audit and patch all internet-facing SQL servers and application endpoints against known CVEs immediately.\n- Review Microsoft Teams relay and network traffic logs for anomalous outbound connections or unusual relay usage patterns.\n\n**Detection Measures:**\n- Deploy behavioral-based NDR (Network Detection and Response) tools capable of identifying C2 patterns within encrypted or trusted-platform traffic.\n- Establish baselines for Microsoft Teams traffic volume and flag deviations that may indicate relay abuse for C2 tunneling.\n- Implement SIEM correlation rules that trigger alerts when internal hosts communicate with Teams relay endpoints outside of normal business hours or at unusual volumes.\n\n**Long-Term Improvements:**\n- Enforce strict egress filtering and network segmentation to limit which internal hosts can communicate with cloud collaboration relay infrastructure.\n- Adopt a Zero Trust architecture that continuously validates device and user identity before permitting access to internal resources or cloud services.\n- Conduct regular threat hunting exercises focused on living-off-the-land and trusted-service-abuse techniques to reduce mean time to detect (MTTD).",[12,13,14,15,16,17,18,19,20,21,22],"CIS Control 7: Continuous Vulnerability Management","CIS Control 12: Network Infrastructure Management","CIS Control 13: Network Monitoring and Defense","NIST SP 800-61 Rev. 2: Incident Response","NIST SI-4: System Monitoring","NIST AC-17: Remote Access","NIST CA-7: Continuous Monitoring","MITRE ATT&CK T1071.001: Application Layer Protocol – Web Protocols","MITRE ATT&CK T1219: Remote Access Software","MITRE ATT&CK T1090: Proxy","NIST SP 800-207: Zero Trust Architecture","published","2026-06-18T14:21:01.781611+00:00","2026-06-18T14:21:01.569+00:00",{"id":7,"url":27,"title":28},"https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fdragonforce-hackers-abuse-microsoft.html","DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic",[30,36,42],{"id":31,"name":32,"slug":33,"description":34,"color":35},"05757c8d-6b93-4194-b35d-7359e7d33b0e","Vulnerability Management","vulnerability-management","Missing scans, no risk prioritization","#fb923c",{"id":37,"name":38,"slug":39,"description":40,"color":41},"1732a005-556e-411c-a9db-5edec3058571","Logging & Monitoring","logging-monitoring","Missing logs, no alerting, blind spots","#a855f7",{"id":43,"name":44,"slug":45,"description":46,"color":47},"f43a7f30-5046-4b10-9dba-1a704139821e","Network Segmentation","network-segmentation","Lateral movement, flat networks, missing firewalls","#06b6d4"]