Ransomware Gang Hides C&C Traffic in Microsoft Teams Relays

Bottom Line: Ransomware operators hide C&C communications using custom malware in trusted Microsoft Teams infrastructure to evade network detection systems.

The ransomware group DragonForce uses a custom backdoor called “Backdoor.Turn” to obfuscate command-and-control traffic via Microsoft’s Teams relay infrastructure. This approach makes detection and tracking of attackers significantly more difficult.

The ransomware group DragonForce deploys a purpose-built backdoor called “Backdoor.Turn” to route its command-and-control (C&C) communication through Microsoft Teams’ relay infrastructure. As a result, the malware’s network traffic is embedded in legitimate, encrypted Microsoft communications traffic.

This technique has significant consequences for security leaders and network monitoring: traditional blocklists or reputation checks of network domains are ineffective because the Microsoft servers used are classified as trusted. The malicious traffic can hide within logs of legitimate Teams communications, which delays or impedes forensic analysis and incident response processes.

CISOs should respond on two fronts: first, enhanced monitoring of Microsoft Teams traffic for anomalies (unexpected destinations, unusual timing patterns, high data volumes); second, stronger endpoint detection and response (EDR) on affected systems so that suspicious processes and authentication events are caught before the backdoor is installed. A review of network segmentation and of the access controls that internal policies apply to Teams relay traffic is also warranted.
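The following is an added example, not code from the article or from any vendor, showing how the three anomaly signals named above (unexpected process or destination, unusual timing, high volume) can be applied to per-process connection records that reach Microsoft Teams relay address ranges. The log format, process names, hours and byte threshold are assumptions; the relay ranges are those Microsoft publishes for Teams media and should be checked against the current list.

```python
# Added example (not from the article): heuristic triage of connection records
# to Microsoft Teams relay ranges. Format, thresholds and process names are
# assumptions for illustration; the sample records below are constructed.
import ipaddress
from datetime import datetime

# Teams media/relay (TURN) ranges as published by Microsoft; UDP 3478-3481.
TEAMS_RELAY_NETS = [ipaddress.ip_network("52.112.0.0/14"),
                    ipaddress.ip_network("52.122.0.0/15")]
EXPECTED_PROCESSES = {"ms-teams.exe", "teams.exe"}  # assumption: sanctioned clients
BUSINESS_HOURS = range(7, 20)                       # assumption: 07:00-19:59 local
VOLUME_LIMIT = 50 * 1024 * 1024                     # assumption: 50 MiB per flow

def is_teams_relay(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TEAMS_RELAY_NETS)

def parse(line):
    # Constructed record format: ts,host,process,dst_ip,dst_port,bytes_out
    ts, host, proc, dst, port, bytes_out = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "process": proc.lower(), "dst": dst,
            "port": int(port), "bytes_out": int(bytes_out)}

def triage(lines):
    """Return (host, process, dst, reasons) for relay flows that trip a signal."""
    findings = []
    for line in lines:
        rec = parse(line)
        if not is_teams_relay(rec["dst"]):
            continue  # only relay-bound flows are in scope here
        reasons = []
        if rec["process"] not in EXPECTED_PROCESSES:
            reasons.append("non-Teams process talking to Teams relay range")
        if rec["ts"].hour not in BUSINESS_HOURS:
            reasons.append("relay traffic outside business hours")
        if rec["bytes_out"] > VOLUME_LIMIT:
            reasons.append("outbound volume exceeds threshold")
        if reasons:
            findings.append((rec["host"], rec["process"], rec["dst"], reasons))
    return findings

# Constructed sample records, not real telemetry.
SAMPLE_LOG = [
    "2026-06-16T10:15:00,ws-01,ms-teams.exe,52.113.10.20,3478,120000",
    "2026-06-16T02:40:00,ws-07,svchost.exe,52.113.10.21,3478,80000000",
    "2026-06-16T11:00:00,ws-02,chrome.exe,142.250.0.10,443,5000",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

Only the second constructed record is reported, with all three reasons; a benign Teams call and a non-relay flow pass silently.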


Source: www.bleepingcomputer.com · Published June 16, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrasing and classification by Lumi News Pipeline v1.7.1.