

Ethical Hacking News

Cybercriminals' Cunning Ruse: Hiding Command-and-Control Traffic through Microsoft Teams



Cybercriminals have found a way to hide command-and-control traffic by using Microsoft Teams, disguising their malicious activities as routine corporate collaboration. This technique allows them to evade detection and siphon data from compromised systems. As Symantec notes, this is the first known case of malware using this particular method, highlighting the need for ongoing security awareness and vigilance against evolving cyber threats.

  • The DragonForce ransomware group has been linked to the Scattered Spider group and used Microsoft Teams to hide command-and-control traffic.
  • The attackers deployed a custom Go-based backdoor, "Backdoor.Turn," to maintain communication with compromised systems.
  • The backdoor requested an anonymous visitor token from Microsoft Teams and Skype services before establishing a direct connection to a malicious C&C server.
  • This technique allows malware to pass through legitimate Microsoft services, making it challenging for security products to detect malicious activity.



    Crooks have found a new way to collaborate using Microsoft Teams: hiding command-and-control traffic inside it, thereby disguising their malicious activities as routine corporate collaboration. This technique allows custom malware to route its communications through legitimate Microsoft services, making it challenging for security products and defenders to detect the malicious activity.

    The DragonForce ransomware group, which has been linked to the prolific Scattered Spider group, was found to have gained access to a major US services company's network before deploying a custom Go-based backdoor, tracked as "Backdoor.Turn," to maintain communication with the compromised systems. The attackers hid their activity inside traffic associated with Microsoft's widely used collaboration platform.

    "The attackers in this campaign use exceptionally sophisticated cyber tradecraft," said Symantec. "The configuration of Backdoor.Turn means that security products only see C&C traffic going to legitimate Teams servers, leaving defenders unaware that data is being siphoned away by malicious actors." This highlights the cunning and innovative approach used by cybercriminals to blend into the software and infrastructure that organizations trust most.

    To connect to Microsoft's infrastructure, the backdoor first requested an anonymous visitor token from Microsoft Teams and Skype back-end services. It then used a Microsoft-operated TURN relay server – infrastructure typically used to help establish communication between users – before establishing a direct QUIC connection to a malicious command-and-control server. This sophisticated technique underscores the attackers' efforts to evade detection.
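    Because the traffic described above terminates at genuine Teams relay servers, the destination alone is not a useful signal; one heuristic is to look at which process on the endpoint is talking to the relays. The following is an added example, not Symantec's detection logic or code from the original article. It assumes per-process flow telemetry is available, and the relay IP ranges, ports, allowlisted image paths and sample log are assumptions to be checked against your own environment.

```python
import csv
import io
import ipaddress
from pathlib import PureWindowsPath

# Assumption: Teams media/TURN relay ranges and UDP ports as published in
# Microsoft's Microsoft 365 endpoint list; refresh them from the current list.
TEAMS_MEDIA_NETS = [ipaddress.ip_network(n) for n in ("52.112.0.0/14", "52.122.0.0/15")]
TURN_UDP_PORTS = range(3478, 3482)

# Assumption: image name -> path fragment it must run from. Teams in a browser
# uses the same relays, so add the browsers your organisation approves.
ALLOWED = {
    "ms-teams.exe": "\\program files\\windowsapps\\msteams_",
    "teams.exe": "\\appdata\\local\\microsoft\\teams\\",
    "msedgewebview2.exe": "\\program files (x86)\\microsoft\\edgewebview\\",
}

# Constructed sample flow log for illustration; not real telemetry.
SAMPLE = r"""host,image,proto,dst_ip,dst_port
WS-01,C:\Program Files\WindowsApps\MSTeams_1.0_x64__8wekyb3d8bbwe\ms-teams.exe,udp,52.113.10.20,3478
WS-02,C:\ProgramData\updater\svc.exe,udp,52.114.7.9,3479
WS-03,C:\Users\Public\Teams.exe,udp,52.123.1.1,3478
WS-04,C:\ProgramData\updater\svc.exe,udp,8.8.8.8,3478
WS-05,C:\Windows\System32\svchost.exe,tcp,52.113.10.20,443
"""

def is_teams_relay(proto, dst_ip, dst_port):
    """True for UDP flows to a TURN port inside the Teams media ranges."""
    if proto.lower() != "udp" or int(dst_port) not in TURN_UDP_PORTS:
        return False
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in TEAMS_MEDIA_NETS)

def is_expected_client(image):
    """Name AND install path must match, so a renamed binary is not trusted."""
    path = image.lower()
    frag = ALLOWED.get(PureWindowsPath(path).name)
    return frag is not None and frag in path

def unexpected_relay_users(log_text):
    """Return (host, image, dst_ip) for relay flows from non-allowlisted processes."""
    hits = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if is_teams_relay(row["proto"], row["dst_ip"], row["dst_port"]) and not is_expected_client(row["image"]):
            hits.append((row["host"], row["image"], row["dst_ip"]))
    return hits
```

    On the constructed sample this flags WS-02 (an unrelated binary using the relays) and WS-03 (a file named Teams.exe running outside the expected install path), and leaves the genuine client and non-relay traffic alone.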

    Symantec noted that this is the first known case of malware using this particular technique, and it further emphasizes the need for organizations to stay vigilant and regularly update their security products to combat such threats. The DragonForce ransomware operation has become increasingly prominent over the past year, operating a ransomware-as-a-service model that allows affiliates to conduct attacks under the DragonForce banner.

    While attackers have long abused legitimate cloud services to conceal malicious traffic, Symantec's findings suggest that DragonForce operators continue to look for ways to blend into the software and infrastructure that organizations trust most. This serves as a reminder of the importance of regular security audits and the need for ongoing vigilance against evolving cyber threats.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Cybercriminals-Cunning-Ruse-Hiding-Command-and-Control-Traffic-through-Microsoft-Teams-ehn.shtml

  • https://www.theregister.com/cyber-crime/2026/06/16/crooks-found-a-new-way-to-collaborate-using-teams-by-hiding-command-and-control-traffic/5256296


  • Published: Wed Jun 17 20:21:02 2026 by llama3.2 3B Q4_K_M












