Attackers are abusing trusted collaboration platforms to disguise malicious communication and bypass traditional security monitoring.

Cybercriminal groups are finding new ways to hide their activities inside trusted business services. The latest example involves the DragonForce ransomware operation, which has developed a custom backdoor capable of hiding command-and-control communication through Microsoft Teams relay infrastructure.
Security researchers identified a malware strain named Backdoor.Turn that abuses Microsoft Teams’ TURN (Traversal Using Relays around NAT) technology. TURN lets applications keep communicating when a direct peer-to-peer connection cannot be established, by relaying traffic through an intermediary server; this is common for clients behind NAT or inside restricted networks.
Instead of communicating directly with attacker-controlled infrastructure, Backdoor.Turn routes traffic through legitimate Microsoft Teams relay services. As a result, security teams may see network activity connected to Microsoft infrastructure rather than a suspicious external server.
This technique creates a major detection challenge because attackers are blending malicious traffic with trusted enterprise services.
DragonForce, a ransomware group active since 2023, has continued expanding its capabilities through advanced evasion techniques. The group has adopted a cartel-style model and has been associated with high-profile cybercrime activity, including links to the Scattered Spider ecosystem.
Researchers observed the malware during an attack against a major U.S. services organization. The attackers likely gained initial access by exploiting an unknown vulnerability affecting SQL or MSSQL infrastructure.
After gaining access, the threat actors deployed a ZIP archive containing legitimate tools along with malicious components designed for DLL side-loading. They then increased control over the environment by creating unauthorized accounts, changing security policies, and modifying firewall configurations.
Additionally, DragonForce used a Bring Your Own Vulnerable Driver (BYOVD) technique by abusing a vulnerable Huawei driver. This method allows attackers to disable or bypass security controls by exploiting a driver that is legitimately signed, and therefore trusted by the operating system, but contains an exploitable flaw.
The use of Microsoft Teams relay infrastructure represents a broader trend in cyberattacks: attackers are increasingly hiding inside legitimate cloud and communication platforms. Traditional security approaches that rely only on blocking known malicious domains or IP addresses may struggle against these methods.
For organizations, this highlights the importance of behavior-based detection, identity monitoring, endpoint visibility, and network analysis. Security teams should focus on identifying unusual application behavior rather than assuming trusted services are always safe.
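One behavior-based check in the spirit of the recommendation above: TURN is a documented protocol, so a defender can parse the STUN/TURN header of outbound datagrams and alert when a process that is not an expected collaboration client opens a relay allocation. This is an added illustration, not code from the researchers or from Microsoft; the process allowlist and the sample flow records are constructed assumptions to tune per environment.

```python
import struct
from dataclasses import dataclass

STUN_MAGIC_COOKIE = 0x2112A442
# TURN method numbers (RFC 5766 / RFC 8656)
TURN_METHODS = {0x003: "Allocate", 0x004: "Refresh", 0x006: "Send",
                0x007: "Data", 0x008: "CreatePermission", 0x009: "ChannelBind"}
STUN_CLASSES = {0: "request", 1: "indication", 2: "success", 3: "error"}
# ASSUMPTION: image names expected to open TURN allocations in this environment
EXPECTED_TURN_PROCESSES = {"ms-teams.exe", "teams.exe"}

@dataclass
class Flow:
    process: str      # image name of the process that sent the datagram (from EDR/ETW)
    dst_port: int
    payload: bytes    # leading bytes of the UDP/TCP payload

def parse_stun(payload: bytes):
    """Return (class, method) for a STUN/TURN message, or None if the bytes are not STUN."""
    if len(payload) < 20:
        return None
    msg_type, length, cookie = struct.unpack("!HHI", payload[:8])
    # RFC 5389: two leading zero bits, fixed magic cookie, attribute length a multiple of 4
    if msg_type & 0xC000 or cookie != STUN_MAGIC_COOKIE or length % 4:
        return None
    msg_class = (((msg_type >> 8) & 1) << 1) | ((msg_type >> 4) & 1)   # C1, C0 bits
    method = (msg_type & 0x000F) | ((msg_type & 0x00E0) >> 1) | ((msg_type & 0x3E00) >> 2)
    return STUN_CLASSES[msg_class], TURN_METHODS.get(method, f"method-0x{method:03x}")

def flag_turn_abuse(flows):
    """Alert on TURN Allocate/Refresh requests from processes that should not be relaying media."""
    alerts = []
    for f in flows:
        parsed = parse_stun(f.payload)
        if parsed is None:
            continue
        cls, method = parsed
        if cls == "request" and method in ("Allocate", "Refresh") \
                and f.process.lower() not in EXPECTED_TURN_PROCESSES:
            alerts.append(f"{f.process} sent TURN {method} request to port {f.dst_port}")
    return alerts

def stun_message(msg_type: int, txid: bytes = b"\x01" * 12) -> bytes:
    """Build a minimal attribute-less STUN message; used here only to construct sample traffic."""
    return struct.pack("!HHI", msg_type, 0, STUN_MAGIC_COOKIE) + txid

# Constructed sample records: a Teams allocation, a hypothetical side-loaded host doing the same,
# a Send indication from that host (not an allocation), and a non-STUN DNS query
SAMPLE_FLOWS = [
    Flow("ms-teams.exe", 3478, stun_message(0x0003)),
    Flow("updater.exe", 3478, stun_message(0x0003)),
    Flow("updater.exe", 3478, stun_message(0x0016)),
    Flow("svchost.exe", 53, b"\x12\x34\x01\x00\x00\x01"),
]
```

In practice the process attribution comes from endpoint telemetry and the payload from a network sensor, joined on the 5-tuple; the check then complements, rather than replaces, domain and IP reputation, which this technique is designed to defeat.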
CISOs and security leaders should also review how collaboration platforms are monitored within their environments. Trusted SaaS applications can become attractive channels for attackers because they already have permission, visibility, and user trust.
As ransomware groups continue improving their techniques, organizations must prepare for attacks that do not look like traditional malware activity. The future of defense will depend on detecting abnormal behavior across the entire digital ecosystem.