Ransomware gang abuses Microsoft Teams relays to hide malicious traffic
Summary
The DragonForce ransomware group has been observed using a custom backdoor, dubbed 'Backdoor.Turn,' to conceal its command-and-control (C2) traffic within Microsoft Teams relay infrastructure. This tactic allows the attackers to blend malicious communications with legitimate Teams activity, making detection more challenging for security defenders.
IFF Assessment
Attackers are leveraging legitimate cloud infrastructure and communication platforms to obfuscate their malicious activities, posing a greater challenge for detection and defense.
Defender Context
This technique highlights the growing trend of ransomware gangs abusing cloud services and legitimate applications to hide their C2 infrastructure. Defenders should focus on monitoring unusual traffic patterns within cloud collaboration tools and implementing robust network segmentation to limit the blast radius of potential compromises.
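One way to operationalise that monitoring, as an added example that is not part of the original report: flag Teams relay (STUN/TURN) sessions that do not originate from the Teams client process, or that run far longer than a call would. It assumes a constructed endpoint-telemetry row format, that Teams media relay traffic uses UDP 3478-3481, and that the listed process names are the legitimate clients; tune the thresholds to your environment.

```python
# Flag Teams relay (STUN/TURN) sessions that look unlike normal Teams calls.
# Assumptions for this example: Teams media relay uses UDP 3478-3481 and
# TEAMS_PROCESSES names the legitimate client binaries. Telemetry is constructed.
from dataclasses import dataclass

TURN_PORTS = {3478, 3479, 3480, 3481}            # assumed Teams relay ports
TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}  # assumed legitimate clients
MAX_SESSION_SECONDS = 4 * 3600                   # tunable: a 4h call is unusual
MAX_BYTES_OUT = 200 * 1024 * 1024                # tunable: outbound volume cap

@dataclass
class Flow:
    host: str
    process: str
    proto: str
    dst_port: int
    seconds: int
    bytes_out: int

def is_relay_flow(f: Flow) -> bool:
    return f.proto == "udp" and f.dst_port in TURN_PORTS

def flag_reasons(f: Flow) -> list[str]:
    """Reasons a relay flow deserves triage; an empty list means it looks normal."""
    if not is_relay_flow(f):
        return []
    reasons = []
    if f.process.lower() not in TEAMS_PROCESSES:
        reasons.append(f"relay traffic from non-Teams process {f.process}")
    if f.seconds > MAX_SESSION_SECONDS:
        reasons.append(f"relay session lasted {f.seconds}s")
    if f.bytes_out > MAX_BYTES_OUT:
        reasons.append(f"{f.bytes_out} bytes sent over relay")
    return reasons

def triage(flows: list[Flow]) -> dict[str, list[str]]:
    """Map host -> reasons for every host with at least one suspicious relay flow."""
    out: dict[str, list[str]] = {}
    for f in flows:
        if reasons := flag_reasons(f):
            out.setdefault(f.host, []).extend(reasons)
    return out

# Constructed sample telemetry (not real observations).
SAMPLE = [
    Flow("ws01", "ms-teams.exe", "udp", 3478, 1800, 40 * 1024 * 1024),  # normal call
    Flow("ws02", "updater.exe", "udp", 3480, 6 * 3600, 10 * 1024 * 1024),  # odd
    Flow("ws03", "ms-teams.exe", "tcp", 443, 60, 1024),  # not relay traffic
]
```

Running `triage(SAMPLE)` reports only ws02, with two reasons: a non-Teams process and a six-hour relay session.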