Microsoft Teams Relay Servers Abused in DragonForce Ransomware Attack

Summary

A new Go-based backdoor used in DragonForce ransomware intrusions routes its command-and-control traffic through Microsoft Teams relay servers. Because the C2 channel terminates at Microsoft's own infrastructure rather than at attacker-owned hosts, the traffic blends in with ordinary Teams sessions and is difficult to tell apart from legitimate use.

IFF Assessment

FOE

This is a technique defenders must now monitor for: the attackers carry C2 over legitimate Microsoft Teams infrastructure, so controls that trust a connection because its destination is a Microsoft endpoint will not catch it.

Defender Context

Defenders cannot rely on destination reputation here, since the destination is a genuine Microsoft relay; blocking those endpoints outright breaks Teams calls. Detection instead needs process-aware telemetry (which binary opened the connection, from which path, on which host) and a baseline of which hosts legitimately carry Teams media, so that relay traffic from an unexpected process, an unexpected install path, or a host with no Teams client stands out. This attack exemplifies the trend of adversaries abusing legitimate cloud services (sometimes called "living off trusted sites", distinct from living-off-the-land use of built-in OS tools) to blend malicious traffic with normal business communications, making detection significantly more difficult.
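One way to turn that guidance into a check, as an added example that is not code from the original story or from the backdoor report: run process-aware connection telemetry (the shape of Sysmon Event ID 3 or an EDR network event) through two heuristics, flagging relay connections that originate outside a known Teams install directory and relay connections that recur on a clocked interval. The relay hostname pattern, the install-path allow-list, the implant path and the sample records are all assumptions constructed for illustration and must be replaced with the estate's own data.

```python
"""Flag Teams-relay connections that do not look like a Teams client.

Added example, not code from the original story or the malware report.
Input shape assumed: one dict per outbound connection, as produced by
process-aware telemetry (Sysmon Event ID 3, an EDR network event). The relay
hostname pattern, the install-path allow-list and the sample records below
are constructed for illustration.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime

# Assumption: relay endpoints are recognisable by hostname suffix.
RELAY_HOST = re.compile(r"\.relay\.teams\.microsoft\.com$", re.IGNORECASE)

# Assumption: directories from which a genuine Teams client runs on this estate.
# Allow-listing paths rather than process names means a backdoor that merely
# calls itself teams.exe in a temp directory still trips the rule.
TEAMS_INSTALL_PREFIXES = (
    r"c:\program files\windowsapps\msteams_",
    r"c:\program files (x86)\microsoft\teams\current",
)

# Beacon heuristic: at least MIN_BEACONS connections whose gaps vary by no more
# than JITTER_SECONDS. Real client media sessions are bursty, not clocked.
MIN_BEACONS = 3
JITTER_SECONDS = 5.0


def is_relay(dest_host: str) -> bool:
    return bool(RELAY_HOST.search(dest_host))


def from_teams_install(image: str) -> bool:
    return image.lower().startswith(TEAMS_INSTALL_PREFIXES)


def find_suspicious(events: list[dict]) -> list[dict]:
    """Return one alert per (host, image, dest) that reaches a relay endpoint
    either from outside a Teams install directory or on a clocked interval."""
    groups: dict[tuple[str, str, str], list[datetime]] = defaultdict(list)
    for ev in events:
        if not is_relay(ev["dest"]):
            continue  # ordinary web traffic, not the relay channel
        groups[(ev["host"], ev["image"], ev["dest"])].append(datetime.fromisoformat(ev["ts"]))

    alerts = []
    for (host, image, dest), times in groups.items():
        reasons = []
        if not from_teams_install(image):
            reasons.append("relay traffic from outside Teams install path")
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= MIN_BEACONS and max(gaps) - min(gaps) <= JITTER_SECONDS:
            reasons.append(f"clocked interval ~{sum(gaps) / len(gaps):.0f}s over {len(times)} connections")
        if reasons:
            alerts.append({"host": host, "image": image, "dest": dest, "reasons": reasons})
    return alerts


def _ev(ts: str, host: str, image: str, dest: str, port: int = 443) -> dict:
    # port is kept for the analyst's benefit; the heuristics key on host and process.
    return {"ts": ts, "host": host, "image": image, "dest": dest, "port": port}


# Constructed sample telemetry (not real data): WS01 runs a genuine client with
# bursty media traffic; WS02 has a hypothetical implant in %TEMP% that named
# itself teams.exe and beacons through a relay host about once a minute.
TEAMS_IMAGE = r"C:\Program Files\WindowsApps\MSTeams_24.1.0_x64__8wekyb3d8bbwe\ms-teams.exe"
IMPLANT_IMAGE = r"C:\Users\bob\AppData\Local\Temp\teams.exe"  # hypothetical path
CHROME_IMAGE = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

SAMPLE_EVENTS = [
    _ev("2024-06-01T09:00:00", "WS01", TEAMS_IMAGE, "eu.relay.teams.microsoft.com", 3478),
    _ev("2024-06-01T09:00:02", "WS01", TEAMS_IMAGE, "eu.relay.teams.microsoft.com", 3478),
    _ev("2024-06-01T09:41:17", "WS01", TEAMS_IMAGE, "eu.relay.teams.microsoft.com", 3478),
    _ev("2024-06-01T09:00:05", "WS01", CHROME_IMAGE, "teams.microsoft.com"),
    _ev("2024-06-01T09:03:00", "WS02", IMPLANT_IMAGE, "us.relay.teams.microsoft.com"),
    _ev("2024-06-01T09:04:01", "WS02", IMPLANT_IMAGE, "us.relay.teams.microsoft.com"),
    _ev("2024-06-01T09:05:00", "WS02", IMPLANT_IMAGE, "us.relay.teams.microsoft.com"),
    _ev("2024-06-01T09:06:02", "WS02", IMPLANT_IMAGE, "us.relay.teams.microsoft.com"),
]

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_EVENTS):
        print(alert["host"], alert["image"], alert["dest"], "; ".join(alert["reasons"]))
```

On the sample data only WS02 is reported, with both reasons. The path allow-list is the cheap signal and the one an implant can most easily dodge by dropping into a Teams install directory; the interval check is there so that a correctly placed binary still has to give up regular beaconing to stay quiet. Tune JITTER_SECONDS and MIN_BEACONS against real client traffic before enabling this as an alert.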
