A new DragonForce ransomware attack campaign has been observed abusing Microsoft Teams relay servers for command-and-control (C2) communications. The attackers deployed a novel Go-based backdoor, which communicates through legitimate Microsoft Teams infrastructure to evade detection.
The technique leverages Teams relay servers as a covert channel, blending malicious traffic with normal business communications. This approach allows the backdoor to bypass traditional network security controls that might filter non-standard protocols or destinations.
Technical analysis reveals the Go backdoor establishes persistent access by connecting to Microsoft Teams servers, using the platform's relay functionality to receive instructions and exfiltrate data. This method significantly increases the difficulty of detection, as the traffic appears to originate from a trusted Microsoft service.
The DragonForce group, known for targeting critical infrastructure, has added this sophisticated evasion technique to its arsenal. While the specific victims have not been disclosed, the campaign appears to be ongoing, with the attackers continuously refining their tools.
Organizations are advised to monitor for unusual outbound connections to Microsoft Teams servers, especially from non-standard processes, and to review Teams authentication logs for anomalous activity. Microsoft has not yet publicly commented on the abuse of its relay infrastructure.