DragonForce ransomware is leveraging Microsoft Teams relay infrastructure to obscure command-and-control (C2) traffic, making detection significantly more complex for network security teams. Broadcom-owned Symantec and Carbon Black detailed in June 2026 how this approach, which uses a custom Go-based Remote Access Trojan (RAT) called Backdoor.Turn, makes C2 communications appear as legitimate outbound connections to Microsoft Teams servers. This bypasses traditional IP/domain reputation and signature-based filtering solutions. This shift towards abusing trusted communication channels requires a re-evaluation of network monitoring strategies, as attackers maintained access for one to two months in a recent U.S. services firm breach.

What Happened

The DragonForce ransomware group deployed an attack starting in December 2025 against a major U.S. services firm, maintaining access for one to two months, Symantec reports. Initial compromise likely stemmed from an undisclosed exploit against an SQL or MSSQL server; no specific CVE ID has been identified for this initial access vector as of publication. Following initial access, attackers used PowerShell to fetch a stage-1 archive, masquerading as a technical support hotfix like 'TechSupV18Fix3.zip'. Persistence and privilege escalation were then established by side-loading a malicious DLL, vboxrt.dll, into a legitimate VirtualBox or DbgView executable.

Defense evasion further involved a Bring Your Own Vulnerable Driver (BYOVD) technique, exploiting known flaws in signed drivers, specifically Huawei's HWAuidoOs2Ec.sys, as reported by Symantec. This provided kernel-level access, allowing the deployment of a custom malicious driver disguised as a Palo Alto driver to terminate security processes. The central innovation, however, is Backdoor.Turn, which obtains an anonymous Microsoft Teams visitor token and uses a legitimate Microsoft Traversal Using Relays around NAT (TURN) relay. This establishes a covert QUIC session to the attacker's C2 server, blending with normal Teams traffic.

Why It Matters

This C2 obfuscation is a problem because it turns an enterprise's legitimate Microsoft Teams traffic into a cover for ransomware operations. Traditional network security controls, designed to flag suspicious IPs, domains, or protocols, cannot see the C2 data moving through trusted Microsoft infrastructure. Symantec's research highlights this as a significant tactical shift by ransomware groups. Organizations often whitelist Microsoft domains, inadvertently creating a blind spot for this type of activity.

DragonForce is a prolific threat, claiming 101 victims in Q1 2026, a 29% increase from Q4 2025, and 41 victims in May 2026, according to BleepingComputer. Since its emergence in December 2023, the group claims to have targeted up to 363 companies by January 2026, as noted by The Hacker News. Their double extortion tactics combine data encryption with threats to expose stolen data on their 'DragonLeaks' dark web site. This directly impacts operational continuity, brand reputation, and regulatory compliance, particularly when the group claims to exfiltrate sensitive data like customer information, PII, and healthcare records. No specific data types for the U.S. services firm incident have been confirmed by the affected organization.

Affected Scope & Remediation

The primary affected scope isn't a specific software version, but any organization using Microsoft Teams where network monitoring relies solely on IP/domain reputation or basic protocol filtering. This attack uses legitimate cloud infrastructure, making it exceptionally difficult to detect at the perimeter. Microsoft has not issued a specific advisory regarding this abuse, so traditional patches are not applicable here.

To remediate, enhance endpoint detection and response (EDR) and extended detection and response (XDR) capabilities. Tools like CrowdStrike Falcon or SentinelOne detect the underlying behaviors of Backdoor.Turn, such as DLL side-loading, BYOVD exploits, process termination, and unusual network connections from within endpoints, even if the traffic itself is camouflaged. Given the use of an initial SQL/MSSQL exploit, ensure all public-facing database servers are fully patched against known vulnerabilities and isolated with strict firewall rules.

Implement granular network segmentation and enforce Zero Trust principles. Scrutinize all outbound traffic, even to trusted cloud providers, for anomalous patterns. While direct CISA KEV listings for 'DragonForce Microsoft Teams' are not available for 2026, the BYOVD technique involving HWAuidoOs2Ec.sys uses known driver flaws. Ensure driver integrity monitoring and prevent unsigned driver loading. For detection, look for anomalies in Teams client behavior or network activity that deviates from normal patterns, such as QUIC connections to non-Microsoft IPs after passing through Microsoft TURN relays. Regularly audit system configurations for changes like removed 'Limit Blank Password' settings or newly created user accounts, which indicate post-exploitation activity.
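The two remediation paragraphs above list host-side indicators that EDR telemetry can surface even when the C2 channel is hidden: a side-loaded vboxrt.dll, the vulnerable HWAuidoOs2Ec.sys driver, the 'Limit Blank Password' setting being removed, and new local accounts. The following triage script is an added example (not code from Symantec, Carbon Black or CVEDaily) that runs those checks over a constructed, simplified event schema; the trusted install directories, the registry value path for the LSA setting, and the sample events are assumptions made for the illustration, and the vulnerable-driver list contains only the driver this article names.

```python
"""Host-telemetry triage for the post-exploitation indicators named in the
article: DLL side-loading of vboxrt.dll into VirtualBox/DbgView binaries,
loading of the vulnerable HWAuidoOs2Ec.sys driver, removal of the LSA
'Limit Blank Password' restriction, and local account creation.
All events below are constructed; the schema is simplified, not a vendor's."""

from collections import namedtuple
import ntpath

Alert = namedtuple("Alert", "rule host detail")

# Legitimate hosts for a side-loaded vboxrt.dll, as named in the article.
SIDELOAD_HOSTS = {"virtualbox.exe", "dbgview.exe"}
# Assumed 'normal' install locations; a copy of these binaries elsewhere is suspect.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Known-vulnerable drivers; only the one the article names is listed here.
# In production, seed this from the Microsoft vulnerable driver blocklist.
VULN_DRIVERS = {"hwauidoos2ec.sys"}
# LSA value that enforces the 'Limit Blank Password' restriction (default 1).
LBP_VALUE = "hklm\\system\\currentcontrolset\\control\\lsa\\limitblankpassworduse"

def _base(path):
    return ntpath.basename(path).lower()

def _in_trusted_dir(path):
    return path.lower().startswith(TRUSTED_DIRS)

def check_image_load(ev):
    """DLL side-loading: vboxrt.dll pulled into a VirtualBox/DbgView binary that
    runs outside a trusted directory, or an unsigned copy of the DLL."""
    if _base(ev["image"]) != "vboxrt.dll" or _base(ev["process"]) not in SIDELOAD_HOSTS:
        return None
    if not _in_trusted_dir(ev["process"]) or not ev.get("signed", False):
        return Alert("dll_sideload", ev["host"], f'{ev["process"]} loaded {ev["image"]}')
    return None

def check_driver_load(ev):
    """BYOVD: a driver on the vulnerable list, or any unsigned driver."""
    if _base(ev["image"]) in VULN_DRIVERS or not ev.get("signed", False):
        return Alert("vulnerable_driver", ev["host"], ev["image"])
    return None

def check_registry(ev):
    """'Limit Blank Password' removed or disabled (value deleted or set to 0)."""
    if ev["key"].lower() == LBP_VALUE and (ev["action"] == "delete" or ev.get("data") == 0):
        return Alert("blank_password_limit_removed", ev["host"], ev["action"])
    return None

def check_account(ev):
    """Any local account creation is surfaced for review after an intrusion."""
    return Alert("new_local_account", ev["host"], ev["user"])

RULES = {"image_load": check_image_load, "driver_load": check_driver_load,
         "registry_change": check_registry, "user_created": check_account}

def triage(events):
    """Run each event through the rule for its type; return the alerts raised."""
    alerts = []
    for ev in events:
        rule = RULES.get(ev["type"])
        if rule:
            alert = rule(ev)
            if alert:
                alerts.append(alert)
    return alerts

# Constructed sample telemetry: two benign events, four matching the indicators.
SAMPLE_EVENTS = [
    {"type": "image_load", "host": "ws01", "signed": True,
     "process": "C:\\Program Files\\Oracle\\VirtualBox\\VirtualBox.exe",
     "image": "C:\\Program Files\\Oracle\\VirtualBox\\VBoxRT.dll"},
    {"type": "image_load", "host": "ws01", "signed": False,
     "process": "C:\\ProgramData\\TechSup\\DbgView.exe",
     "image": "C:\\ProgramData\\TechSup\\vboxrt.dll"},
    {"type": "driver_load", "host": "ws01", "signed": True,
     "image": "C:\\Windows\\Temp\\HWAuidoOs2Ec.sys"},
    {"type": "driver_load", "host": "ws01", "signed": True,
     "image": "C:\\Windows\\System32\\drivers\\tcpip.sys"},
    {"type": "registry_change", "host": "ws01", "action": "delete",
     "key": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Lsa\\LimitBlankPasswordUse"},
    {"type": "user_created", "host": "ws01", "user": "svc_update"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, the script reports the unsigned vboxrt.dll loaded by a DbgView copy in ProgramData, the vulnerable driver, the deleted LSA value and the new account, while ignoring the signed VirtualBox runtime DLL in its install directory and the stock tcpip.sys. The point of the first rule is that the DLL name and host binary are both legitimate; only the combination of location and signature state separates side-loading from normal use.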

Source: thehackernews.com

Technical Breakdown

The core of this attack hinges on Backdoor.Turn's ability to masquerade C2 traffic. Backdoor.Turn first obtains an anonymous visitor token for Microsoft Teams. This token lets it initiate a connection through a Microsoft Traversal Using Relays around NAT (TURN) relay. TURN is a standard protocol for establishing direct connections between peers behind firewalls, often used by VoIP and real-time communication apps like Teams.

Once the connection is established via the TURN relay, Backdoor.Turn initiates a QUIC (Quick UDP Internet Connections) session. QUIC is Google-developed, encrypted, and highly efficient, often used by web browsers and increasingly by cloud services, including Microsoft. By wrapping its C2 traffic within this QUIC session, relayed through legitimate Microsoft infrastructure, the traffic appears as benign Teams activity, bypassing most network-level inspection that isn't performing deep packet analysis on encrypted streams.
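Because the relay hop is what hides the C2 endpoint from the network, the most useful defender vantage point is the endpoint's own view of who asked Microsoft's relay for an allocation. The following added example (not Symantec's, Carbon Black's or CVEDaily's code, and not the backdoor's traffic) parses the STUN/TURN header used by TURN, recognises an Allocate request, and flags one that did not come from the Teams client. The set of Teams binary names, the relay hostname, and all datagrams are constructed assumptions; the Allocate request carries the REQUESTED-TRANSPORT attribute that RFC 5766 requires.

```python
"""Classify UDP payloads as STUN/TURN and flag TURN allocations made by
processes other than the Teams client. Flow records and byte strings are
constructed for the example; TEAMS_PROCESSES is an assumption, not a list
published by Microsoft or taken from the article."""

import struct
from collections import namedtuple

STUN_MAGIC = 0x2112A442
HEADER_LEN = 20
# STUN/TURN method numbers (RFC 5389 / RFC 5766).
METHODS = {0x001: "Binding", 0x003: "Allocate", 0x004: "Refresh",
           0x006: "Send", 0x007: "Data", 0x008: "CreatePermission",
           0x009: "ChannelBind"}
CLASSES = {0: "request", 1: "indication", 2: "success", 3: "error"}
# Assumed names of the legitimate Teams client binaries.
TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}

Stun = namedtuple("Stun", "method cls")

def parse_stun(payload):
    """Return (method, class) for a STUN-framed datagram, or None if not STUN."""
    if len(payload) < HEADER_LEN:
        return None
    mtype, mlen, cookie = struct.unpack(">HHI", payload[:8])
    # Top two bits must be zero, magic cookie must match, length must fit.
    if mtype & 0xC000 or cookie != STUN_MAGIC or mlen != len(payload) - HEADER_LEN:
        return None
    # RFC 5389 interleaves the class bits (C1 = bit 8, C0 = bit 4) with the method bits.
    cls = ((mtype >> 7) & 0x2) | ((mtype >> 4) & 0x1)
    method = (mtype & 0x000F) | ((mtype >> 1) & 0x0070) | ((mtype >> 2) & 0x0F80)
    return Stun(METHODS.get(method, f"method-0x{method:03x}"), CLASSES[cls])

def build_stun(method, cls, attrs=b""):
    """Construct a STUN datagram (inverse of the bit interleaving above); used
    only to fabricate sample traffic for this example."""
    mtype = (method & 0x000F) | ((method & 0x0070) << 1) | ((method & 0x0F80) << 2)
    mtype |= ((cls & 0x1) << 4) | ((cls & 0x2) << 7)
    return struct.pack(">HHI12s", mtype, len(attrs), STUN_MAGIC, b"\x00" * 12) + attrs

def flag_turn_allocations(flows):
    """A TURN Allocate request from anything but the Teams client is a
    candidate for the relay abuse described above."""
    findings = []
    for flow in flows:
        msg = parse_stun(flow["payload"])
        if (msg and msg.method == "Allocate" and msg.cls == "request"
                and flow["process"].lower() not in TEAMS_PROCESSES):
            findings.append((flow["host"], flow["process"], flow["dst"]))
    return findings

# REQUESTED-TRANSPORT attribute (type 0x0019) asking for UDP (protocol 17),
# as every Allocate request carries; the relay address is a placeholder.
REQ_TRANSPORT_UDP = struct.pack(">HHB3x", 0x0019, 4, 17)
SAMPLE_FLOWS = [
    {"host": "ws01", "process": "ms-teams.exe", "dst": "relay.example:3478",
     "payload": build_stun(0x003, 0, REQ_TRANSPORT_UDP)},   # Teams: expected
    {"host": "ws01", "process": "svchost.exe", "dst": "relay.example:3478",
     "payload": build_stun(0x003, 0, REQ_TRANSPORT_UDP)},   # non-Teams Allocate
    {"host": "ws01", "process": "chrome.exe", "dst": "relay.example:3478",
     "payload": build_stun(0x001, 0)},                      # plain STUN Binding
    {"host": "ws01", "process": "svchost.exe", "dst": "203.0.113.7:443",
     "payload": b"\xc0" + b"\x00" * 40},                    # not STUN (QUIC long header)
]

if __name__ == "__main__":
    for finding in flag_turn_allocations(SAMPLE_FLOWS):
        print("TURN Allocate from non-Teams process:", finding)
```

Only the svchost.exe allocation is reported; the Teams client's own allocation and the browser's STUN Binding are normal, and the QUIC datagram fails the STUN framing check. Two caveats a practitioner should carry into a real deployment: the process attribution needs endpoint telemetry (the relay's IP alone is indistinguishable from Teams use, which is the article's point), and an allowlist of process names is a starting heuristic, not proof, since a relay request can also be made from inside a legitimate process.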

This attack chain can be mapped to several MITRE ATT&CK techniques:

  • Initial Access: T1190 Exploit Public-Facing Application (SQL/MSSQL zero-day)
  • Execution: T1059.001 PowerShell (stage-1 archive fetching)
  • Persistence: T1053 Scheduled Task/Job (via DLL side-loading into legitimate executables)
  • Privilege Escalation: T1068 Exploitation for Privilege Escalation (BYOVD with HWAuidoOs2Ec.sys and custom driver)
  • Defense Evasion: T1036 Masquerading (Teams C2 traffic, custom driver disguise), T1562.001 Disable or Modify Tools (terminating security processes)
  • Command and Control: T1071 Application Layer Protocol (Teams/QUIC for C2)
  • Credential Access: T1003 OS Credential Dumping (exfiltrating browser credentials)
  • Lateral Movement: T1078 Valid Accounts (with stolen credentials)
  • Impact: T1486 Data Encrypted for Impact (ransomware deployment)

From a NIST SP 800-53 perspective, this highlights failures in several key controls:

  • SC-7 Boundary Protection (bypassed by trusted Teams relays)
  • SI-4 System Monitoring (failure to detect disguised C2)
  • CM-6 Configuration Settings (changes like removing 'Limit Blank Password' indicate compromise)
  • AC-2 Account Management (new user account creation)

Historical Context

This abuse of legitimate infrastructure isn't new, but the specific targeting of Microsoft Teams relays via QUIC shows evolution. A similar pattern was observed with the Sunburst backdoor used in the SolarWinds supply chain attack around December 2020. Sunburst employed legitimate Microsoft 365 APIs for C2 communications, blending its traffic with normal network activity to avoid detection. While Sunburst used HTTPS to communicate with attacker-controlled domains, mimicking legitimate API calls, DragonForce takes it a step further by using the relay infrastructure itself as a proxy for the QUIC C2, making it even harder to distinguish from actual Microsoft Teams client-to-client communication routed via TURN. Both incidents underline the growing challenge of detecting malicious activity when attackers abuse trusted cloud services, requiring a shift from perimeter-focused defense to deep endpoint and behavioral analysis.

Data at a Glance

Metric                                  Value                            Source
DragonForce Victims (Q1 2026)           101                              Symantec
DragonForce Victims (May 2026)          41                               BleepingComputer
Victim Increase (Q4 2025 to Q1 2026)    29%                              Symantec
Total Companies Targeted (by Jan 2026)  363                              The Hacker News
Access Duration (US firm incident)      1-2 months                       Symantec
Initial Access Exploit                  Undisclosed SQL/MSSQL zero-day   Symantec
CISA KEV Listing                        No direct hits                   CISA KEV

(Chart: key metrics, data from the sources cited above.)

Our Take

We're seeing an increasing trend where threat actors pivot from exploiting network vulnerabilities to abusing legitimate cloud services for C2. This DragonForce technique is particularly nasty because it weaponizes a fundamental communication mechanism of Microsoft Teams. Traditional firewalls and intrusion detection systems are largely blind to this, pushing detection responsibility squarely onto EDR/XDR platforms and vigilant behavioral analysis at the endpoint. We think organizations need to assume that even whitelisted traffic could be compromised and shift towards a "trust nothing, verify everything" mindset, especially for outbound connections.

The CVEDaily Take

This attack bypasses conventional network security by making C2 look like a standard SaaS connection, highlighting a critical blind spot for many enterprises. It's not about patching Teams; it's about re-evaluating your entire network monitoring stack against an adversary that understands how to weaponize trust. What specific network anomaly detection rules has your team implemented to identify encrypted traffic that shouldn't be there, even if it uses a trusted service's infrastructure?

FAQ

Q: Does this mean Microsoft Teams itself is vulnerable?
A: No, the reports by Symantec and Carbon Black indicate DragonForce is abusing Teams' legitimate relay infrastructure, not exploiting a vulnerability in the Teams client or service itself. They're using Microsoft's design against you, much like a legitimate postal service is used for illicit mail.

Q: Can traditional network firewalls or IDS/IPS detect this C2 traffic?
A: It's exceptionally difficult. Since the traffic appears as legitimate, encrypted QUIC sessions routed through Microsoft's TURN relays, traditional network-based detection methods that rely on IP/domain reputation or basic protocol filtering will likely miss it. Deep packet inspection capable of analyzing encrypted QUIC streams and correlating it with endpoint behavior is required, which is beyond what most firewalls or IDS/IPS can do in this context.

Q: What's the most effective defense against this type of attack?
A: The most effective defense involves strong EDR/XDR solutions like CrowdStrike Falcon or SentinelOne at the endpoint combined with strong behavioral analytics. These tools can detect the underlying malicious activities of Backdoor.Turn – such as DLL side-loading, BYOVD techniques, process injection, credential theft, and unusual process network connections – even if the C2 traffic itself is camouflaged. Implementing Zero Trust principles and granular network segmentation also helps limit lateral movement post-compromise.