DragonForce Ransomware Tunnels C2 Through Teams Infrastructure
The DragonForce ransomware group has developed a novel evasion technique: tunneling its command-and-control (C2) communications through Microsoft Teams relay infrastructure using a custom malware implant named Backdoor.Turn. By disguising malicious traffic as legitimate Teams traffic, the group can operate inside enterprise networks while bypassing firewall rules and deep packet inspection tools that would otherwise flag suspicious outbound connections.
Backdoor.Turn — The Evasion Implant
Backdoor.Turn is a custom-written backdoor designed specifically to abuse Microsoft Teams' relay architecture. Key characteristics:
| Attribute | Detail |
|---|---|
| Malware name | Backdoor.Turn |
| Threat actor | DragonForce ransomware group |
| Technique | C2 tunneling via Teams relay WebSockets |
| Targets | Enterprise networks running Microsoft 365 / Teams |
| Goal | Persistent access while evading network-based detection |
How the Evasion Works
Microsoft Teams uses a relay infrastructure to route calls, chats, and media through Microsoft-operated servers when direct peer-to-peer connections are not possible. Backdoor.Turn abuses this mechanism:
- Initial compromise — The implant is deployed on an already-compromised host via DragonForce's standard intrusion chain
- Protocol mimicry — Backdoor.Turn crafts traffic that conforms to Teams' WebSocket-based relay protocol
- C2 tunneling — Attacker commands and victim data are encoded and transmitted inside what appears to be Teams relay traffic
- Firewall bypass — Corporate firewalls typically allowlist Teams relay endpoints (e.g., *.teams.microsoft.com), so the malicious traffic passes through uninspected
Why This Matters
Most enterprise network defenses are configured to trust Microsoft 365 infrastructure by default. Security policies routinely allow broad traffic to Teams relay servers because blocking them would disable a critical business communication tool. DragonForce exploits this trusted status to maintain persistent access without triggering alerts.
Detection Challenges
- No suspicious destination IPs — Traffic terminates at legitimate Microsoft servers
- Encrypted payload — HTTPS/WSS encryption conceals the actual C2 commands
- Normal traffic patterns — Teams usage is expected on corporate networks, so additional encrypted traffic to relay endpoints blends into the existing baseline unless it is measured per host and per process
DragonForce Background
DragonForce is an active ransomware-as-a-service (RaaS) operation known for:
- Double extortion (encrypting files and threatening to leak stolen data)
- Targeting manufacturing, retail, and critical infrastructure sectors
- Developing sophisticated custom tooling to extend dwell time
The introduction of Backdoor.Turn demonstrates continued investment in detection evasion, allowing DragonForce affiliates to maintain access for extended periods before deploying the ransomware payload.
Defensive Recommendations
- Monitor Teams relay traffic anomalies — Connections to Teams relay endpoints from processes other than the Teams client, or relay volumes well above a host's norm, should trigger investigation
- Endpoint detection — Deploy EDR solutions capable of inspecting process behavior, not just network destinations; look for non-Teams binaries establishing connections to Teams relay servers
- Zero Trust network segmentation — Limit which hosts can initiate outbound connections to Teams infrastructure, and where the egress proxy can identify the originating process or user, restrict relay access to the Teams client itself; host-level allowlists alone are a weak control because nearly every workstation legitimately runs Teams
- Behavioral baselines — Establish normal Teams traffic baselines per host and alert on deviations
- Hunt for Backdoor.Turn IOCs — Work with your threat intelligence provider for current indicators of compromise
Indicators of Compromise
Contact your threat intelligence provider or search current threat feeds for Backdoor.Turn indicators. Until specific hashes and infrastructure are available, the behavioral indicators to hunt for are:
- Processes other than teams.exe or msedgewebview2.exe (or ms-teams.exe, the new Teams client) making WebSocket connections to *.relay.teams.microsoft.com
- Unusual persistence mechanisms (registry run keys, scheduled tasks) associated with new, unsigned binaries
- Large volumes of outbound encrypted traffic from workstations at unusual hours
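The two hunts above (the process-to-destination mismatch from the Defensive Recommendations and the off-hours volume indicator from this list) can be implemented as a single pass over endpoint network telemetry. The following is an added example written for this article; it is not code from the original page, from DragonForce, or from any vendor report. It runs over constructed Sysmon Event ID 3 (NetworkConnect)-style records embedded inline, enriched with outbound byte counts as a NetFlow or EDR join would provide. The process allowlist, the relay domain suffixes, the business-hours window and the 50 MiB threshold are assumptions to tune for your environment; ms-teams.exe is added for the new Teams client and is not named in the article.

```python
"""Hunt for Backdoor.Turn-style abuse of Microsoft Teams relay endpoints.

Added example for this article; not code from the original page, from
DragonForce, or from any vendor report. Input is constructed Sysmon EID 3
(NetworkConnect)-style telemetry joined with per-connection outbound bytes.
"""
import ntpath
from collections import defaultdict
from datetime import datetime

# Binaries expected to talk to Teams relay endpoints. teams.exe and
# msedgewebview2.exe come from the article; ms-teams.exe (new Teams client)
# is an added assumption.
TEAMS_PROCESSES = {"teams.exe", "ms-teams.exe", "msedgewebview2.exe"}

# Domain suffixes treated as Teams relay infrastructure (both named in the article).
TEAMS_RELAY_SUFFIXES = (".relay.teams.microsoft.com", ".teams.microsoft.com")

# Tuning assumptions, not values from the article: 07:00-19:59 local time is
# "business hours"; more than 50 MiB outbound outside that window is notable.
BUSINESS_HOURS = range(7, 20)
OFFHOURS_BYTES_THRESHOLD = 50 * 1024 * 1024

# Constructed sample telemetry (not real captures).
SAMPLE_EVENTS = [
    {"host": "WS-0123", "ts": "2024-05-02T09:14:03",
     "image": r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "dest_host": "52-112-0-17.relay.teams.microsoft.com", "dest_port": 443,
     "bytes_out": 4_200_000},
    {"host": "WS-0123", "ts": "2024-05-03T02:41:17",
     "image": r"C:\ProgramData\Intel\svchost_upd.exe",   # unsigned lookalike, hypothetical
     "dest_host": "52-112-0-17.relay.teams.microsoft.com", "dest_port": 443,
     "bytes_out": 80_000_000},
    {"host": "WS-0456", "ts": "2024-05-02T11:02:55",
     "image": r"C:\Windows\System32\svchost.exe",
     "dest_host": "update.microsoft.com", "dest_port": 443,
     "bytes_out": 900_000},
    {"host": "WS-0456", "ts": "2024-05-02T22:30:00",
     "image": r"C:\Program Files\WindowsApps\MSTeams_24\ms-teams.exe",
     "dest_host": "52-113-1-8.relay.teams.microsoft.com", "dest_port": 443,
     "bytes_out": 2_000_000},
    {"host": "WS-0789", "ts": "2024-05-02T23:10:00",
     "image": r"C:\Users\bob\AppData\Local\Microsoft\Teams\current\Teams.exe",
     "dest_host": "52-113-1-8.relay.teams.microsoft.com", "dest_port": 443,
     "bytes_out": 60_000_000},
]


def is_teams_relay(dest_host):
    """True if dest_host sits under a Teams relay suffix (matched on a dot
    boundary, so teams.microsoft.com.evil.example does not qualify)."""
    h = dest_host.lower().rstrip(".")
    return any(h.endswith(s) for s in TEAMS_RELAY_SUFFIXES)


def process_name(image):
    """Lower-cased basename of a Windows image path."""
    return ntpath.basename(image).lower()


def find_process_mismatches(events):
    """Events where a non-Teams binary connects to a Teams relay host.
    The destination is legitimate, so process identity is the signal."""
    return [e for e in events
            if is_teams_relay(e["dest_host"])
            and process_name(e["image"]) not in TEAMS_PROCESSES]


def find_offhours_volume(events):
    """Per-host outbound bytes outside BUSINESS_HOURS, for hosts over threshold.
    Not limited to relay hosts or unknown processes: an implant hiding inside
    a legitimate Teams process passes the allowlist, so this runs independently."""
    totals = defaultdict(int)
    for e in events:
        if datetime.fromisoformat(e["ts"]).hour not in BUSINESS_HOURS:
            totals[e["host"]] += e["bytes_out"]
    return {h: b for h, b in totals.items() if b > OFFHOURS_BYTES_THRESHOLD}


def hunt(events):
    """Run both hunts and return human-readable findings."""
    findings = []
    for e in find_process_mismatches(events):
        findings.append(f"{e['host']}: {process_name(e['image'])} -> "
                        f"{e['dest_host']}:{e['dest_port']} at {e['ts']} "
                        "(non-Teams process to Teams relay)")
    for host, total in sorted(find_offhours_volume(events).items()):
        findings.append(f"{host}: {total // 1_048_576} MiB outbound off-hours "
                        f"(threshold {OFFHOURS_BYTES_THRESHOLD // 1_048_576} MiB)")
    return findings


if __name__ == "__main__":
    for line in hunt(SAMPLE_EVENTS):
        print(line)
```

Against the sample data the process check flags only the unsigned lookalike on WS-0123, while the volume check flags both WS-0123 and WS-0789; the second host is a legitimate Teams binary moving 60 MiB at 23:10, which is exactly the case the process allowlist cannot catch and which should be triaged on its own. Substitute your SIEM's Sysmon or EDR export for SAMPLE_EVENTS and raise the threshold to whatever your per-host baseline supports.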