Security researchers have identified a sophisticated ransomware campaign carried out by the DragonForce group using a novel technique: abusing Microsoft Teams relay servers as command-and-control (C2) infrastructure. The attack deploys a new Go-based backdoor that routes its malicious traffic through legitimate Microsoft Teams relay endpoints, making detection significantly more difficult for network-based security controls.
The findings were published by SecurityWeek on June 17, 2026, and represent one of the clearest examples to date of ransomware operators adopting "living-off-the-land" techniques at the network infrastructure level.
DragonForce Background
DragonForce is a ransomware-as-a-service (RaaS) operation that has been active since late 2023. The group has attracted affiliates through aggressive recruitment on dark web forums and has been linked to attacks against organizations in manufacturing, retail, and critical infrastructure sectors. DragonForce gained notoriety in 2024 after targeting multiple UK organizations and has continued to evolve its tactics, techniques, and procedures (TTPs) throughout 2025 and 2026.
The group has demonstrated a willingness to rapidly adopt new techniques — including EDR bypass methods, BYOVD (Bring Your Own Vulnerable Driver) attacks, and now, network-layer C2 obfuscation via trusted cloud services.
The Go-Based Backdoor
The newly discovered backdoor is written in Go (Golang), a language increasingly popular among threat actors for its cross-platform compilation capabilities and relatively small binary footprint. Key characteristics of the malware include:
- Teams relay C2: The backdoor establishes its command-and-control channel by connecting to Microsoft Teams relay servers — legitimate Microsoft infrastructure used to route Teams audio, video, and data traffic
- Protocol blending: Malicious C2 traffic is designed to resemble legitimate Teams relay communications, evading network inspection tools that allowlist Microsoft endpoints
- Cross-platform capability: The Go binary can be compiled for Windows, Linux, and macOS targets
- Persistence mechanisms: The backdoor establishes persistence via Windows services or scheduled tasks depending on the target environment
How the Attack Works
The attack chain follows a multi-stage pattern:
1. Initial access via phishing, exposed RDP, or VPN vulnerability exploitation
2. Reconnaissance and lateral movement using living-off-the-land binaries (LOLBins)
3. Deployment of the Go-based backdoor on high-value targets (domain controllers, file servers)
4. Backdoor establishes C2 channel via Microsoft Teams relay infrastructure
5. DragonForce operators issue commands, exfiltrate data, and stage ransomware payload
6. Double-extortion: data exfiltrated before encryption for leverage in ransom demands
7. Ransomware deployed across the network; ransom note dropped on affected systems
Why Microsoft Teams Relay?
The choice of Microsoft Teams relay infrastructure for C2 is deliberate and tactically sophisticated:
Trusted by Default
Most enterprise security tools and network firewalls explicitly allowlist Microsoft domains and IP ranges, including Teams relay servers. Traffic to these endpoints is rarely inspected, let alone blocked.
Traffic Volume
Microsoft Teams generates enormous volumes of legitimate UDP and TCP traffic in enterprise environments. Malicious C2 beacons are effectively camouflaged within this traffic.
No Firewall Rules to Bypass
Since Teams traffic must be permitted for normal business operations, the attacker doesn't need to bypass any network-level controls — the path is already open.
Consistent with Living-Off-the-Land Trends
This technique follows the broader trend of threat actors abusing legitimate cloud and SaaS infrastructure for malicious purposes. Previous examples include:
- Ransomware gangs using Microsoft Teams external access to deliver vishing attacks (June 2026)
- Turla/Kazuar using peer-to-peer botnets built on compromised infrastructure
- Various APTs using OneDrive, GitHub, Discord, and Slack as C2 channels
Detection Challenges
The use of Microsoft Teams relay servers for C2 presents significant detection challenges:
| Challenge | Detail |
|---|---|
| TLS Encryption | Traffic to Teams relays is TLS-encrypted; payload inspection is not possible without MITM decryption |
| Domain Allowlisting | Security tools often allowlist *.teams.microsoft.com and related CDN ranges |
| Legitimate Traffic Baseline | High volume of legitimate Teams traffic makes anomaly detection difficult |
| No Malicious Domains | The backdoor does not communicate with attacker-controlled domains, bypassing domain reputation checks |
Detection Strategies
Despite these challenges, security teams have several options for detecting this technique:
Network Behavioral Analysis
- Establish a baseline of normal Teams relay traffic volume per endpoint
- Alert on endpoints that establish Teams relay connections outside of business hours
- Flag endpoints that generate Teams relay traffic while Teams client is not installed or running
- Monitor for unusual beacon patterns (regular, periodic connections at fixed intervals)
Endpoint Detection
- Detect Go binary execution from non-standard locations (AppData, Temp, ProgramData)
- Alert on new services or scheduled tasks created by non-standard processes
- Hunt for processes making network connections to Teams relay IPs that are not the Teams client
- Monitor parent-child process relationships for suspicious process spawning
Threat Hunting Queries
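A worked version of the behavioural rules listed under Detection Strategies, added here as an example (not code from the SecurityWeek report or from any DragonForce sample): it runs over constructed connection-log records and flags hosts where a process outside the expected Teams/browser set reaches the relay range, or where connections to that range recur at fixed intervals. It assumes 52.114.0.0/16 as the relay range, following the pattern in this page's hunt query, and the process name "svchost-update.exe" in the sample is hypothetical.

```python
import ipaddress
import statistics
from collections import defaultdict

# This page's hunt query keys on 52.114.x.x; the example assumes that /16 is the relay range.
TEAMS_RELAY_NETS = [ipaddress.ip_network("52.114.0.0/16")]
LEGIT_STEMS = ("teams", "msedge", "chrome")  # names the page's query treats as expected talkers

def is_teams_relay(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TEAMS_RELAY_NETS)

def beacon_cv(timestamps):
    """Coefficient of variation of the gaps between connections; near 0 = fixed-interval beacon."""
    if len(timestamps) < 4:
        return None  # too few samples to judge regularity
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean > 0 else None

def hunt(records, max_cv=0.1):
    """records: (ts_seconds, host, process_name, remote_ip) tuples -> [(host, process, reasons)]."""
    seen = defaultdict(list)
    for ts, host, proc, rip in records:
        if is_teams_relay(rip):  # only relay-bound connections matter here
            seen[(host, proc.lower())].append(ts)
    findings = []
    for (host, proc), ts_list in seen.items():
        reasons = []
        if not any(stem in proc for stem in LEGIT_STEMS):
            reasons.append("non-Teams process talking to Teams relay range")
        cv = beacon_cv(sorted(ts_list))
        if cv is not None and cv < max_cv:
            reasons.append(f"fixed-interval beaconing (cv={cv:.2f})")
        if reasons:
            findings.append((host, proc, reasons))
    return findings

# Constructed sample log: a workstation's real Teams client (irregular, human-driven) and a
# server where a hypothetical "svchost-update.exe" reaches a relay address exactly every 60 s.
SAMPLE = (
    [(t, "ws01", "Teams.exe", "52.114.10.5") for t in (0, 7, 95, 100, 260)]
    + [(t, "srv01", "svchost-update.exe", "52.114.32.7") for t in range(0, 300, 60)]
    + [(30, "srv01", "svchost-update.exe", "40.1.2.3")]  # not a relay address: ignored
)

if __name__ == "__main__":
    for host, proc, reasons in hunt(SAMPLE):
        print(f"{host} {proc}: {'; '.join(reasons)}")
```

On real data, feed it per-host connection records from EDR or NetFlow and tune `max_cv` against your own Teams baseline; human-driven Teams sessions score well above 0.1.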
Look for processes communicating with Microsoft Teams relay infrastructure that are not the Microsoft Teams executable:
```powershell
# Example: Find processes connecting to Teams relay IPs that aren't Teams.exe
# The 52.114.x.x prefix is anchored with ^ so that e.g. 152.114.x.x does not match;
# -ErrorAction SilentlyContinue avoids errors for connections whose owning process has already exited
Get-NetTCPConnection | Where-Object {
    $_.RemoteAddress -match "^52\.114\." -and
    (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).Name -notmatch "Teams|msedge|chrome"
} | Select-Object LocalAddress, RemoteAddress, RemotePort, State, OwningProcess
```
Organizational Response
If your organization detects indicators consistent with this attack:
- Isolate affected systems immediately from the network
- Preserve forensic evidence — memory dumps, network capture, event logs — before remediation
- Identify the initial access vector to prevent re-entry
- Conduct a scope assessment — determine which systems the backdoor was deployed on and what data was accessed
- Engage incident response — this is a pre-ransomware indicator; rapid response can prevent encryption
- Notify relevant parties — legal, executive leadership, cyber insurance carrier, and potentially law enforcement
Hardening Against This Technique
- Restrict who can install software — prevent non-admin users from running arbitrary Go binaries
- Application allowlisting — permit only approved applications to run
- Monitor for unexpected Teams relay connections from server systems where Teams is not deployed
- Deploy an EDR solution capable of behavioral detection of C2 beaconing
- Implement network segmentation — servers should not initiate outbound connections to arbitrary cloud services without explicit need
This attack demonstrates that ransomware operators are investing in operational security at the network layer — not just at the payload level. Defenders must evolve detection strategies beyond signature-based approaches and toward behavioral analysis that can identify malicious activity even when it hides behind trusted services.