What Happened
The attackers deployed a new Go-based backdoor that uses Microsoft Teams servers for command-and-control.
Why It Matters
According to reporting, DragonForce ransomware operators deployed a new Go-based backdoor (Backdoor.Turn) that abuses legitimate Microsoft Teams TURN relay servers to disguise command-and-control traffic, making it appear as normal collaboration traffic and evading traditional network defenses.[1][3][6] The campaign shows long-term, covert persistence within a major U.S. services firm, without any evidence that Microsoft’s core infrastructure was breached; instead, standard Teams relay functionality was repurposed for malicious use.[1][3][6] For CyberSE.AI, this highlights that AI-enabled SaaS collaboration platforms and their networking primitives (e.g., TURN/QUIC over UDP 443) can be leveraged as covert channels for agent C2, requiring agents and defenses to treat "trusted" SaaS traffic as potentially hostile and to instrument process-aware and protocol-aware monitoring around these dependencies. Organizations should harden AI and agent architectures that rely on SaaS platforms by baselining expected service use, applying continuous red teaming against SaaS-based C2 patterns, and including SaaS communication behaviors in AI security readiness and threat modeling.
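The process-aware and protocol-aware monitoring called for above, as an added example that is not part of the original signal or of any vendor tooling: it scores per-process flow records against a baseline of which binaries are expected to hold Teams relay sessions and flags long, near-idle sessions that look like a beacon rather than a call. The relay prefix, process allow-list, thresholds and telemetry schema are all assumptions; the relay range in particular is a placeholder to be replaced with Microsoft's published ranges.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed placeholder range: populate from Microsoft's published Teams media/relay IP ranges.
RELAY_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
# Assumed baseline: the only process images expected to hold relay sessions on this estate.
EXPECTED_PROCESSES = {"ms-teams.exe", "teams.exe"}
RELAY_PORTS = {443, 3478}  # UDP 443 as in the report; 3478 is the standard TURN port

@dataclass
class Flow:
    """One per-process network flow from endpoint telemetry (constructed schema)."""
    host: str
    process: str
    dst_ip: str
    dst_port: int
    proto: str
    duration_s: int
    bytes_total: int

def is_relay_endpoint(flow: Flow) -> bool:
    addr = ipaddress.ip_address(flow.dst_ip)
    return flow.dst_port in RELAY_PORTS and any(addr in net for net in RELAY_PREFIXES)

def assess(flow: Flow, min_session_s: int = 3600, max_bps: float = 100.0) -> List[str]:
    """Findings for one flow; an empty list means it fits the baseline. Thresholds are assumptions."""
    findings: List[str] = []
    if not is_relay_endpoint(flow):
        return findings  # not Teams relay traffic; out of scope for this rule
    # Process-aware check: a relay session opened by anything other than the Teams client.
    if flow.process.lower() not in EXPECTED_PROCESSES:
        findings.append(f"{flow.process} on {flow.host} opened a Teams relay session")
    # Behaviour-aware check: a real call moves far more than ~100 B/s; a beacon holding a
    # relay allocation open for hours at near-idle volume does not.
    bps = flow.bytes_total / max(flow.duration_s, 1)
    if flow.duration_s >= min_session_s and bps < max_bps:
        findings.append(f"long idle relay session from {flow.host}: {flow.duration_s}s at {bps:.1f} B/s")
    return findings

# Constructed sample telemetry: a normal call, a suspicious long idle session, unrelated traffic.
SAMPLE_FLOWS = [
    Flow("ws01", "ms-teams.exe", "203.0.113.10", 443, "UDP", 1800, 54_000_000),
    Flow("ws02", "svcupdate.exe", "203.0.113.22", 443, "UDP", 28_800, 96_000),
    Flow("ws03", "chrome.exe", "198.51.100.5", 443, "TCP", 60, 2_000_000),
]

def run(flows: List[Flow]) -> Dict[str, List[str]]:
    """Map host -> findings for every flow that raised at least one."""
    return {f.host: found for f in flows if (found := assess(f))}
```

Only the second sample flow is reported, on both counts; a legitimate call from the Teams client and unrelated HTTPS traffic pass through unflagged.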
CyberSE Analysis
This signal maps to SaaS AI risk. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://www.securityweek.com/microsoft-teams-relay-servers-abused-in-dragonforce-ransomware-attack/