In early November 2025, threat actors affiliated with the self‑styled “DragonForce” group leveraged a previously undocumented feature of Microsoft Teams to cloak their command‑and‑control (C2) communications. By abusing Teams’ built‑in relay infrastructure, the attackers were able to mask malicious payloads as legitimate collaboration traffic, effectively rendering their Backdoor.Turn implant invisible to standard network monitoring tools. The campaign, discovered by a joint effort between Microsoft’s Threat Intelligence Center and several independent security vendors, illustrates a sophisticated shift toward “living‑off‑the‑land” (LOTL) tactics that leverage trusted SaaS platforms for stealthy persistence.

Understanding the Threat Landscape

Traditional perimeter defenses are increasingly ineffective against adversaries who can blend malicious activity with everyday user traffic. In the DragonForce case, the actors did not rely on phishing attachments or compromised VPN credentials; instead, they created a covert channel that rides atop the Microsoft Teams cloud service. This technique exploits the inherent trust organizations place in collaboration platforms, allowing malicious commands to travel under the guise of ordinary chat messages, file transfers, or video‑call signaling. The resulting Backdoor.Turn implant can maintain a persistent presence on compromised hosts while evading detection by conventional intrusion detection signatures.

How Teams Relays Operate

Microsoft Teams employs a federated network of edge nodes to route audio, video, and chat streams across geographically dispersed users. When a user initiates a session, Teams establishes multiple outbound connections to Microsoft’s global relay infrastructure, negotiates TLS‑encrypted tunnels, and then selects the optimal path based on latency and bandwidth. These connections are indistinguishable from legitimate user activity to most firewalls, which typically allow outbound HTTPS traffic without deep inspection.

The attackers reverse‑engineered this routing mechanism to create a covert tunnel that mirrors normal Teams behavior. By injecting crafted packets into an active chat session, they encode C2 commands inside the payload of legitimate messages. The relay module on the infected host extracts these commands, decodes them, and triggers the Backdoor.Turn payload to execute the requested actions. Because the traffic remains within the Microsoft network boundary, it bypasses many external security controls.

Technical Deep Dive: Relay Abuse Mechanics

Backdoor.Turn is a modular backdoor written in Go that communicates with its operators via encrypted HTTP requests. In the recent campaign, the payload was staged on compromised internal servers and instructed to listen for “heartbeat” signals embedded in Teams chat messages. The relay module performs the following steps:

  • Message Interception: Captures outbound chat packets before they are encrypted for transmission.
  • Payload Decoding: Extracts hidden commands concealed within specially crafted Unicode strings.
  • Command Execution: Maps decoded instructions to specific TEAN (Teams Execution Agent) functions.
  • Response Obfuscation: Packages status information back into innocuous‑looking chat responses.

This end‑to‑end flow ensures that all C2 traffic appears as ordinary Teams communication, making it extremely difficult for network‑based detection tools to flag suspicious activity without deep TLS inspection and behavioral analysis.

Why This Matters to Modern Enterprises

The incident raises several critical concerns for organizations that rely heavily on collaborative platforms:

  • Stealth Persistence: Malware can maintain a foothold on compromised endpoints without generating obvious network anomalies.
  • Evasion of Security Controls: Encrypted, legitimate‑looking traffic can bypass traditional IDS/IPS signatures and even advanced threat‑blocking solutions.
  • Supply‑Chain Exposure: Compromised service accounts can be leveraged to propagate the relay across multiple departments, amplifying impact.
  • Regulatory Implications: Data exfiltration hidden within Teams traffic may trigger compliance violations if not detected promptly.

Given the widespread adoption of Microsoft Teams for remote work, file sharing, and cross‑departmental coordination, the attack surface is vast. Organizations must recognize that any platform exposing programmable APIs and dynamic relay capabilities can become a vector for sophisticated threat actors.

Actionable Defense Strategies

To mitigate the risk of relay‑based abuse, security teams should adopt a comprehensive, layered approach that combines network hygiene, platform hardening, and proactive threat hunting:

  • Network Segmentation: Isolate Teams traffic from critical workloads using dedicated VLANs or zero‑trust micro‑segments.
  • Outbound TLS Decryption: Deploy a forward‑looking proxy that terminates TLS for Teams sessions, enabling deep packet inspection for anomalous payloads.
  • Behavioral Analytics: Implement UEBA solutions to detect deviations in chat frequency, message size, or timing patterns that may indicate hidden C2 traffic.
  • EDR Hardening: Ensure endpoint detection and response agents monitor for process injection, unusual inter‑process communication, and suspicious outbound connections to Microsoft endpoints.
  • Least‑Privilege Enforcement: Restrict service account permissions for Teams integrations to the minimum scope required.
  • Threat‑Hunting Drills: Conduct regular red‑team exercises that specifically target relay abuse scenarios and validate detection capabilities.

Step‑by‑Step Immediate Checklist

Below is a concise, actionable checklist that security administrators can implement within the next 48 hours to reduce exposure to the DragonForce relay abuse technique:

  1. Audit all custom Teams bots, connectors, and third‑party applications; disable or remove any that are not essential.
  2. Enforce Azure AD Conditional Access policies that restrict external relay usage to known, trusted IP ranges.
  3. Deploy a TLS decryption gateway for outbound Teams traffic and configure signature‑based detection for known relay payloads.
  4. Apply network egress filters that block unused ports to Microsoft Teams endpoints, limiting the attack surface.
  5. Update EDR signatures and threat‑intel feeds to include new indicators of compromise (IOCs) associated with Backdoor.Turn.
  6. Perform a forensic review of recent Teams chat logs for hidden messages containing encoded commands or anomalous Unicode sequences.
  7. Report findings to the incident response team and initiate immediate containment actions for any compromised accounts.

Conclusion

The DragonForce exploitation of Microsoft Teams relays exemplifies a broader trend in which cyber adversaries leverage trusted collaboration platforms to conceal malicious activity. This shift underscores the necessity for organizations to move beyond perimeter‑centric defenses and adopt a proactive, multilayered security posture that integrates network segmentation, deep TLS inspection, and continuous behavioral monitoring.

Investing in professional IT management and advanced security services not only mitigates the immediate threat but also builds long‑term resilience against future relay‑based attacks. By partnering with experienced security providers, businesses can ensure that their collaboration tools remain productivity engines rather than hidden conduits for cyber‑threats, thereby preserving both operational efficiency and stakeholder confidence.

Need Expert IT Advice?

Talk to TH247 today about how we can help your small business with professional IT solutions, custom support, and managed infrastructure.