AbejaIT AbejaIT

DragonForce Hides Backdoor.Turn C2 in Microsoft Teams Relay Traffic

15.07.2026

The DragonForce ransomware group developed a custom Go remote access trojan (RAT) that hides C2 traffic inside Microsoft Teams infrastructure—widely used in corporate environments. An attack targeting a large US services company shows hackers increasingly abuse trusted business platforms to evade security systems. A clear signal for IT departments: network traffic monitoring must include applications considered safe.

The DragonForce ransomware group developed custom remote access trojan Backdoor.Turn in Go, hiding command-and-control traffic inside Microsoft Teams infrastructure—widely used in corporate environments and whitelisted in firewalls. An attack targeting a large US services company shows hackers increasingly abuse trusted business platforms to evade security systems based on unknown domain blocking.

Living-off-the-Trusted-Cloud

The technique tunnels C2 through legitimate Microsoft 365/Teams endpoints—traffic looks like standard collaboration app communication, passes corporate proxy, and often bypasses SSL inspection without alert. Go-based Backdoor.Turn is lightweight, hard to signature-detect, and designed for long-term persistence after initial access—typically via phishing, compromised credentials, or VPN exploits.

DragonForce is a ransomware group known for double extortion and aggressive negotiation. Combining RAT with Teams infrastructure suggests full kill chain: reconnaissance and persistence via Backdoor.Turn, lateral movement, exfiltration, then ransomware deployment—all using channels considered safe.

Network Monitoring Implications

  • Zero Trust on M365 traffic – behavioral analysis, not just Microsoft domain allowlist.
  • NDR and CASB – anomaly detection in Teams volume and patterns vs user baseline.
  • Endpoint correlation – Go process spawn from Teams or unusual child processes.
  • Segmentation – limit workstation egress to required services only.

Recommendations for B2B IT Departments

Organizations should extend SOC playbooks with SaaS-hidden C2 scenarios: mass Teams upload/download outside pattern, Teams logins from compromised endpoints after phishing, Microsoft relay connections from processes other than Teams.exe. EDR integrated with M365 Defender correlates endpoint and cloud signals.

Partners offering IT infrastructure with SOC/MDR layers deploy living-off-the-cloud detection rules and tabletop exercises simulating DragonForce-style attacks before ransomware.

Microsoft Graph API Monitoring

Defender for Cloud Apps can detect Graph API application anomalies—unusual scope, volume, and geolocation. Custom Sentinel detection rules alert on Teams traffic from non-Microsoft binary processes (e.g., Go executable).

After DragonForce incident, full M365 refresh token rotation and forced re-login for all users may be necessary if compromised account token had broad scope.

Regulatory Context and Reporting

Incidents discussed in this article may require assessment under GDPR, NIS2, and sector regulations. Organizations should maintain an up-to-date processing register, breach risk assessment procedure, and 24/7 IR team contacts. Incident timeline documentation—from detection to remediation—is critical for post-audit and cyber insurance discussions.

We recommend annual tabletop exercises with leadership, IT, legal, and PR participation covering data leaks, ransomware, and SaaS supply chain compromise.

Long-Term Cyber Resilience Strategy

Single post-incident remediation does not build organizational resilience. Investment in defense-in-depth, continuous user training, threat intelligence, and partnership with specialized IT services for businesses shortens mean time to detect and mean time to respond.

Practical Steps for the Next 30 Days

Within the first week: inventory affected systems, rotate credentials, and deploy available patches. Second week: detection tests, IR playbook updates, and key user training. Third and fourth weeks: compensating control audit, leadership report, and long-term architecture remediation plan. Each step should have an owner, deadline, and measurable outcome.

Teams without internal security resources can engage external partners to accelerate remediation—typical engagements last 2–6 weeks covering assessment, hardening, and runbook handoff to the client IT team. AbejaIT supports B2B organizations at every stage—from rapid exposure assessment to durable security control implementation.

Partnership With a Technology Provider

Many B2B organizations lack sufficient internal resources to independently maintain a full security program—from threat intelligence to 24/7 SOC. Cooperation with an experienced IT services provider shortens control deployment time, avoids common configuration mistakes, and maintains knowledge continuity even with internal staff rotation. The cooperation model should clearly define SLA, responsibility scope, and incident escalation procedures.

AbejaIT supports companies in security audits, infrastructure hardening, AI solution deployments with governance, and long-term production environment maintenance. Every engagement starts with maturity assessment and quick wins prioritization—actions delivering the greatest risk reduction in the shortest time.

Security Program Success Metrics

An effective cybersecurity program measures MTTD (mean time to detect), MTTR (mean time to respond), critical audit findings count, immutable backup coverage, and phishing simulation results. Quarterly leadership dashboards should show trends—not just absolute values. Goals should be realistic: e.g., 20% MTTR reduction year-over-year, 100% MFA coverage on admin accounts, zero critical CVEs on exposed services 72h after publication.

Conclusion

Backdoor.Turn and Teams abuse remind that SaaS allowlists do not replace behavioral detection. B2B companies must monitor trusted application traffic with the same rigor as unknown domains. We invite consultation on IT services for businesses and advanced monitoring.

Source: The Hacker News