[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fKVFXXzgab4n-kqltVQrPrrnMVhdl6pn8Z0jFfvt5qyg":3},{"lesson":4},{"id":5,"slug":6,"article_id":7,"title":8,"body":9,"prevention":10,"framework_refs":11,"status":23,"created_at":24,"published_at":25,"article":26,"tags":30,"podcasts":49},"670c4511-5d5b-4259-bf84-cca0e9a8aace","dragonforce-abuses-microsoft-teams-relays-to-mask-ransomware-c2-traffic","a20b0f61-9bbb-4216-a794-c9bfcd34ec76","DragonForce Abuses Microsoft Teams Relays to Mask Ransomware C2 Traffic","DragonForce ransomware actors exploited a likely unpatched SQL server vulnerability to gain initial access, then deployed a custom Go-based RAT (Backdoor.Turn) that tunneled command-and-control traffic through legitimate Microsoft Teams relay infrastructure. By blending malicious traffic with trusted collaboration platform communications, the attackers evaded detection for one to two months — a dangerously long dwell time. This highlights how attackers increasingly abuse trusted cloud services to bypass traditional perimeter defenses and signature-based detection. The combination of delayed detection and living-off-the-land-style C2 masquerading significantly amplifies the potential for data exfiltration and full ransomware deployment before defenders can respond.","**Immediate Actions:**\n- Audit and patch all internet-facing SQL servers and application endpoints against known CVEs immediately.\n- Review Microsoft Teams relay and network traffic logs for anomalous outbound connections or unusual relay usage patterns.\n\n**Detection Measures:**\n- Deploy behavioral-based NDR (Network Detection and Response) tools capable of identifying C2 patterns within encrypted or trusted-platform traffic.\n- Establish baselines for Microsoft Teams traffic volume and flag deviations that may indicate relay abuse for C2 tunneling.\n- Implement SIEM correlation rules that trigger alerts when internal hosts communicate with Teams relay endpoints outside of normal business hours or at unusual volumes.\n\n**Long-Term Improvements:**\n- Enforce strict egress filtering and network segmentation to limit which internal hosts can communicate with cloud collaboration relay infrastructure.\n- Adopt a Zero Trust architecture that continuously validates device and user identity before permitting access to internal resources or cloud services.\n- Conduct regular threat hunting exercises focused on living-off-the-land and trusted-service-abuse techniques to reduce mean time to detect (MTTD).",[12,13,14,15,16,17,18,19,20,21,22],"CIS Control 7: Continuous Vulnerability Management","CIS Control 12: Network Infrastructure Management","CIS Control 13: Network Monitoring and Defense","NIST SP 800-61 Rev. 2: Incident Response","NIST SI-4: System Monitoring","NIST AC-17: Remote Access","NIST CA-7: Continuous Monitoring","MITRE ATT&CK T1071.001: Application Layer Protocol – Web Protocols","MITRE ATT&CK T1219: Remote Access Software","MITRE ATT&CK T1090: Proxy","NIST SP 800-207: Zero Trust Architecture","published","2026-06-18T14:21:01.781611+00:00","2026-06-18T14:21:01.569+00:00",{"id":7,"url":27,"slug":28,"title":29},"https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fdragonforce-hackers-abuse-microsoft.html","dragonforce-hackers-abuse-microsoft-teams-relays-to-hide-backdoor-turn-c2-traffi-cd54cf","DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor.Turn C2 Traffic",[31,37,43],{"id":32,"name":33,"slug":34,"description":35,"color":36},"05757c8d-6b93-4194-b35d-7359e7d33b0e","Vulnerability Management","vulnerability-management","Missing scans, no risk prioritization","#fb923c",{"id":38,"name":39,"slug":40,"description":41,"color":42},"1732a005-556e-411c-a9db-5edec3058571","Logging & Monitoring","logging-monitoring","Missing logs, no alerting, blind spots","#a855f7",{"id":44,"name":45,"slug":46,"description":47,"color":48},"f43a7f30-5046-4b10-9dba-1a704139821e","Network Segmentation","network-segmentation","Lateral movement, flat networks, missing firewalls","#06b6d4",[]]