
Cybersecurity Threat Advisory

Threat actors are using a custom backdoor to route their command-and-control (C2) traffic through Microsoft Teams’ TURN relay infrastructure. This technique blends malicious traffic with legitimate Teams communications. As a result, attackers can bypass traditional network defenses, maintain covert access to victim systems, and ultimately deploy ransomware with a reduced chance of detection. Read this Cybersecurity Threat Advisory to mitigate risk for you and your clients.

What is the threat?

The threat involves the DragonForce ransomware gang using a custom backdoor, dubbed Backdoor.Turn, to secretly route its command-and-control (C2) traffic through Microsoft Teams’ TURN relay infrastructure. Attackers tunnel malicious traffic through the same protocols and relays that Teams uses when direct connections are not possible. This allows their C2 communications to appear as normal collaboration traffic. The evasion technique helps them bypass traditional network monitoring and security controls, maintain stealthy access within victim environments, and more effectively deploy and operate ransomware.

Why is it noteworthy?

This attack is noteworthy because it demonstrates a real-world “living-off-the-cloud” tactic: ransomware operators hide command-and-control traffic within trusted Microsoft Teams infrastructure. By abusing Teams’ TURN relays and legitimate identity services, Backdoor.Turn makes malicious traffic appear indistinguishable from normal collaboration activity. This significantly undermines traditional network monitoring and allowlists that trust Microsoft domains.

It also represents the first documented case of attackers operationalizing a technique previously seen only in research (Praetorian’s Ghost Calls). This shift signals that advanced proof-of-concept cloud abuse methods are now being adopted by criminal groups. It also suggests these techniques will likely spread to other collaboration and SaaS platforms.

What is the exposure or risk?

The primary risk is that attackers can hide command-and-control and data exfiltration traffic within what appears to be normal Microsoft Teams activity. This makes it very difficult for defenders to detect or block the threat. Many organizations broadly trust Microsoft cloud traffic. Because of this, the technique can bypass firewalls, proxy controls, and domain allowlists that would normally prevent suspicious connections.

Once inside, attackers can move laterally, steal data, and deploy ransomware. Their network communications continue to appear legitimate throughout the attack. This increases both the likelihood of a successful compromise and the potential impact. Intrusions may persist undetected for longer periods and become more difficult to investigate or contain.

What are the recommendations?

Barracuda strongly recommends taking the following actions to reduce exposure and secure environments:

  • Strengthen endpoint detection and response (EDR) to flag unusual use of Microsoft Teams, Skype, or TURN-related processes and libraries.
  • Monitor and baseline outbound Microsoft 365 / Teams traffic (including QUIC over UDP) to detect anomalies in volume, timing, and destinations.
  • Enable detailed logging for Microsoft 365, Azure AD, and Teams (including sign-ins, tokens, and guest/anonymous sessions). Forward logs to a SIEM for correlation.
  • Implement strict egress controls and proxy inspection. Ensure only sanctioned Microsoft 365 endpoints are reachable, and block direct outbound QUIC where not needed.
  • Review and harden Teams and Microsoft 365 configurations (conditional access, guest/anonymous access policies, device compliance). This reduces abuse of anonymous visitor tokens.
  • Use cloud security tools (CASB/CSPM) to detect suspicious or non-typical patterns of collaboration traffic and access to Teams resources.
  • Apply threat intelligence and IoCs related to Backdoor.Turn / DragonForce (when available) across IDS/IPS, EDR, and SIEM detections.
  • Enforce least privilege and network segmentation to limit lateral movement and reduce the blast radius if a backdoor is deployed.
  • Maintain robust backup and recovery processes. Ensure ransomware response procedures are tested regularly to minimize impact if an attack succeeds.
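As an added example (not from the advisory or Barracuda's tooling), the following Python script applies the EDR and baselining recommendations above to constructed flow records: it flags Teams TURN relay traffic coming from a process other than the Teams client, sessions with beacon-like regular timing, and outbound volume far above the fleet baseline. The Teams process names, the thresholds and the `teams_turn` destination tag (a destination already matched against your own allowlist of Microsoft Teams relays) are assumptions to adapt to your environment.

```python
from collections import defaultdict
from statistics import mean, median, pstdev

# Processes expected to talk to Teams TURN relays (assumed names; adjust to your estate).
EXPECTED_TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}
MIN_FLOWS_FOR_TIMING = 4   # need several sessions before judging regularity
MAX_BEACON_CV = 0.15       # coefficient of variation of start gaps below this = clockwork
VOLUME_FACTOR = 5.0        # flag groups sending more than 5x the fleet median bytes

# Constructed sample flow records, not real telemetry:
# (host, process, dst_tag, proto, bytes_out, start_epoch_seconds)
FLOWS = [
    ("WS01", "ms-teams.exe", "teams_turn", "udp", 48_000, 1_000),    # normal, irregular calls
    ("WS01", "ms-teams.exe", "teams_turn", "udp", 52_000, 4_700),
    ("WS01", "ms-teams.exe", "teams_turn", "udp", 39_000, 9_100),
    ("WS01", "ms-teams.exe", "teams_turn", "udp", 61_000, 15_400),
    ("WS07", "svchost.exe",  "teams_turn", "udp", 4_100, 1_000),     # wrong process, 300 s beacons
    ("WS07", "svchost.exe",  "teams_turn", "udp", 4_050, 1_300),
    ("WS07", "svchost.exe",  "teams_turn", "udp", 4_200, 1_600),
    ("WS07", "svchost.exe",  "teams_turn", "udp", 4_090, 1_900),
    ("WS07", "svchost.exe",  "teams_turn", "udp", 4_110, 2_200),
    ("WS12", "ms-teams.exe", "teams_turn", "udp", 1_200_000, 3_000), # right process, huge upload
    ("WS12", "ms-teams.exe", "other",      "tcp", 2_000, 3_100),     # non-relay traffic is ignored
]

def analyze(flows):
    """Return {(host, process): [reasons]} for relay traffic that breaks the baseline."""
    groups = defaultdict(list)
    for host, proc, dst, _proto, nbytes, ts in flows:
        if dst == "teams_turn":
            groups[(host, proc.lower())].append((ts, nbytes))
    totals = {key: sum(b for _, b in sess) for key, sess in groups.items()}
    fleet_median = median(totals.values()) if totals else 0
    findings = {}
    for key, sessions in groups.items():
        reasons = []
        if key[1] not in EXPECTED_TEAMS_PROCESSES:
            reasons.append("relay traffic from non-Teams process")
        starts = sorted(ts for ts, _ in sessions)
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        if len(starts) >= MIN_FLOWS_FOR_TIMING and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) < MAX_BEACON_CV:
            reasons.append(f"beacon-like timing (cv={pstdev(gaps) / mean(gaps):.2f})")
        if fleet_median and totals[key] > VOLUME_FACTOR * fleet_median:
            reasons.append(f"outbound volume {totals[key] / fleet_median:.1f}x fleet median")
        if reasons:
            findings[key] = reasons
    return findings

if __name__ == "__main__":
    for (host, proc), reasons in analyze(FLOWS).items():
        print(f"{host} {proc}: {'; '.join(reasons)}")
```

Feed it the same tuple shape from your NetFlow/EDR export and raise the thresholds once you have a real baseline; the volume check is relative to the fleet, so it needs more than a handful of hosts to be meaningful.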


If you have any questions about this Cybersecurity Threat Advisory, don’t hesitate to get in touch with Barracuda Managed XDR’s Security Operations Center.



Posted by Mona Gujral

Mona is a Cybersecurity Analyst at Barracuda. She's a security expert, working on our Blue Team within our Security Operations Center. Mona supports our XDR service delivery and is highly skilled at analyzing security events to detect cyber threats, helping keep our partners and their customers protected.
