Microsoft Teams Relay Servers Abused in DragonForce Ransomware Attack

DragonForce attackers deployed a Go-based backdoor using Microsoft Teams relay servers for command-and-control in a sophisticated ransomware campaign.

18 June 2026 · 5 min read

DragonForce Ransomware Exploits Microsoft Teams Infrastructure for Covert Attacks

Cybersecurity researchers have uncovered a sophisticated new campaign by the DragonForce ransomware group that weaponizes a trusted piece of enterprise software most organizations use every single day. In this alarming development, threat actors deployed a novel Go-based backdoor that leverages Microsoft Teams relay servers as command-and-control (C2) infrastructure, allowing attackers to blend malicious traffic into legitimate business communications and evade conventional detection tools.

The attack underscores a growing trend in which ransomware operators move away from obvious, flagged infrastructure and instead hide their operations within platforms that security teams tend to implicitly trust. For security professionals and IT administrators alike, this campaign represents a critical turning point in how enterprise collaboration tools must be evaluated from a threat perspective.

What Is DragonForce and Why Should You Care?

DragonForce is a ransomware-as-a-service (RaaS) group that has been active across multiple industries, targeting organizations in sectors ranging from manufacturing and retail to critical infrastructure. The group is known for operating a double-extortion model, meaning they both encrypt victim data and threaten to publish it on a dedicated leak site if ransom demands go unmet.

What makes DragonForce particularly dangerous is not just the destructive payload it delivers, but its willingness to innovate and adapt its tactics, techniques, and procedures (TTPs) to stay ahead of defenders. The use of Microsoft Teams relay servers for C2 communication is a prime example of this adaptability, revealing a threat actor that is both technically capable and strategically patient.

How the Attack Works: The Go-Based Backdoor Explained

At the heart of this campaign is a newly identified backdoor written in the Go programming language. Go, also known as Golang, has become increasingly popular among cybercriminals because of its ability to compile cross-platform binaries, its relatively small footprint, and the fact that many security tools have historically had less mature detection coverage for Go-based malware compared to those written in C++ or .NET.

Once deployed on a compromised system, this backdoor communicates with attacker-controlled infrastructure by routing traffic through Microsoft Teams relay servers. Microsoft Teams, like many enterprise communication platforms, uses relay servers to facilitate audio, video, and data transmission between clients, particularly when direct peer-to-peer connections are not possible due to network address translation (NAT) or firewall configurations.

By piggybacking on these relay servers, the malware's C2 traffic is made to look like ordinary Teams network activity. This is significant because:

  • Most enterprise firewalls and security proxies whitelist Microsoft Teams traffic by default, meaning the malicious communications may pass through unimpeded.
  • Security information and event management (SIEM) systems may not flag Teams relay traffic as suspicious, creating a substantial blind spot for defenders.
  • The use of a legitimate platform provides a layer of plausible deniability and obfuscation that makes forensic investigation significantly more difficult.

Why Abusing Trusted Platforms Is the New Normal for Threat Actors

The DragonForce campaign is not an isolated case. The abuse of legitimate services for malicious purposes, often referred to as "living-off-trusted-sites" or LOTS attacks, has been on the rise for several years. Threat actors have previously abused platforms such as Slack, Discord, Telegram, Google Drive, OneDrive, and GitHub to host payloads, exfiltrate data, or maintain C2 channels.

The underlying logic is straightforward from an attacker's perspective: why build and maintain infrastructure that can be quickly identified and blocked when you can blend in with the trusted, high-volume traffic of platforms used by millions of businesses worldwide? Microsoft Teams, with its deep enterprise penetration and the implicit trust organizations place in it, makes for an especially attractive vehicle.

This shift demands a re-evaluation of security policies that extend blanket trust to any service simply because it carries a well-known brand name. Legitimate platforms can and will be weaponized, and security teams must build detection capabilities that account for this reality.

Indicators of Compromise and Detection Guidance

While full technical indicators of compromise (IOCs) associated with this specific campaign should be sourced from threat intelligence platforms and updated vendor advisories, organizations can take several proactive steps to improve their detection posture against this type of attack.

  • Monitor for anomalous Teams traffic patterns: Unusual spikes in Teams relay traffic, particularly from endpoints that do not normally participate in video or voice calls, can be an early warning sign.
  • Deploy endpoint detection and response (EDR) solutions: Modern EDR tools with behavioral analysis capabilities can detect unusual process behavior associated with Go-based binaries even when network-layer defenses are bypassed.
  • Audit privileged access and lateral movement: Ransomware groups typically require elevated privileges to deploy backdoors broadly. Monitoring for unusual privilege escalation or lateral movement activity is essential.
  • Implement network segmentation: Limiting the blast radius of a compromise through rigorous segmentation reduces the ability of attackers to move freely once inside the network.
  • Review Teams API and integration permissions: Ensure that third-party apps and integrations connected to your Teams environment have only the permissions they genuinely require.
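As an added illustration of the first two bullets (example code written for this page, not from the original article or any vendor), a small Python baseline check over a constructed flow log: it flags endpoints that start sending Teams relay traffic with no prior call history, endpoints whose relay flow count jumps against their own baseline, and relay flows coming from a process other than the Teams client. The relay prefixes, UDP ports and client process names are assumptions to verify against Microsoft's published Teams endpoint list and your own environment.

```python
import ipaddress
from collections import defaultdict

# Teams media relays: UDP 3478-3481 to the prefixes Microsoft publishes for Teams media (assumption: verify the list is current).
RELAY_NETS = [ipaddress.ip_network(n) for n in ("13.107.64.0/18", "52.112.0.0/14", "52.122.0.0/15")]
RELAY_PORTS = range(3478, 3482)
EXPECTED_PROCESSES = {"ms-teams.exe", "teams.exe"}  # assumption: Teams client process names in this environment

# Constructed sample flow log (day,host,process,dst_ip,dst_port,proto), not real telemetry.
SAMPLE_LOG = """\
1,ws-01,ms-teams.exe,52.112.10.5,3478,udp
2,ws-01,ms-teams.exe,52.112.10.5,3478,udp
4,ws-01,ms-teams.exe,52.112.10.6,3480,udp
1,srv-db-02,sqlservr.exe,10.0.0.5,1433,tcp
4,srv-db-02,updater.exe,52.122.4.9,3478,udp
4,srv-db-02,updater.exe,52.122.4.9,3481,udp
1,ws-07,ms-teams.exe,13.107.65.1,3478,udp
2,ws-07,ms-teams.exe,13.107.65.1,3478,udp
3,ws-07,ms-teams.exe,13.107.65.1,3478,udp
4,ws-07,ms-teams.exe,13.107.65.2,3478,udp
4,ws-07,ms-teams.exe,13.107.65.2,3479,udp
4,ws-07,ms-teams.exe,13.107.65.2,3480,udp
"""

def is_teams_relay(dst_ip, dst_port, proto):
    ip = ipaddress.ip_address(dst_ip)
    return proto == "udp" and dst_port in RELAY_PORTS and any(ip in n for n in RELAY_NETS)

def find_anomalies(log_text, spike_factor=2):
    """Return sorted (host, reason) pairs for the most recent day in the log."""
    relay_per_day = defaultdict(lambda: defaultdict(int))  # host -> day -> relay flow count
    findings, days = set(), set()
    for line in log_text.strip().splitlines():
        day, host, proc, dst_ip, dst_port, proto = line.split(",")
        days.add(int(day))
        if not is_teams_relay(dst_ip, int(dst_port), proto):
            continue
        relay_per_day[host][int(day)] += 1
        if proc.lower() not in EXPECTED_PROCESSES:  # relay traffic from something other than the Teams client
            findings.add((host, f"relay traffic from unexpected process {proc}"))
    current = max(days)
    for host, by_day in relay_per_day.items():
        today = by_day.get(current, 0)
        baseline = [by_day.get(d, 0) for d in days if d != current]
        avg = sum(baseline) / len(baseline) if baseline else 0.0
        if today and avg == 0:  # endpoint that never took part in calls before
            findings.add((host, "relay traffic with no prior call history"))
        elif today > spike_factor * avg:  # spike against the endpoint's own baseline
            findings.add((host, f"relay flows {today} vs baseline {avg:.1f}/day"))
    return sorted(findings)
```

A few days of baseline is used here for brevity; in production a longer window reduces false positives from users who have simply started using Teams calling.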

What Organizations Must Do Right Now

The DragonForce ransomware campaign serves as a stark reminder that no tool, no matter how trusted or widely adopted, is inherently safe from abuse. Security teams must operate under the assumption that any platform capable of transmitting data can be exploited as a covert channel by a determined adversary.

Organizations should work closely with their security vendors to ensure that detection rules and threat intelligence feeds are updated to reflect this emerging attack pattern. Patch management programs must remain rigorous, and employee awareness training should be updated to reflect phishing and social engineering vectors that may be used to gain the initial foothold that precedes backdoor deployment.

Ultimately, the lesson from this campaign is one of constant vigilance. Ransomware groups like DragonForce are not standing still, and defenders cannot afford to either. Investing in layered security, zero-trust architecture, and continuous monitoring is no longer optional — it is the baseline requirement for surviving the modern threat landscape.

Final Thoughts

The discovery that DragonForce has been abusing Microsoft Teams relay servers to power a Go-based backdoor marks a significant evolution in ransomware tradecraft. By exploiting the implicit trust organizations place in a mainstream enterprise communication platform, attackers have found a new way to operate in plain sight. Staying ahead of this threat requires not just updated tools, but a fundamentally more skeptical approach to how trusted platforms are monitored and governed within the enterprise environment.

Tags: DragonForce ransomware, Microsoft Teams relay servers, Go-based backdoor, ransomware attack, C2 infrastructure