DragonForce Hid Their Wolf Calls Inside Your Teams Meetings (Yes, Really)

Oh good. Another Tuesday.

So apparently the DragonForce crew, which is a ransomware gang and not, tragically, a cool 80s band, decided that hiding their command-and-control traffic inside Microsoft Teams relay infrastructure was a great idea. And you know what? It worked. Because of course it did.

They deployed something called Backdoor.Turn, which is a parasite so sneaky it basically wore a visitor badge and helped itself to the coffee machine. It tunneled malicious traffic through Teams relays, meaning your electric fence looked at it, saw "Microsoft," and waved it right through like a golden ticket.

Let that sink in. The wolves dressed up as the collaboration tool your Shepherds mandated everyone use after 2020, and nobody blinked.

The flock never had a chance. Not because the attack was some unknowable hole in the fence, though the technique is genuinely clever and I hate that I have to respect it. But because when your C2 traffic looks identical to a passive-aggressive status update from Karen in Accounting, your detection tools just shrug and go back to grazing.

This is what we in the industry call a "living off trusted infrastructure" attack. I call it a Monday. Or a Tuesday. I genuinely cannot tell anymore.

The really fun part is that Teams relay infrastructure is designed to be trusted by default across most enterprise environments. So the fleas hitched a ride on the one animal nobody ever checks because it has a Microsoft logo on its collar.

I have a headache. I've had this headache since 2019.


Remediation

Look, I'm tired, but here's what you actually need to do:

Inspect your Teams traffic. "It's Microsoft" is not a security posture. Treat that relay traffic like you'd treat a lamb wandering in from outside the fence at 2am. Suspicious until proven otherwise.

Segment your network. If a parasite does get in through your trusted relay, it should not be able to reach your crown jewels from the breakroom. Lateral movement is how this gets catastrophic.

Deploy behavioral detection. Signature-based tools will miss this. You need something watching for traffic patterns that feel wrong, even when the source looks legitimate.

Audit your endpoint telemetry. Backdoor.Turn had to land somewhere first. Check your endpoints for anything that shouldn't be making outbound connections through Teams-adjacent processes.
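Added example, not code from the original post or from the report it links: a small Python triage pass over constructed endpoint connection telemetry that does the two checks above in one place. It flags any process other than the Teams client reaching a destination tagged as a Teams relay (the allowlist of ms-teams.exe and teams.exe, the "teams-relay" tag, and the host and process names in the sample are all assumptions), and it flags relay connections that recur at near-constant intervals, which is how beaconing C2 behaves and how a human on a call does not.

```python
"""Triage constructed endpoint telemetry for suspicious use of Teams relay destinations."""
from collections import defaultdict
from dataclasses import dataclass

# Assumed allowlist: processes that legitimately talk to Teams relay infrastructure.
EXPECTED_TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}


@dataclass(frozen=True)
class NetEvent:
    ts: int        # epoch seconds of the outbound connection
    host: str      # endpoint hostname (constructed)
    process: str   # image name of the connecting process (constructed)
    dest_tag: str  # destination class from proxy/EDR, e.g. "teams-relay" (assumed tag)


# Constructed sample telemetry, not real data: ws-01 is a person using Teams,
# ws-02 has an unexpected binary phoning a relay destination every ~60 seconds.
SAMPLE_EVENTS = [
    NetEvent(1000, "ws-01", "ms-teams.exe", "teams-relay"),
    NetEvent(1003, "ws-01", "ms-teams.exe", "teams-relay"),
    NetEvent(1190, "ws-01", "ms-teams.exe", "teams-relay"),
    NetEvent(1500, "ws-01", "chrome.exe", "web"),
    NetEvent(2000, "ws-02", "updater.exe", "teams-relay"),
    NetEvent(2061, "ws-02", "updater.exe", "teams-relay"),
    NetEvent(2119, "ws-02", "updater.exe", "teams-relay"),
    NetEvent(2180, "ws-02", "updater.exe", "teams-relay"),
    NetEvent(2240, "ws-02", "updater.exe", "teams-relay"),
]


def relay_events(events, relay_tag="teams-relay"):
    """Group timestamps of relay-bound connections by (host, process)."""
    by_key = defaultdict(list)
    for e in events:
        if e.dest_tag == relay_tag:
            by_key[(e.host, e.process)].append(e.ts)
    return by_key


def unexpected_relay_users(events):
    """Return {(host, process): connection count} for non-Teams processes using relays."""
    return {key: len(stamps) for key, stamps in relay_events(events).items()
            if key[1].lower() not in EXPECTED_TEAMS_PROCESSES}


def regular_beacons(events, min_events=4, max_jitter=5):
    """Return {(host, process): mean interval} where relay connections are evenly spaced."""
    hits = {}
    for key, stamps in relay_events(events).items():
        if len(stamps) < min_events:
            continue
        stamps = sorted(stamps)
        deltas = [b - a for a, b in zip(stamps, stamps[1:])]
        if max(deltas) - min(deltas) <= max_jitter:   # tight spacing = machine, not human
            hits[key] = round(sum(deltas) / len(deltas))
    return hits
```

Both checks assume your proxy or EDR can classify the destination as a Teams relay; without that tag the script has nothing to key on, which is the whole point of the "inspect your Teams traffic" item above.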

For the love of all things woolly, patch your stuff. Shear regularly. Dip the flock. Apply the ointment. You know the drill.

The wolves are wearing Microsoft fleece now. Adjust accordingly.

Gonna go stare at a ceiling tile until my shift ends or the alerts stop, whichever comes last.


Original Report: https://www.bleepingcomputer.com/news/security/ransomware-gang-abuses-microsoft-teams-relays-to-hide-malicious-traffic/