DragonForce Ransomware Evaded Detection for Two Months by Routing C2 Traffic Through Microsoft Teams
Operators behind the DragonForce ransomware remained undetected inside a major U.S. services firm for two months by routing their command-and-control (C2) traffic through Microsoft's own Teams relay servers, according to a report by Security Affairs. The incident underscores a deeply concerning tactic: abusing trusted enterprise collaboration platforms to mask malicious activity in plain sight.
Living Off Trusted Services
The technique — sometimes called "Living off Trusted Services" (LoTS) — marks a significant evolution in ransomware tradecraft. Rather than communicating with attacker-controlled infrastructure that network monitoring tools might flag, DragonForce embedded its C2 channels within Microsoft Teams traffic. Because Teams is a sanctioned, encrypted, and high-volume enterprise tool, the malicious communications blended seamlessly into normal network activity. Traditional allow-listing and perimeter defenses, which typically trust traffic flowing to and from Microsoft 365 endpoints, failed to raise any alarms.
According to the report, the attackers deployed a custom backdoor identified as Backdoor.Turn that leveraged Teams relay servers as an intermediary. The backdoor is also believed to have employed a Bring Your Own Vulnerable Driver (BYOVD) technique to gain deeper system access at the endpoint level. The result was stark: defenders saw what appeared to be legitimate Microsoft cloud traffic for weeks while the ransomware group quietly maintained persistence and prepared for its eventual payload delivery.
Why Traditional Defenses Fell Short
The incident exposes a critical blind spot in many organizations' security postures. The conventional model of blocking known-bad domains and IPs, combined with allow-listing trusted services, is no longer sufficient when adversaries deliberately piggyback on those very services. Microsoft Teams, used by hundreds of millions of workers worldwide, generates enormous volumes of encrypted traffic that few organizations inspect in depth.
For enterprises that rely heavily on Microsoft 365 — a category that spans businesses of every size across the Asia-Pacific region — the implications are clear: trusting the platform does not mean trusting everything that passes through it. Security teams lacking visibility into behavioral patterns within their collaboration tool traffic are effectively operating blindfolded.
Practical Steps for Enterprise IT Teams
The DragonForce incident serves as a concrete prompt to revisit how collaboration tools are monitored and governed. Security teams should consider the following actions:
- Implement behavioral analytics on collaboration platform traffic. Volume anomalies, unusual connection patterns, and atypical session durations within Teams or similar tools should trigger investigation — even when the destination IP belongs to Microsoft.
- Enforce zero-trust verification for all connections. No traffic, regardless of its origin or apparent legitimacy, should be implicitly trusted. Every session should be authenticated and validated.
- Deploy and tune endpoint detection and response (EDR). The use of Backdoor.Turn and BYOVD techniques suggests the initial compromise involved endpoint-level exploitation. Robust EDR with custom detection rules for suspicious driver loading and process chains can catch what network monitoring misses.
- Review Microsoft Teams relay and external access policies. Restrict external tenant communication where unnecessary and monitor for unusual use of Teams relay functionality.
- Conduct threat-hunting exercises focused on trusted-service abuse. Proactively search for indicators of C2 activity hiding inside sanctioned cloud platforms, not just on external-facing attack surfaces.
- Review segmentation between collaboration tools and critical infrastructure. Even if an attacker compromises a Teams-based channel, proper network segmentation can limit lateral movement.
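One way to operationalize the first recommendation, as an added example that is not from the report or from any vendor: a small Python routine that scores relay-style collaboration traffic per host for the behaviours the text names (session duration, volume pattern, connection cadence). The flow-record layout, the relay port 3478 and every threshold are assumptions, and the sample records are constructed.

```python
"""Score relay-style collaboration flows for C2-like behaviour (added example)."""
from collections import defaultdict
from statistics import median, pstdev

# Constructed flow records: (host, dst_port, start_ts, end_ts, bytes_out, bytes_in).
# Normal calls last tens of minutes with roughly symmetric volume. Host ws-17
# shows hours-long, evenly spaced, download-heavy sessions: a beaconing shape.
FLOWS = [
    ("ws-01", 3478, 0,     1800,  40_000_000, 38_000_000),
    ("ws-02", 3478, 600,   3000,  55_000_000, 52_000_000),
    ("ws-03", 3478, 5000,  7400,  30_000_000, 33_000_000),
    ("ws-17", 3478, 0,     14400, 900_000,    4_800_000),
    ("ws-17", 3478, 14700, 29100, 850_000,    5_100_000),
    ("ws-17", 3478, 29400, 43800, 910_000,    4_950_000),
    ("ws-17", 3478, 44100, 58500, 880_000,    5_000_000),
]

RELAY_PORT = 3478          # assumed: relay (TURN-style) media port to inspect
MAX_DURATION_S = 3 * 3600  # assumed: longer than any plausible meeting
MIN_ASYMMETRY = 4.0        # assumed: inbound/outbound ratio typical of tasking
MAX_JITTER_FRAC = 0.05     # assumed: near-constant gap between sessions


def score_relay_flows(flows):
    """Return {host: [reasons]} for hosts matching at least two heuristics."""
    by_host = defaultdict(list)
    for host, port, start, end, out_b, in_b in flows:
        if port == RELAY_PORT:
            by_host[host].append((start, end, out_b, in_b))
    findings = {}
    for host, sessions in by_host.items():
        reasons = []
        # Session duration far beyond a real call.
        if max(end - start for start, end, _, _ in sessions) > MAX_DURATION_S:
            reasons.append("long_session")
        # Every session pulls far more than it sends (commands in, little media out).
        if all(in_b / max(out_b, 1) >= MIN_ASYMMETRY for _, _, out_b, in_b in sessions):
            reasons.append("asymmetric_volume")
        # Sessions start on a near-fixed schedule (low jitter in start gaps).
        starts = sorted(start for start, _, _, _ in sessions)
        gaps = [b - a for a, b in zip(starts, starts[1:])]
        if len(gaps) >= 2 and pstdev(gaps) <= MAX_JITTER_FRAC * median(gaps):
            reasons.append("regular_cadence")
        if len(reasons) >= 2:  # single oddities are noise; combinations get a ticket
            findings[host] = reasons
    return findings


if __name__ == "__main__":
    print(score_relay_flows(FLOWS))
```

The destination being a Microsoft address is deliberately not a factor in the scoring; the point of the heuristics is that the verdict rests on how the session behaves, not on who owns the IP.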
A Broader Warning
The DragonForce case is unlikely to be an isolated incident. As endpoint and perimeter defenses improve, sophisticated threat actors are increasingly turning to the tools organizations trust most. Collaboration platforms, cloud storage services, and other sanctioned enterprise applications offer attackers a convenient hiding place — encrypted, high-volume, and routinely excluded from deep inspection.
For IT security professionals, the lesson is clear: the perimeter has not merely shifted to the cloud — it has dissolved into the very applications employees use every day. Defending against this class of threat requires a fundamental rethink of what "trusted" means in a modern security architecture.