Security researchers have uncovered a novel tactic by the DragonForce ransomware group: tunneling command-and-control communications through Microsoft Teams relay infrastructure using a custom-built remote access trojan, effectively hiding malicious traffic inside one of the world's most widely used enterprise collaboration platforms.

The discovery, detailed by Symantec and Carbon Black — both owned by Broadcom — reveals that the attackers deployed a Go-based backdoor dubbed "Backdoor.Turn" against a major U.S. services firm. By routing C2 traffic through Microsoft's own Teams relay endpoints, the group exploits the trust organizations place in Microsoft 365 services, making malicious communications blend seamlessly with legitimate network activity.

How the Attack Works

The technique is a notable departure from conventional C2 infrastructure. Rather than relying on attacker-controlled servers that defenders can block with IP reputation feeds or domain blocklists, DragonForce operators piggyback on Microsoft's own cloud infrastructure. Traffic to and from Teams relay endpoints is implicitly trusted by most enterprise security stacks, so detection keyed on destination reputation is far less effective. The relay does not, however, hide the endpoint side of the connection: the process that opens it, its path, its signer and its timing remain visible to endpoint telemetry.

The Backdoor.Turn malware itself is written in Go, a language increasingly favored by threat actors because it cross-compiles easily to Windows, Linux and macOS and produces large, statically linked binaries that slow down reverse engineering. Pairing a bespoke Go RAT with abuse of a trusted SaaS platform shows an operational maturity that blurs the line between conventional ransomware operations and more sophisticated threat-actor tradecraft.

A Broader Trend Toward SaaS Abuse

The DragonForce campaign fits into a wider pattern where ransomware-as-a-service (RaaS) operations are adopting stealth techniques historically associated with nation-state actors. By embedding malicious infrastructure inside legitimate cloud services, these groups achieve several advantages: they reduce their operational footprint, complicate attribution, and bypass security controls designed around perimeter-based thinking.

This evolution demands a matching shift in defensive strategy. Organizations that rely on traditional indicators of compromise, such as suspicious IP addresses or known-malicious domains, will struggle to detect this class of attack, because the destination is a legitimate Microsoft endpoint. Security teams instead need behavioral anomaly detection within trusted SaaS platforms: unusual patterns in Microsoft Teams API usage, atypical process-to-network correlations on endpoints (a process other than the Teams client opening relay connections, or doing so on a fixed cadence), and deviations from baseline communication profiles within Microsoft 365 environments all become critical signals.

Implications for Enterprise Security Teams

For organizations running Microsoft 365, the findings underscore the importance of gaining visibility into how SaaS platform APIs are being used within their environments. Security operations centers should evaluate whether their monitoring capabilities extend to Teams API log analysis and whether their endpoint detection and response tools are calibrated to flag suspicious Go binaries engaging in unusual network behavior.
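As an added example (not code from the article, and not tooling from Symantec, Carbon Black or Microsoft), the following Python script shows the process-to-network correlation and beacon-timing checks described above, plus a simple "does this file look like a Go binary" triage helper, run over constructed telemetry. The relay hostname suffix, the process allowlist and every event are assumptions: the article names no endpoints, so substitute what your own proxy and EDR logs show.

```python
"""Behavioural checks over endpoint process-to-network telemetry (added example).

Two signals are combined for connections to the collaboration relay:
  1. the originating process is not one expected to use the relay;
  2. the connection timing is beacon-like (near-constant interval).
A third helper checks whether a file carries Go build metadata.
All hostnames, process names and events below are constructed."""
from collections import defaultdict
from datetime import datetime
from pathlib import PureWindowsPath
from statistics import mean, pstdev

# Assumption: placeholder suffix for the relay endpoints. Replace it with the
# relay hostnames observed in your own proxy/EDR telemetry; the article gives none.
RELAY_SUFFIX = ".relay.teams.example"

# Assumption: processes a workstation baseline shows talking to the relay.
# Key on signer or file hash in production; a name allowlist is trivially spoofed.
EXPECTED_IMAGES = {"ms-teams.exe", "teams.exe", "msedge.exe", "chrome.exe"}

# Go binaries since Go 1.13 embed this build-info header; most also carry a
# "Go build ID:" note. A hit means "look closer", not "malicious".
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"
GO_BUILD_ID_NOTE = b"Go build ID:"

TEAMS = r"C:\Program Files\WindowsApps\MSTeams\ms-teams.exe"
FAKE_SVC = r"C:\Users\Public\Music\svchost.exe"  # svchost.exe outside System32
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"

# Constructed sample events: (timestamp, host, pid, image path, destination host).
SAMPLE_EVENTS = [
    ("2024-06-01T09:00:00", "ws01", 4120, TEAMS, "a1.relay.teams.example"),
    ("2024-06-01T09:07:13", "ws01", 4120, TEAMS, "a1.relay.teams.example"),
    ("2024-06-01T09:31:40", "ws01", 4120, TEAMS, "a2.relay.teams.example"),
    ("2024-06-01T09:00:05", "ws01", 7788, FAKE_SVC, "b7.relay.teams.example"),
    ("2024-06-01T09:01:05", "ws01", 7788, FAKE_SVC, "b7.relay.teams.example"),
    ("2024-06-01T09:02:04", "ws01", 7788, FAKE_SVC, "b7.relay.teams.example"),
    ("2024-06-01T09:03:06", "ws01", 7788, FAKE_SVC, "b7.relay.teams.example"),
    ("2024-06-01T09:04:05", "ws01", 7788, FAKE_SVC, "b7.relay.teams.example"),
    ("2024-06-01T09:05:05", "ws01", 7788, FAKE_SVC, "b7.relay.teams.example"),
    ("2024-06-01T09:02:30", "ws02", 5120, CHROME, "cdn.example.net"),
]


def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def is_relay_dest(host):
    return host.lower().endswith(RELAY_SUFFIX)


def image_name(path):
    return PureWindowsPath(path).name.lower()


def looks_like_go_binary(data):
    """True if the bytes contain Go build metadata (triage hint for EDR hits)."""
    return GO_BUILDINFO_MAGIC in data or GO_BUILD_ID_NOTE in data


def analyze(events, min_conns=5, max_cv=0.10):
    """Return one finding per (host, pid, image, relay destination) that is
    either from an unexpected process or shows beacon-like regularity."""
    groups = defaultdict(list)
    for ts, host, pid, image, dest in events:
        if is_relay_dest(dest):
            groups[(host, pid, image, dest)].append(parse_ts(ts))

    findings = []
    for (host, pid, image, dest), stamps in groups.items():
        reasons = []
        if image_name(image) not in EXPECTED_IMAGES:
            reasons.append("unexpected_process")
        stamps.sort()
        mean_gap = None
        if len(stamps) >= min_conns:
            gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
            mean_gap = mean(gaps)
            # Coefficient of variation: a human-driven client is bursty, a
            # beacon with little jitter is not.
            if mean_gap > 0 and pstdev(gaps) / mean_gap <= max_cv:
                reasons.append("periodic")
        if reasons:
            findings.append({"host": host, "pid": pid, "image": image, "dest": dest,
                             "count": len(stamps), "mean_interval_s": mean_gap,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f)
```

On the constructed data only the renamed svchost.exe in a user-writable directory is reported, with both reasons; the real Teams client talks to the relay a few times at irregular intervals and is not flagged. The thresholds (five connections, 10% jitter) are starting points to tune against your own baseline, and the name allowlist should be replaced by a signer or hash check, since an implant can be named ms-teams.exe just as easily as svchost.exe.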

The incident also raises questions about the current state of detection readiness. Many security operations teams may lack the telemetry depth needed to identify this specific abuse pattern, particularly when C2 traffic is deliberately designed to mimic legitimate Microsoft service communications.

As ransomware groups continue to invest in custom tooling and infrastructure evasion, the gap between attacker capability and defender visibility appears to be widening. The DragonForce campaign serves as a reminder that trusted platforms can become attack surfaces, and that security strategies built solely around blocking known-bad indicators are increasingly insufficient against adversaries willing to operate from within the tools organizations use every day.

Original News Source