Cyber-crime

Crooks found a new way to collaborate using Teams – by hiding command-and-control traffic

Custom malware routed communications through legitimate Microsoft services, making malicious activity look like routine corporate collaboration

Carly Page

Published Tue 16 Jun 2026 // 15:41 UTC

Cybercrims deploying DragonForce ransomware appear to have gained access to a major US services company's network, then spent two months up to no good while disguising their command-and-control activities as legitimate Microsoft Teams traffic.

Researchers at security firm Symantec said the intrusion began with attackers gaining access to the victim's environment before deploying a custom Go-based backdoor, tracked as "Backdoor.Turn," to maintain communication with the compromised systems. Rather than reaching out to attacker-controlled infrastructure that might raise alarms, the backdoor hid its activity inside traffic associated with Microsoft's widely used collaboration platform.

To anyone monitoring network traffic, the compromised systems appeared to communicate only with legitimate Microsoft servers.

"The attackers in this campaign use exceptionally sophisticated cyber tradecraft," Symantec said. "The configuration of Backdoor.Turn means that security products only see C&C traffic going to legitimate Teams servers, leaving defenders unaware that data is being siphoned away by malicious actors."

Symantec said the attackers installed Backdoor.Turn on systems after deploying DragonForce ransomware, potentially giving them a way back into compromised networks or access they could later sell to other criminals.

To connect to Microsoft's infrastructure, the backdoor first requested an anonymous visitor token from Microsoft Teams and Skype back-end services. It then used a Microsoft-operated TURN relay server – infrastructure typically used to help establish communication between users – before establishing a direct QUIC connection to a malicious command-and-control server.
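The sequence above (visitor-token request, TURN relay allocation, then a sustained UDP session) is what a defender would want to correlate per host and per process. The following Python script is an added example, not code from Symantec's report or from The Register; it runs a simple chained-behaviour check over constructed EDR-style network events. The endpoint names (`teams-auth.example`, `relay.teams.example`), the process names, the allow-list of Teams client binaries and the byte threshold are all assumptions for the demo; only the TURN port (3478, per RFC 5766) is a real default.

```python
"""
Added example (not from the Symantec report or the article): correlate
three stages per (host, process) over constructed EDR network events:
  1. HTTPS request to the collaboration service's auth endpoint
  2. UDP traffic to a TURN relay on port 3478
  3. a large volume of bytes sent via that relay
and flag the chain when the originating process is not an allow-listed
Teams client. Hostnames, process names and log lines are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed telemetry: "ts host process dst_host dst_port proto bytes_out"
SAMPLE_EVENTS = """\
1718550000 WS-0412 ms-teams.exe teams-auth.example 443 tcp 2100
1718550002 WS-0412 ms-teams.exe relay.teams.example 3478 udp 900
1718550003 WS-0412 ms-teams.exe relay.teams.example 3478 udp 48000
1718550100 WS-0977 svc_update.exe teams-auth.example 443 tcp 1800
1718550101 WS-0977 svc_update.exe relay.teams.example 3478 udp 800
1718550102 WS-0977 svc_update.exe relay.teams.example 3478 udp 2400000
1718550200 WS-0311 outlook.exe mail.example 443 tcp 5000
"""

KNOWN_TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}  # assumed allow-list
TURN_PORT = 3478                                       # RFC 5766 default
AUTH_HOST_HINT = "teams-auth"                          # constructed hint
RELAY_HOST_HINT = "relay.teams"                        # constructed hint
EXFIL_BYTES = 1_000_000                                # assumed threshold


@dataclass
class Event:
    ts: int
    host: str
    process: str
    dst: str
    port: int
    proto: str
    bytes_out: int


def parse_events(text):
    """Parse the whitespace-separated constructed log format into Events."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, proc, dst, port, proto, b = line.split()
        events.append(Event(int(ts), host, proc, dst, int(port), proto, int(b)))
    return events


def detect(events):
    """Return {(host, process): [reasons]} for processes showing the chain."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e.host, e.process)].append(e)

    findings = {}
    for (host, proc), evs in by_key.items():
        if proc.lower() in KNOWN_TEAMS_PROCESSES:
            continue  # assumed benign client; tune with a real allow-list
        saw_token = any(AUTH_HOST_HINT in e.dst and e.port == 443 for e in evs)
        saw_turn = any(RELAY_HOST_HINT in e.dst and e.port == TURN_PORT
                       and e.proto == "udp" for e in evs)
        relay_bytes = sum(e.bytes_out for e in evs if RELAY_HOST_HINT in e.dst)

        reasons = []
        if saw_token and saw_turn:
            reasons.append("non-Teams process obtained visitor token then used TURN relay")
        if saw_turn and relay_bytes >= EXFIL_BYTES:
            reasons.append(f"{relay_bytes} bytes sent to relay by non-Teams process")
        if reasons:
            findings[(host, proc)] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in detect(parse_events(SAMPLE_EVENTS)).items():
        print(key, reasons)
```

The point of keying on process rather than destination is exactly the one Symantec makes: destination-based controls see only legitimate Microsoft relay servers, so the signal has to come from which binary on the endpoint is talking to them and how much it sends.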


Symantec said this is the first known case of malware using this particular technique.

The security firm did not identify the victim beyond describing it as a major US services company, nor did it say whether the Teams-based communications channel had been observed in other DragonForce incidents.

The ransomware operation has become increasingly prominent over the past year, operating a ransomware-as-a-service model that allows affiliates to conduct attacks under the DragonForce banner. It has been linked to the prolific Scattered Spider group, which has conducted a string of high-profile attacks, including intrusions targeting major retailers in the UK.

While attackers have long abused legitimate cloud services to conceal malicious traffic, Symantec's findings suggest that DragonForce operators continue to look for ways to blend into the software and infrastructure that organizations trust most. ®
