Since its emergence in June 2023, DragonForce has matured from a standard Ransomware-as-a-Service (RaaS) developer into a highly organised cartel, with advanced tooling development and structural adjustments aimed at maximising illicit revenue. Rather than simply renting out ransomware builds, DragonForce allows trusted affiliates to establish and market their own unique extortion brands while leveraging DragonForce's underlying backend infrastructure, payment collection portals, and leak sites.
Modern web-conferencing software relies on a protocol collection called Web Real-Time Communication (WebRTC). In an ideal WebRTC scenario, two computers establish a direct, peer-to-peer (P2P) network connection to exchange data, bypassing intermediate servers to minimise latency.
In corporate environments, direct connections are rarely possible due to Network Address Translation (NAT) and strict firewalls. To solve this traversal problem, real-time communication systems use helper technologies:
- STUN (Session Traversal Utilities for NAT): This utility allows an internal computer to query an external server to discover its own public-facing IP address and port mapping.
- Symmetric NAT Obstacles: STUN fails when the network uses "Symmetric NAT". In these configurations, the firewall assigns a different external port mapping for every unique external IP destination. This means the address discovered via the STUN server cannot be used by a third-party peer to connect to the host.
- TURN (Traversal Using Relays around NAT): When direct P2P connection attempts fail, the system relies on TURN. A TURN server acts as a trusted proxy on the public internet. Both endpoints establish outbound connections to the TURN server, which relays the media stream between them.
Running a global relay network is highly resource-intensive. To prevent unauthorised usage, cloud communication providers protect access to their TURN servers: legitimate web clients must query a backend identity service to obtain temporary, authenticated TURN credentials. The primary security blind spot stems from industry-standard performance recommendations. To prevent voice and video lag, software vendors recommend that organisations exclude collaboration subdomains, such as *.teams.microsoft.com, from deep SSL decryption and TLS inspection. Any traffic that reaches the relay through those hostnames is therefore not inspected at the perimeter.
The Backdoor.Turn Communication Loop
The Backdoor.Turn payload represents the first observed real-world exploitation of this technique: by utilising the Microsoft Teams TURN relay infrastructure, the malware establishes a covert communications channel.
This communication process operates through a precise sequence of actions:
- Visitor Token Request: The malware contacts Microsoft’s Skype-backed identity services to request an anonymous Teams "visitor token". This token is normally used to allow external, unauthenticated guests to join corporate Teams meetings without logging in.
- Relay Authentication: Using this signed token, the backdoor authenticates with Microsoft’s official Teams server infrastructure.
- TURN Session Initialisation: The malware establishes an authenticated outbound connection to a legitimate Microsoft TURN relay server.
- QUIC Encapsulation: Over this established relay session, Backdoor.Turn initiates a direct, encrypted QUIC (Quick UDP Internet Connections) session. QUIC is a modern network transport protocol designed to run over UDP.
- Covert Routing: The Microsoft TURN server receives the UDP packets and relays them directly to the attacker’s command-and-control server.
Microsoft Teams Administrative Hardening
The primary method to block Backdoor.Turn is restricting how anonymous guest users can interact with your organisation's Microsoft Teams tenant. If the tenant is configured to block anonymous connections, the backdoor cannot obtain the visitor tokens required to initiate the communication loop.
Recommendations
- Enforce Driver Blocklists: Turn on Windows Defender Application Control (WDAC) policies. Microsoft actively maintains a recommended driver blocklist specifically designed to prevent BYOVD attacks by blocking known vulnerable third-party drivers.
- Enable Hypervisor-Protected Code Integrity (HVCI): Enforce HVCI (Core Isolation) across all endpoints. HVCI uses virtualisation to isolate the driver signature verification process, ensuring that even administrative processes cannot load unauthorised or modified drivers into memory.
- Audit Non-Standard Driver Loads: Configure Endpoint Detection and Response (EDR) systems to alert on the installation of drivers associated with gaming software, non-enterprise hardware utilities, or deprecated system utilities on server hosts.
- Audit Outbound TURN Traffic: Monitor outbound TURN connection attempts over UDP port 3478, TCP port 443, or specialised media ports. Outbound TURN traffic originating from non-standard processes should be flagged for immediate investigation.
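The last recommendation can be turned into a concrete check. The following is an added example, not code from the original article or from any vendor: it parses the STUN/TURN message header (RFC 5389 magic cookie, interleaved class and method bits) on the first payload of an outbound flow, and raises an alert when a TURN method such as Allocate is sent by a process outside an allow-list. The process allow-list, the FlowRecord shape and the sample flows are all constructed assumptions; a real deployment would feed it from EDR or network-sensor telemetry.

```python
import struct
from collections import namedtuple

STUN_MAGIC_COOKIE = 0x2112A442
# TURN methods from RFC 5766; Binding (0x001) is plain STUN, not TURN
TURN_METHODS = {0x003: "Allocate", 0x004: "Refresh", 0x006: "Send",
                0x007: "Data", 0x008: "CreatePermission", 0x009: "ChannelBind"}
STUN_CLASSES = {0: "request", 1: "indication", 2: "success", 3: "error"}
TURN_PORTS = {3478, 5349, 443}  # standard TURN/TURNS ports plus 443 as used by Teams
# Hypothetical allow-list of images expected to open TURN sessions (an assumption)
EXPECTED_TURN_PROCESSES = {"ms-teams.exe", "teams.exe"}

FlowRecord = namedtuple("FlowRecord", "process proto dst_port payload")

def parse_stun(payload):
    """Return (class_name, method_code) if payload starts with a valid STUN header, else None."""
    if len(payload) < 20:
        return None
    msg_type, msg_len, cookie = struct.unpack("!HHI", payload[:8])
    # Top two type bits are zero, the cookie is fixed and attributes are 4-byte aligned
    if msg_type & 0xC000 or cookie != STUN_MAGIC_COOKIE or msg_len % 4:
        return None
    # Method and class bits are interleaved across the 14-bit type field
    method = (msg_type & 0x000F) | ((msg_type & 0x00E0) >> 1) | ((msg_type & 0x3E00) >> 2)
    cls = ((msg_type & 0x0010) >> 4) | ((msg_type & 0x0100) >> 7)
    return STUN_CLASSES[cls], method

def audit_flow(rec):
    """Return an alert string when a process outside the allow-list opens a TURN session, else None."""
    if rec.dst_port not in TURN_PORTS:
        return None
    parsed = parse_stun(rec.payload)
    if parsed is None or parsed[1] not in TURN_METHODS:
        return None  # not TURN signalling (plain STUN Binding, or some other protocol)
    if rec.process.lower() in EXPECTED_TURN_PROCESSES:
        return None
    return f"{rec.process}: TURN {TURN_METHODS[parsed[1]]} {parsed[0]} to {rec.proto}/{rec.dst_port}"

def build_stun(msg_type, txid=b"\x00" * 12):
    """Build a minimal attribute-less STUN message (used only to construct sample input)."""
    return struct.pack("!HHI", msg_type, 0, STUN_MAGIC_COOKIE) + txid

# Constructed sample flows: the Teams client and an unrelated binary both sending Allocate
SAMPLE_FLOWS = [
    FlowRecord("ms-teams.exe", "udp", 3478, build_stun(0x0003)),
    FlowRecord("updater.exe", "udp", 3478, build_stun(0x0003)),
    FlowRecord("updater.exe", "tcp", 443, build_stun(0x0003)),
    FlowRecord("chrome.exe", "udp", 3478, build_stun(0x0001)),  # Binding request, not TURN
]
```

Running `audit_flow` over `SAMPLE_FLOWS` alerts only on the two `updater.exe` flows; the Teams client is allow-listed and the browser's plain STUN Binding request is not a TURN session.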