Attackers spent two months inside a major US company's network while their malware communicated through legitimate Microsoft infrastructure, making the traffic indistinguishable from normal Teams activity to network defenders.
What happened
DragonForce ransomware operators have deployed a custom backdoor called Backdoor.Turn that conceals its command-and-control communications inside Microsoft Teams relay infrastructure, making malicious traffic appear to network defenders as normal outbound connections to legitimate Microsoft servers. According to BleepingComputer, the backdoor was deployed against a major US services firm, and the attackers remained on the victim's network for between one and two months. Researchers identified this as the first known case of malware using this specific technique. Backdoor.Turn obtains an anonymous visitor token from Microsoft's Teams and Skype identity services, uses a legitimate Microsoft TURN relay server infrastructure designed to help devices communicate when a direct connection is unavailable to set up the connection, and then establishes a session to the attacker's actual command-and-control server. The backdoor was injected into a legitimate Windows debugging process after the DragonForce ransomware had already been deployed, suggesting it was intended to maintain persistent access to the compromised network for future operations or resale to other criminal actors.
Going deeper
The technique exploits a fundamental assumption that network security tools make, which is that traffic to known legitimate infrastructure is safe. TURN relay servers, which stand for Traversal Using Relays around NAT, were designed to allow devices behind firewalls or on private networks to communicate with external services by routing traffic through Microsoft-operated relay points. Backdoor.Turn abuses that exact mechanism, routing its command traffic through the same relay infrastructure that handles legitimate Teams calls and messages. Once established, the backdoor can execute commands, create processes, scan the network, capture TLS certificates, search Active Directory for user and system data, collect website information, and steal browser credentials, a full post-compromise capability set delivered through traffic that looks entirely legitimate. According to The Hacker News, the technique builds on a communication method called Ghost Calls, documented by security researchers in August 2024, which demonstrated the theoretical possibility of hiding malware traffic inside Teams relay infrastructure. DragonForce has now deployed it in a confirmed real-world attack.
What was said
Researchers stated in the Symantec and Carbon Black report that "to network defenders, the only traffic they could see was outbound connections to legitimate Microsoft Teams servers," and described the campaign as using "exceptionally sophisticated cyber tradecraft." Researchers told SC World that the case "represents a clear example of how ransomware tradecraft has continued to evolve," and that "by routing communications through legitimate Microsoft relay servers, everything looks like normal Teams activity from a network perspective," making it "extremely difficult to detect using traditional controls like IP, domain, or reputation-based filtering."
In the know
DragonForce operates as a ransomware-as-a-service cartel with a public-facing recruitment approach that has drawn affiliates from disrupted operations, including Scattered Spider. According to The Register, the same attack also involved a bring-your-own-vulnerable-driver technique to disable endpoint security tools before the ransomware was deployed, adding another layer of defense evasion on top of the Teams relay concealment.
The big picture
Microsoft Teams is used by approximately 320 million people worldwide and is deeply embedded in healthcare clinical and administrative workflows. A backdoor that communicates exclusively through Teams relay infrastructure cannot be blocked by IP reputation lists, domain blocklists, or firewall rules targeting known malicious addresses, because the traffic goes only to Microsoft's own servers. For healthcare IT teams that have implemented network monitoring specifically to flag outbound connections to unfamiliar destinations, Backdoor.Turn does not produce alerts that the destination is a legitimate Microsoft address. According to Paubox's 2026 Healthcare Email Security Report, 53 percent of breached healthcare organizations in 2025 used Microsoft 365, making the Teams ecosystem the most prevalent collaboration infrastructure in the sector. A technique that hides ransomware persistence traffic inside that same infrastructure represents a targeted use of the most trusted platform in healthcare IT environments.
FAQs
What is a TURN relay server, and why does abusing it defeat network monitoring?
TURN relay servers are Microsoft-operated infrastructure that routes communication traffic when a direct connection between two points is not possible, such as when a device is behind a corporate firewall. Security tools that monitor network traffic for connections to unknown or suspicious destinations will not flag traffic to Microsoft's own TURN servers. By using these servers as a relay, Backdoor.Turn makes its communications indistinguishable from a Teams video call or meeting.
Why was the backdoor installed after the ransomware rather than before?
Installing a persistent backdoor after ransomware deployment suggests the attackers wanted to maintain access even after the victim became aware of the ransomware attack and began remediation. Victims focused on recovering from encryption may not immediately identify a dormant backdoor communicating through legitimate Teams traffic, allowing the attackers to retain a foothold for future operations or sell that access to other criminal groups.
What capabilities does Backdoor.Turn give an attacker once installed?
The backdoor provides command execution, process creation, network scanning, Active Directory searching, TLS certificate capture, website title collection, and browser credential theft. Those capabilities allow the attacker to conduct ongoing reconnaissance, expand their access within the network, and harvest credentials for additional systems or future campaigns.
What detection approaches work against this technique if IP and domain blocking do not?
Behavioral analysis that monitors what processes are doing rather than where they connect is more effective than reputation-based filtering against this technique. Specifically, flagging unexpected processes establishing network connections, monitoring for unusual authentication token requests to Microsoft identity services from non-Teams processes, and using endpoint detection tools that inspect memory for injected code rather than relying on network traffic analysis all provide coverage that destination-based monitoring cannot.
Should healthcare organizations block Microsoft Teams to prevent this technique?
Blocking Teams entirely is not a practical control, given its operational role in healthcare communications. The more targeted approach is ensuring endpoint detection tools are configured to flag code injection into legitimate Windows processes, like debugging utilities, monitoring for unusual anonymous authentication requests to Microsoft identity services, and maintaining network traffic baseline analysis that identifies anomalous volumes of Teams relay traffic from endpoints that do not normally generate it.
