DragonForce's 2025 Teams Relay Abuse: Why Your Network Logs Are Lying to You
Social engineering attacks using Teams, such as fake IT support or malicious links, are common and rely on human error. But what the DragonForce ransomware gang did in December 2025 is a different class of problem. Their sophisticated Teams relay abuse made command-and-control (C2) traffic appear as legitimate Microsoft Teams traffic, bypassing network defenses.
Symantec's discovery of this operation against a major U.S. services company reveals an abuse of a core communication protocol that network defenders need to understand. This wasn't about a user clicking a bad link; it was Teams relay abuse designed to weaponize that protocol and blend in with legitimate traffic.
The Attack Chain: Blending In With Microsoft's Own Traffic
DragonForce, a group active since at least 2023 and linked to Scattered Spider, launched a multi-stage attack. Initial access in the December 2025 incident likely came from an unknown flaw in an SQL or MSSQL server. After gaining entry, they dropped a ZIP archive containing a legitimate executable (VirtualBox/DbgView) and a malicious DLL for sideloading.
Once inside, they established persistence by creating rogue users, bypassing Windows' LimitBlankPassword policy, and modifying firewall rules. This initial phase is common, but the subsequent C2 mechanism was not.
Central to this attack is their custom Go-based malware, Backdoor.Turn. This Remote Access Trojan (RAT) was injected into DbgView64.exe after the initial ransomware deployment, indicating a desire for a persistent backdoor even after the primary attack.
The C2 chain involved several steps:
- Backdoor.Turn obtains an anonymous Teams visitor token, a legitimate function of the Teams client.
- It then uses a legitimate Microsoft TURN (Traversal Using Relays around NAT) relay during connection setup. TURN is a protocol designed to help real-time communication, such as video calls, traverse firewalls and NATs.
- After establishing this connection through the Microsoft relay, Backdoor.Turn connects to the attacker's C2 server.
The practical impact: the C2 traffic, the primary channel for attacker control of their malware, appears to originate from and route through legitimate Microsoft Teams infrastructure. It looks like normal Teams activity. This is why traditional network monitoring, which often trusts traffic to known Microsoft endpoints, struggles to flag this specific Teams relay abuse.
Figure: DragonForce C2 traffic disguised as Teams relay activity.
This isn't a theoretical exploit. Praetorian demonstrated a similar concept, 'Ghost Calls,' in 2025, showing how temporary TURN credentials could create stealthy communication tunnels. Backdoor.Turn is the first known instance of malware actually doing this in the wild, abusing Microsoft Teams TURN relays for C2. This Teams relay abuse represents a critical evolution in attacker methodology, moving beyond social engineering to weaponize Teams' underlying protocols.
The Evasion Game: Drivers and Stealth
DragonForce didn't stop at C2 stealth and Teams relay abuse. Their operation also included multiple evasion tactics, employing a "Bring Your Own Vulnerable Driver" (BYOVD) approach. They exploited:
- Huawei's HWAuidoOs2Ec.sys ("Havoc Process Terminator")
- Topaz Antifraud wsftprm.sys (CVE-2023-52271)
- Tower of Fantasy GameDriver x64.sys (CVE-2025-61155)
- K7 Security K7RKScan.sys (CVE-2025-1055)
- Their own custom malicious driver, ABYSSWORKER, designed to masquerade as a legitimate Palo Alto driver.
These drivers allowed them to bypass security controls, terminate processes, and maintain a foothold. The combination of stealthy C2 and advanced driver-based evasion meant DragonForce could operate for an extended period before deploying their ransomware and exfiltrating data.
What This Means for Defenders
Discussions around Teams security usually focus on social engineering tactics such as phishing or malicious file sharing. This DragonForce attack highlights a deeper, more technical challenge: it's not about tricking a user, but about tricking the network itself through Teams relay abuse. That shift demands a re-evaluation of how organizations perceive and defend against threats that leverage trusted communication platforms.
The practical impact is that your network logs might show perfectly legitimate connections to Microsoft's infrastructure even while malicious C2 traffic flows through them. Traditional perimeter defenses, which often whitelist Microsoft domains, are therefore far less effective at detecting this type of Teams relay abuse. Defenders must look beyond destination IPs and scrutinize the behavioral context of network flows.
Symantec has published a complete list of Indicators of Compromise (IoCs), which is a critical starting point for detection. Beyond that, we need to rethink how we monitor trusted application traffic.
To counter such sophisticated attacks, a strategic shift in defense posture is imperative. We can no longer simply trust traffic because it's destined for a Microsoft IP, especially in light of Teams relay abuse. Instead, defenders must prioritize deeper network visibility to identify behavioral anomalies, such as unusual outbound connections from Teams processes after relay use, or atypical TURN traffic patterns for a given user or machine. This moves beyond simple whitelisting to inspect the context and intent of connections.
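As an added example (not code from the original article or from Symantec's write-up), the following Python script runs the two behavioural checks described above over constructed, process-aware connection logs: a non-Teams process reaching a TURN relay port, and a process that contacts a destination outside known Microsoft ranges shortly after its relay connection. The log format, the IP ranges and the process names are assumptions; the ranges use documentation (TEST-NET) addresses and should be replaced with Microsoft's published Teams ranges.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed placeholders: substitute Microsoft's published Teams service ranges.
KNOWN_MS_NETS = [ipaddress.ip_network("203.0.113.0/24")]
TURN_PORTS = {3478}                      # standard STUN/TURN port
TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}
WINDOW = timedelta(minutes=5)            # relay -> external connection correlation window

# Constructed sample log: ts|host|process|dst_ip|dst_port|proto
SAMPLE_EVENTS = [
    "2025-12-03T09:00:00|ws-17|ms-teams.exe|203.0.113.10|3478|udp",   # normal Teams call setup
    "2025-12-03T09:00:04|ws-17|ms-teams.exe|203.0.113.44|443|tcp",    # still inside Microsoft ranges
    "2025-12-03T09:12:00|ws-17|DbgView64.exe|203.0.113.20|3478|udp",  # TURN from a non-Teams process
    "2025-12-03T09:12:30|ws-17|DbgView64.exe|198.51.100.7|443|tcp",   # external destination right after relay
    "2025-12-03T09:40:00|ws-17|DbgView64.exe|198.51.100.7|443|tcp",   # outside the window: no finding
]

def in_ms_nets(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_MS_NETS)

def parse_event(line):
    ts, host, proc, dst, port, proto = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "proc": proc.lower(), "dst": dst, "port": int(port), "proto": proto}

def detect_relay_abuse(lines):
    """Return (rule, host, process, destination) tuples for suspicious sequences."""
    findings = []
    last_turn = {}  # (host, process) -> time of most recent TURN-port connection
    for ev in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        key = (ev["host"], ev["proc"])
        if ev["port"] in TURN_PORTS:
            last_turn[key] = ev["ts"]
            if ev["proc"] not in TEAMS_PROCESSES:
                findings.append(("turn_from_unexpected_process", ev["host"], ev["proc"], ev["dst"]))
        elif key in last_turn and ev["ts"] - last_turn[key] <= WINDOW and not in_ms_nets(ev["dst"]):
            findings.append(("post_relay_external_connection", ev["host"], ev["proc"], ev["dst"]))
    return findings

if __name__ == "__main__":
    for finding in detect_relay_abuse(SAMPLE_EVENTS):
        print(finding)
```

The second rule is only as good as the allowlist: with Microsoft's full published ranges loaded, a legitimate Teams client talking to other Microsoft services after a call stays quiet, while a process that leaves those ranges right after a relay connection is surfaced.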
Enhanced Endpoint Detection and Response (EDR) solutions, especially those with advanced behavioral analytics, are critical for detecting activity on the machine itself, regardless of network stealth achieved through Teams relay abuse. EDR can identify Backdoor.Turn's injection into DbgView64.exe, the creation of rogue users, and the loading of malicious or vulnerable drivers like Huawei’s HWAuidoOs2Ec.sys, Topaz Antifraud wsftprm.sys (CVE-2023-52271), Tower of Fantasy GameDriver x64.sys (CVE-2025-61155), K7 Security K7RKScan.sys (CVE-2025-1055), or the custom ABYSSWORKER. This endpoint visibility is paramount when network-level detection is compromised.
Furthermore, rigorous application of Zero Trust principles is essential. Don't implicitly trust traffic just because it's using a Microsoft service. Verify every connection, every user, and every device. This means implementing micro-segmentation and strict access controls, ensuring that even if an attacker gains a foothold via an initial SQL/MSSQL server flaw, their lateral movement is severely restricted.
Finally, vulnerability management remains non-negotiable. The initial access point in this December 2025 incident was an unknown flaw in an SQL or MSSQL server. This underscores that even with sophisticated C2 and evasion tactics, the foundational defenses of patching and securing your attack surface are paramount.
This isn't a vulnerability in Teams itself, but an abuse of its design and a legitimate protocol. It demonstrates the continuous evolution of attacker tactics, requiring our defenses to adapt proactively. The DragonForce Teams relay abuse serves as a stark reminder that relying solely on network-level whitelisting for trusted services is no longer enough. We have to assume that even legitimate channels can be weaponized, demanding a multi-layered, behavioral-centric security approach.