579 companies are compromised.
Symantec just disclosed that DragonForce ransomware deployed a custom Go-based backdoor called Backdoor.Turn — the first known malware to weaponize Microsoft Teams relay infrastructure for command-and-control traffic.
Your security team cannot tell the difference.
The technique works like this: Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft's Skype-backed identity services.
It routes C2 traffic through a legitimate Microsoft TURN relay — the same infrastructure your Teams calls use every day.
Then it establishes a QUIC session directly to the attacker's server.
Every network monitoring tool on your stack sees outbound connections to legitimate Microsoft infrastructure.
There is no CVE. There is no software vulnerability. The attackers are abusing a trust relationship your network was built to permit.
Attackers were inside one major U.S. services firm for two months before encryption was deployed. DragonForce now operates as a formalized cartel targeting companies with $15M+ annual revenue.
They used BYOVD techniques with four vulnerable drivers, including a novel Huawei exploit, to kill EDR before your SOC could blink.
If your enterprise runs Microsoft Teams — and it does — your most trusted communication platform is now your most dangerous blind spot.
Audit your Teams relay traffic patterns today. Baseline normal TURN activity now, before you need to detect the anomaly.
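One way to start that baseline, as an added example that is not from Symantec's report: build a per-host profile of relay traffic, then flag flows that break it. The record fields, the process names and the sample flows are constructed, and the relay ranges and UDP ports are an assumption taken from Microsoft's published Microsoft 365 endpoint list that should be checked against the current list.

```python
import ipaddress
from collections import defaultdict

# Assumption: Teams media relay ranges and UDP ports as published in Microsoft's
# Microsoft 365 endpoint list; confirm against the current list before use.
RELAY_NETS = [ipaddress.ip_network(n) for n in ("52.112.0.0/14", "52.122.0.0/15")]
RELAY_PORTS = range(3478, 3482)

def is_relay(flow):
    ip = ipaddress.ip_address(flow["dst"])
    return flow["dport"] in RELAY_PORTS and any(ip in n for n in RELAY_NETS)

def build_baseline(flows):
    """Per host: processes seen talking to the relay and the longest session seen."""
    base = defaultdict(lambda: {"procs": set(), "max_secs": 0})
    for f in filter(is_relay, flows):
        b = base[f["host"]]
        b["procs"].add(f["proc"].lower())
        b["max_secs"] = max(b["max_secs"], f["secs"])
    return base

def find_anomalies(flows, base, slack=3.0):
    """Return (host, proc, reason) for relay flows that break the baseline."""
    hits = []
    for f in filter(is_relay, flows):
        host, proc = f["host"], f["proc"].lower()
        if host not in base:
            hits.append((host, proc, "host never used relay"))
        elif proc not in base[host]["procs"]:
            hits.append((host, proc, "new process on relay"))
        elif f["secs"] > slack * base[host]["max_secs"]:
            hits.append((host, proc, "session far longer than baseline"))
    return hits

# Constructed sample flow records with process attribution (not real telemetry).
def rec(host, proc, dst, dport, secs):
    return {"host": host, "proc": proc, "dst": dst, "dport": dport, "secs": secs}
BASELINE = [
    rec("wks-01", "ms-teams.exe", "52.112.10.5", 3478, 1800),
    rec("wks-02", "ms-teams.exe", "52.123.4.4", 3479, 2400),
]
TODAY = [
    rec("wks-01", "ms-teams.exe", "52.113.1.1", 3478, 1500),     # normal call
    rec("wks-01", "svchelper.exe", "52.112.10.5", 3478, 40000),  # unknown process
    rec("srv-db-01", "updater.exe", "52.114.2.2", 3480, 600),    # server, no Teams use
    rec("wks-02", "ms-teams.exe", "52.123.4.4", 3479, 90000),    # very long session
    rec("wks-02", "chrome.exe", "203.0.113.10", 443, 30),        # not relay traffic
]
```

Calling `find_anomalies(TODAY, build_baseline(BASELINE))` returns the three flagged flows; the check depends on flow logs that carry the originating process, which usually means joining endpoint and network telemetry.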
SOURCE: https://www.security.com/threat-intelligence/dragonforce-msteams-backdoor
VERIFIED: Symantec Threat Hunter Team (security.com), BleepingComputer (June 16, 2026), SecurityAffairs (June 17, 2026)
SIGNAL: Every enterprise using Microsoft Teams just inherited a C2 channel that blends into legitimate traffic. This is the first confirmed abuse of TURN relay infrastructure in the wild — and your EDR can't see it.