DragonForce attackers hide command traffic inside Microsoft Teams
#Cybersecurity

Privacy Reporter

Symantec researchers say DragonForce operators used a custom backdoor to make ransomware command traffic look like Microsoft Teams activity, raising breach-response questions for companies that trust cloud traffic by default.

Symantec researchers said Tuesday that DragonForce ransomware operators broke into a major U.S. services company and hid command-and-control traffic inside Microsoft Teams infrastructure for about two months.

The attackers deployed a custom Go-based backdoor that Symantec calls Backdoor.Turn. The malware requested an anonymous visitor token from Microsoft Teams and Skype back-end services, used a Microsoft-operated TURN relay server, then opened a QUIC connection to an attacker-controlled command server.

That design gave defenders a hard problem. Network tools could see traffic to Microsoft services, while the attackers used that trusted path to control compromised systems and move data out of the environment.

Symantec researchers said they had not seen malware use this Teams relay technique before. They did not name the victim, identify affected customers, or say whether DragonForce affiliates used the same method in other intrusions.

DragonForce runs a ransomware-as-a-service operation, which lets affiliates use the brand and infrastructure for their own attacks. Security researchers have tied the operation to Scattered Spider activity, including attacks on major U.K. retailers.

The legal exposure depends on what the attackers accessed. If investigators find personal data in the stolen material, the victim company may face breach notification duties, customer notices, regulator questions, and lawsuits.

Under GDPR Article 33, controllers must notify a supervisory authority within 72 hours after they become aware of a personal data breach, unless the breach poses no risk to people’s rights and freedoms. Under GDPR Article 34, controllers must tell affected people without delay when a breach creates a high risk.

European regulators can also examine whether the company used security controls that matched the risk. GDPR Article 83 allows fines up to 10 million euros, or 2% of annual global revenue, for certain controller and processor obligations. More serious violations can reach 20 million euros, or 4% of annual global revenue.

California residents would look to the CCPA and related breach law if attackers accessed covered personal information. California Civil Code Section 1798.150 lets consumers seek $100 to $750 per consumer per incident, or actual damages, when a business fails to maintain reasonable security and certain personal information suffers unauthorized access, theft, disclosure, or exfiltration.

For users, the risk extends beyond locked files. Ransomware crews often take employee records, customer files, contracts, credentials, and support data before they encrypt systems. A Teams-shaped tunnel can delay detection, which gives attackers more time to copy information that can feed fraud, extortion, and account takeover.

Companies should treat trusted cloud traffic as inspectable traffic. Security teams need logs for Teams token requests, unusual TURN relay use, unexpected QUIC sessions, and service traffic from servers that do not need collaboration tools. Teams allow-listing alone gives attackers cover if they can make their traffic resemble normal Microsoft activity.
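As an added illustration of the logging advice above (not code from Symantec, Microsoft, or the article), the following Python script correlates constructed egress log lines to surface the signals listed: Teams token requests and TURN relay use from hosts with no business running collaboration tools, and a QUIC session to a non-Microsoft destination shortly after a TURN allocation. The log format, the host inventory, the destination allow-list and the hostnames are all assumptions made for the example.

```python
"""
Added example: correlate constructed egress log records to flag
Teams/TURN/QUIC activity that does not fit the host's role.
The log format, host inventory and destination allow-list are
assumptions for illustration, not real telemetry or Microsoft ranges.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str   # "teams_token", "turn_alloc" or "quic_connect"
    dest: str   # destination hostname or IP


# Constructed inventory: True means the host is expected to run
# collaboration tools, False means it should never need them.
COLLAB_EXPECTED = {
    "ws-finance-07": True,
    "srv-db-02": False,
    "srv-app-11": False,
}

# Constructed allow-list of destinations treated as legitimate
# Microsoft service endpoints (placeholder names, not real ranges).
MS_DESTS = {
    "teams.example-ms.net",
    "relay.example-ms.net",
}

# Constructed sample log in the assumed format:
# "<iso-timestamp> host=<name> kind=<event> dest=<destination>"
SAMPLE_LOG = [
    "2024-03-01T09:00:00 host=ws-finance-07 kind=teams_token dest=teams.example-ms.net",
    "2024-03-01T09:00:05 host=ws-finance-07 kind=turn_alloc dest=relay.example-ms.net",
    "2024-03-01T09:00:07 host=ws-finance-07 kind=quic_connect dest=teams.example-ms.net",
    "2024-03-01T09:12:00 host=srv-db-02 kind=teams_token dest=teams.example-ms.net",
    "2024-03-01T09:12:03 host=srv-db-02 kind=turn_alloc dest=relay.example-ms.net",
    "2024-03-01T09:12:04 host=srv-db-02 kind=quic_connect dest=203.0.113.5",
    "2024-03-01T10:30:00 host=srv-app-11 kind=quic_connect dest=teams.example-ms.net",
]


def parse_line(line: str) -> Event:
    """Parse one line of the constructed log format into an Event."""
    ts_str, rest = line.split(" ", 1)
    fields = dict(part.split("=", 1) for part in rest.split())
    return Event(datetime.fromisoformat(ts_str), fields["host"],
                 fields["kind"], fields["dest"])


def detect(events, window=timedelta(minutes=10)):
    """Return (host, reason) findings for the two rules described above."""
    findings = []
    by_host = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)

    for host, evs in by_host.items():
        # Unknown hosts are treated as workstations so the rule stays conservative.
        needs_collab = COLLAB_EXPECTED.get(host, True)

        # Rule 1: Teams token requests or TURN use from a host that never needs them.
        for ev in evs:
            if ev.kind in ("teams_token", "turn_alloc") and not needs_collab:
                findings.append(
                    (host, f"{ev.kind} from host not expected to run collaboration tools"))

        # Rule 2: QUIC to a destination outside the allow-list within `window`
        # of a TURN allocation on the same host.
        turn_times = [ev.ts for ev in evs if ev.kind == "turn_alloc"]
        for ev in evs:
            if ev.kind == "quic_connect" and ev.dest not in MS_DESTS:
                if any(timedelta(0) <= ev.ts - t <= window for t in turn_times):
                    findings.append(
                        (host, f"QUIC to non-allow-listed {ev.dest} shortly after TURN relay use"))
    return findings


def analyze_sample():
    """Run both rules over the constructed sample log."""
    return detect(parse_line(line) for line in SAMPLE_LOG)


if __name__ == "__main__":
    for host, reason in analyze_sample():
        print(f"{host}: {reason}")
```

On the sample data the finance workstation produces no findings because its whole sequence ends at an allow-listed destination, the database server trips both rules, and the application server's lone QUIC session to an allow-listed endpoint stays quiet. The point of the second rule is that TURN use on its own is ordinary for a Teams client; it becomes interesting only when the follow-on session leaves the expected Microsoft endpoints.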

The incident also raises a vendor-risk lesson. Organizations depend on Microsoft 365 for identity, chat, calls, files, and meetings. Attackers know defenders hesitate to block those services. Companies need egress rules, identity monitoring, endpoint telemetry, and data-loss controls that can distinguish a worker’s Teams session from a backdoor using Teams plumbing.

DragonForce operators used a familiar ransomware pattern with a sharper hiding place: gain access, keep a foothold, route control traffic through a trusted platform, and preserve options after encryption. Regulators and customers will care less about the novelty of the technique than the company’s answer to a plain question: who accessed personal data, and why did the company’s controls miss them for two months?
