June 23, 2026
By esentry Team

Ransomware Operators Abuse Microsoft Teams Relay Infrastructure to Evade Detection

Severity: High
Threat Type: Ransomware
Affected Technology: Microsoft Teams, Microsoft 365 Environments, Windows Endpoints
Threat Actor: DragonForce-affiliated ransomware operators
Date: June 2026

A significant evolution in ransomware tradecraft has emerged with threat actors leveraging Microsoft Teams relay infrastructure to conceal malicious communications within legitimate enterprise traffic. The technique represents a shift from traditional command-and-control channels toward the abuse of trusted cloud collaboration services that are already permitted in most corporate environments.

The activity involves the deployment of a custom backdoor capable of routing attacker communications through Microsoft Teams TURN (Traversal Using Relays around NAT) relay services. By utilizing Microsoft-owned infrastructure as an intermediary, attackers can blend malicious traffic with normal collaboration activity, reducing the effectiveness of network monitoring controls, IP reputation systems, allowlisting strategies, and traditional command-and-control detection methods.

This development is particularly concerning because it demonstrates how ransomware operators are increasingly abusing trusted enterprise platforms rather than relying on suspicious external infrastructure. As organizations continue to adopt cloud-first architectures and collaboration tools, the distinction between legitimate and malicious traffic becomes increasingly difficult to identify.

Key Findings

1. Microsoft Teams Infrastructure Used as a Covert Communication Channel

The observed malware utilizes Microsoft Teams TURN relay services to transport command-and-control traffic between compromised systems and attacker-controlled infrastructure. Rather than establishing direct outbound connections to malicious servers, infected systems communicate through Microsoft-owned relay infrastructure, making the activity appear legitimate from a network perspective.

This technique offers several advantages to attackers:

  • Communications inherit the trust associated with Microsoft cloud services.
  • Security products relying on domain reputation become less effective.
  • Network monitoring teams face challenges distinguishing malicious activity from normal Teams traffic.
  • Traffic inspection controls may generate significantly fewer alerts.

2. Trusted Applications Are Becoming Attack Infrastructure

Historically, organizations have focused on blocking suspicious domains, malicious IP addresses, and known command-and-control servers. However, this campaign highlights a broader industry trend in which adversaries exploit trusted business applications as part of their attack chain. Microsoft Teams itself is not compromised; rather, its legitimate communication mechanisms are abused as cover for malicious operations. The result is a substantial reduction in the effectiveness of perimeter-centric security controls.

3. Extended Dwell Time Before Ransomware Deployment

Analysis of recent incidents indicates attackers maintained access within victim environments for an extended period before ransomware execution. By concealing command-and-control communications inside trusted collaboration traffic, operators were able to conduct reconnaissance, move laterally, and establish persistence while minimizing detection opportunities.

For executives, this means ransomware risk should no longer be viewed solely as an encryption event. The primary business risk begins weeks or months earlier when adversaries gain visibility into sensitive systems, intellectual property, privileged accounts, and business-critical operations.

Business Impact

Organizations utilizing Microsoft 365 and Teams should consider the following risks:

Operational Disruption

Successful ransomware deployment can result in:

  • System outages
  • Business process interruption
  • Productivity losses
  • Recovery and restoration costs

Data Theft and Extortion

Modern ransomware operations typically involve data exfiltration before encryption. Attackers may threaten public disclosure of sensitive information if ransom demands are not met.

Reduced Detection Capability

The abuse of trusted Microsoft infrastructure may delay detection timelines and increase attacker dwell time, providing additional opportunities for privilege escalation and lateral movement.

Reputational Damage

Organizations experiencing prolonged compromise may face regulatory scrutiny, customer trust issues, and reputational harm resulting from data exposure or service disruptions.

Indicators of Elevated Risk

Organizations should investigate:

  • Unusual Teams-related network activity originating from endpoints rather than standard user workflows.
  • Unexpected outbound communications associated with Teams processes.
  • Long-lived connections involving Teams relay services from non-standard systems.
  • Unauthorized administrative activity following Teams-related network anomalies.
  • Increased authentication events, privilege escalations, or lateral movement preceding ransomware indicators.
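The following triage script is an added illustration, not part of the advisory or any vendor tooling. It runs the indicators above (relay connections from non-Teams processes, from server-role hosts, or with abnormally long lifetimes) over constructed flow records. The relay prefix is a TEST-NET placeholder, the STUN/TURN port range and the Teams client image names are assumptions, and the long-lived threshold is a tunable.

```python
import ipaddress
from collections import namedtuple

# Assumptions (not from the advisory): STUN/TURN relay ports 3478-3481; the
# relay prefix is a constructed TEST-NET placeholder to be replaced with the
# published Microsoft 365 Teams media ranges; client image names are assumed.
TURN_PORTS = range(3478, 3482)
RELAY_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed placeholder
TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}
LONG_LIVED_SECONDS = 4 * 3600          # tune to your longest plausible meeting
SERVER_ROLES = {"server"}              # hosts where no Teams client is expected

Conn = namedtuple("Conn", "host role process dest port duration")

def parse_line(line):
    """Parse one constructed flow record: host,role,process,dest_ip,port,seconds."""
    host, role, proc, dest, port, dur = line.strip().split(",")
    return Conn(host, role, proc.lower(), ipaddress.ip_address(dest), int(port), int(dur))

def is_relay_conn(c):
    """True when the flow targets an assumed TURN relay port on a relay prefix."""
    return c.port in TURN_PORTS and any(c.dest in n for n in RELAY_NETS)

def triage(c):
    """Return the reasons a relay connection is suspicious (empty list = looks benign)."""
    reasons = []
    if not is_relay_conn(c):
        return reasons
    if c.process not in TEAMS_PROCESSES:
        reasons.append("non-teams-process")
    if c.role in SERVER_ROLES:
        reasons.append("server-host")
    if c.duration > LONG_LIVED_SECONDS:
        reasons.append("long-lived")
    return reasons

def run(lines):
    """Return (host, process, reasons) for every record that trips at least one indicator."""
    return [(c.host, c.process, triage(c)) for c in map(parse_line, lines) if triage(c)]

SAMPLE_LOG = [  # constructed records, not real telemetry
    "ws-101,workstation,ms-teams.exe,203.0.113.10,3478,2700",    # normal 45 min call
    "fs-02,server,updater.exe,203.0.113.22,3480,32400",          # 9 h relay flow from a file server
    "ws-117,workstation,ms-teams.exe,203.0.113.10,3478,108000",  # 30 h "call" from the Teams client
    "ws-117,workstation,chrome.exe,198.51.100.5,443,120",        # unrelated web traffic
]

if __name__ == "__main__":
    for host, proc, reasons in run(SAMPLE_LOG):
        print(host, proc, reasons)
```

Flagged records should be correlated with the identity and privilege events listed above before escalation; a single long call is expected noise, a server opening relay flows is not.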

Conclusion

This trend is expected to expand beyond Microsoft Teams to other collaboration, productivity, and cloud communication platforms. Security programs built primarily around blocking known malicious infrastructure will face increasing challenges as attackers continue to leverage legitimate enterprise services as operational cover. Organizations should treat this development as an indicator that modern ransomware defence requires visibility into user behaviour, identity activity, and cloud service usage, not solely traditional network indicators of compromise.