A brazen ransomware attack against a major U.S. services company in December 2025 has revealed a sophisticated new evasion technique: attackers hid their command-and-control (C2) infrastructure inside Microsoft Teams relay servers. The DragonForce ransomware group deployed a custom Go-based backdoor that piggybacked on legitimate Teams media traffic, making detection exceptionally difficult. This incident marks the first known instance of threat actors abusing the Teams relay architecture to blend malicious communications with daily enterprise collaboration traffic.
Security researchers investigating the breach found that the attackers had gained initial access through a compromised partner account, then moved laterally across the victim’s network for over two weeks before launching the ransomware payload. During that dwell time, the custom backdoor regularly called home using the same UDP and TCP channels that Teams employs for audio, video, and screen sharing. The C2 servers were located in cloud-hosted virtual machines, but the traffic appeared to originate from Microsoft’s own relay infrastructure, effectively bypassing network egress filters that trusted Teams IP ranges.
“This represents a step change in stealth,” noted one incident responder who spoke on condition of anonymity. “Traditional C2 channels stick out because they talk to unknown IPs or use odd protocols. But by riding on Teams’ own plumbing, the attackers made their traffic indistinguishable from the terabytes of legitimate Teams data flowing through the enterprise every day.”
The backdoor, dubbed “TeamsPipe” by the response team, was written in Go and compiled with obfuscation to evade static analysis. It established a WebSocket connection to a Microsoft Teams relay server and then used a custom messaging layer to receive commands and exfiltrate data. Because the communication was encrypted end-to-end via TLS and encapsulated within the Teams signaling protocol, even deep packet inspection tools failed to flag it.
What Is DragonForce Ransomware?
DragonForce first appeared in mid-2024 and quickly gained notoriety for targeting high-value enterprises in North America and Europe. The group operates a double-extortion model: encrypting files and threatening to leak stolen data unless a ransom is paid. Their encryption routine uses a combination of AES-256 and RSA-2048, leaving files with the .dragonforce extension and dropping ransom notes named HOW_TO_RECOVER.txt.
Previous DragonForce campaigns relied on more conventional C2 methods—HTTPS beacons to attacker-controlled domains, DNS tunneling, and abuse of legitimate services like Slack and Telegram. The shift to Microsoft Teams relays shows the group is actively researching the internal communication patterns of their targets to craft bespoke evasion strategies. Security analysts believe the group has ties to an Eastern European cybercrime gang, citing code overlaps with older ransomware families.
The Attack: Hiding C2 in Teams Relays
The December 2025 attack unfolded in three phases:
- Initial compromise: Attackers phished credentials from an employee at a third-party vendor that had federated Teams access to the target organization. Once inside, they used those credentials to authenticate to the victim’s Azure AD tenant and register a malicious device.
- Lateral movement and persistence: Using the compromised identity, the attackers identified a Windows Server 2025 machine running a legacy IIS application with a known privilege escalation flaw (CVE-2024-49138). They deployed the TeamsPipe backdoor as a service named “TeamsMediaRelay” to appear benign.
- Data exfiltration and ransomware deployment: Over 18 days, the backdoor exfiltrated over 800 GB of sensitive project data to attacker-controlled OneDrive accounts by embedding the data in fake Teams meeting recordings. On the nineteenth day, the ransomware payload was pushed to all domain-joined machines via Group Policy, encrypting on-premises and cloud file shares.
The abuse of Microsoft Teams relays specifically exploited the fact that many enterprises whitelist Microsoft’s IP ranges and domains for performance and reliability reasons. “Teams traffic is almost universally allowed through firewalls and proxies because breaking it means breaking collaboration,” said a network security architect who reviewed the incident. “Attackers counted on that fact, and they were right.”
Technical Analysis of the Go Backdoor
TeamsPipe is a 3.4 MB Go binary that uses the following techniques:
- Process injection: It injects shellcode into a legitimate Teams.exe process, then takes control of its network sockets.
- Relay impersonation: It modifies the Teams client’s WebSocket handshake to point to a malicious relay node, which then forwards commands through Microsoft’s actual relay infrastructure. The malicious relay was an attacker-controlled server that implemented a subset of the Interactive Connectivity Establishment (ICE) protocol used by Teams.
- Encrypted command channel: Commands are base64-encoded JSON blobs hidden in the X-Ms-UserRole header of a specially crafted SDP offer. The backdoor parses these headers and executes the corresponding actions: shell, upload, download, sleep, and encrypt.
- Anti-forensics: The binary clears Windows event logs related to service installation (Event ID 7045) and uses direct system calls to avoid user-mode API hooks. It also checks for the presence of common EDR drivers and adjusts its behavior to avoid triggering alerts.
Analysis of the C2 infrastructure revealed that the attackers leveraged Azure VMs in the East US region, each running a modified coturn TURN/STUN server to relay the malicious commands. By registering these servers with Microsoft’s Teams relay discovery endpoints, they effectively became part of the federation, making the traffic indistinguishable from normal Teams signaling.
Implications for Windows Enterprise Security
The DragonForce attack underscores a growing challenge: as Microsoft 365 and Teams become the backbone of enterprise communication, they also expand the attack surface in ways that traditional network security tools cannot easily address. Perimeter-based defenses that trust Microsoft’s IP ranges and domains are no longer sufficient. Even advanced threat protection that inspects TLS traffic would need to decrypt and inspect Teams streams in real time, which is computationally expensive and can break media quality—a trade-off most organizations have been unwilling to make.
“This is a nightmare scenario for the ‘allow if Microsoft’ mindset,” said a senior analyst at a major cybersecurity firm. “The attackers have effectively weaponized our trust in the platform. We must now treat Teams traffic as potentially hostile, just like any other internet traffic.”
For Windows administrators, the attack highlights several critical gaps:
- Lack of visibility: Most security tools focus on known malicious destinations or anomalies in HTTP traffic. They are blind to threats that mimic legitimate application protocols within trusted services.
- Identity and access sprawl: The initial breach came from a partner’s account with federated access, yet many organizations do not apply the same conditional access policies to external identities as they do to internal ones.
- Endpoint blind spots: Even with EDR solutions, a carefully crafted Go backdoor using direct system calls and process injection can evade detection by design.
How to Defend Against Teams-Based C2 Attacks
While there is no silver bullet, Windows defenders can implement several measures to reduce the risk of similar attacks:
1. Implement Zero Trust for Microsoft Teams Traffic
Treat Teams traffic with the same skepticism as any web traffic. Replace IP allowlisting with Zero Trust principles: verify identity, device health, and risk level for every session. Use Azure AD Conditional Access to require MFA, compliant devices, and risk-based authentication for all Teams access—including guest and external users.
2. Deploy Advanced Endpoint Detection
Invest in EDR solutions that use behavioral analysis rather than signature-based detection. Look for capabilities such as:
- Detection of process injection and hollowing
- Anomalous use of Windows services
- Unusual network connections from Teams.exe
- Tampering with event logs
Regularly test EDR effectiveness by simulating the TeamsPipe techniques using open-source tools like Atomic Red Team.
3. Inspect Teams Network Traffic
Where possible, enforce TLS inspection for Teams traffic—but be aware of the performance impact. A more practical approach is to use proxy-based filtering that examines TLS handshake metadata, certificate chains, and SNI hostnames. Suspicious patterns, such as connections to Microsoft IPs that present certificates not issued to Microsoft’s known domains, should be blocked and investigated.
Additionally, monitor for unexpected protocols. Teams uses STUN/TURN for media, but the backdoor’s relay used a non-standard modification of ICE. Anomalies in the ICE candidate exchange can be detected using custom Suricata or Zeek scripts.
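The metadata checks described in this section (trusted Microsoft ranges on non-standard ports, certificates not issued under Microsoft domains, and a role header that hides an encoded JSON blob, as described in the technical analysis above) can be expressed as rules over per-flow records exported by a proxy or Zeek. The script below is an added example written for this article, not code from the article, from Microsoft or from any vendor. The address prefixes, expected ports, domain suffixes and the three flow records are assumptions constructed for illustration; in production, load prefixes from Microsoft's published Office 365 endpoint list and extend the suffix list from your own observations.

```python
"""Metadata checks for traffic that claims to be Microsoft Teams relay traffic.

Added example, not code from the article or from Microsoft. The prefixes, ports,
domain suffixes and flow records below are assumptions constructed for illustration;
in production, load prefixes from the published Office 365 endpoint list.
"""
from __future__ import annotations

import base64
import ipaddress
import json

# Assumed Teams media/relay prefixes (illustrative; verify before use).
TRUSTED_PREFIXES = [ipaddress.ip_network(p) for p in ("52.112.0.0/14", "52.122.0.0/15")]

# Ports a Teams client is documented to use towards Microsoft relays:
# UDP 3478-3481 for media, TCP 443 for signaling.
EXPECTED_PORTS = {("udp", p) for p in range(3478, 3482)} | {("tcp", 443)}

# Suffixes a genuine relay certificate is expected to be issued under (assumption).
MICROSOFT_SUFFIXES = (".microsoft.com", ".skype.com", ".office.com", ".microsoftonline.com")


def in_trusted_range(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_PREFIXES)


def san_matches_microsoft(sans: list[str]) -> bool:
    """True only if every SAN entry (wildcards included) sits under a Microsoft suffix."""
    if not sans:
        return False
    for name in sans:
        host = name[2:] if name.startswith("*.") else name
        if not host.lower().endswith(MICROSOFT_SUFFIXES):
            return False
    return True


def decodes_to_json_object(value: str) -> bool:
    """True if a header value is strict base64 that decodes to a JSON object.

    A genuine role header carries a short token, not an encoded command blob.
    """
    try:
        return isinstance(json.loads(base64.b64decode(value, validate=True)), dict)
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        return False


def check_flow(flow: dict) -> list[str]:
    """Return the reasons a flow record looks unlike genuine Teams traffic (empty = clean)."""
    reasons = []
    if in_trusted_range(flow["dst_ip"]):
        if (flow["proto"], flow["dst_port"]) not in EXPECTED_PORTS:
            reasons.append("Microsoft range but non-standard port")
        if "cert_sans" in flow and not san_matches_microsoft(flow["cert_sans"]):
            reasons.append("certificate not issued under a Microsoft domain")
    for name, value in flow.get("headers", {}).items():
        if decodes_to_json_object(value):
            reasons.append(f"header {name} carries a base64-encoded JSON object")
    return reasons


def scan(flows: list[dict]) -> dict[int, list[str]]:
    """Map the index of each suspicious flow to its reasons."""
    return {i: r for i, f in enumerate(flows) if (r := check_flow(f))}


# Constructed sample flows: one benign media flow, one to a non-standard port with a
# foreign certificate, and one signaling flow whose role header hides a JSON blob.
SAMPLE_FLOWS = [
    {"dst_ip": "52.112.1.10", "proto": "udp", "dst_port": 3478,
     "cert_sans": ["*.relay.teams.microsoft.com"], "headers": {"X-Ms-UserRole": "attendee"}},
    {"dst_ip": "52.113.5.5", "proto": "tcp", "dst_port": 8443,
     "cert_sans": ["relay-node.example.net"], "headers": {}},
    {"dst_ip": "52.112.1.10", "proto": "tcp", "dst_port": 443,
     "cert_sans": ["*.teams.microsoft.com"],
     "headers": {"X-Ms-UserRole": base64.b64encode(b'{"action": "sleep"}').decode()}},
]

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_FLOWS).items():
        print(i, reasons)
```

The header rule deliberately uses strict base64 decoding and requires a JSON object, so ordinary role tokens such as "attendee" or "presenter" never trigger it; the certificate rule only fires for destinations inside the trusted ranges, which is exactly where the "allow if Microsoft" assumption would otherwise hide the traffic.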
4. Enforce Application Control
Use Windows Defender Application Control (WDAC) or AppLocker to restrict which binaries can execute. The TeamsPipe backdoor relied on launching a Go binary from a suspicious location (C:\ProgramData\Microsoft\TeamsMediaRelay\). Creating WDAC policies that only allow signed Microsoft binaries in common directories would have prevented execution.
Enable tamper protection and protected process light (PPL) for critical security services to prevent process injection.
5. Harden Identity and Federation
Review all external identities with access to Teams and apply strict controls:
- Use Azure AD B2B entitlement management to limit guest access duration.
- Enforce MFA and cross-tenant access policies that inspect device compliance.
- Regularly audit federation trusts and delete unused connections.
6. Monitor for Anomalous Microsoft Graph API Activity
The backdoor used Microsoft Graph APIs to enumerate users, download emails, and create fake meeting recordings. Enable audit logging for all Graph API operations and set alerts for bulk downloads, unusual meeting creation patterns, or access from non-interactive sign-ins.
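The three alert conditions named above (bulk downloads, unusual meeting-recording creation, and sensitive access under non-interactive sign-ins) can be checked offline against an audit log export. The script below is an added example written for this article, not code from the article or from Microsoft; the record layout, operation names, thresholds and the sample records are constructed for illustration and must be mapped to the schema of your own audit export.

```python
"""Anomaly rules over Microsoft 365 / Graph audit records for the patterns the article names.

Added example, not code from the article or from Microsoft. Record fields, operation
names and thresholds are constructed assumptions; map them to your export's schema.
"""
from __future__ import annotations

from collections import defaultdict, deque
from datetime import datetime, timedelta

DOWNLOAD_LIMIT = 50          # downloads per principal per window before alerting (assumed)
MEETING_LIMIT = 10           # recording creations per principal per window (assumed)
WINDOW = timedelta(minutes=10)


def sliding_window_bursts(records, operation, limit, window=WINDOW):
    """Return (principal, timestamp) for the record that first pushes a principal over
    `limit` occurrences of `operation` inside `window`; at most one alert per principal."""
    recent = defaultdict(deque)
    alerted = set()
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["operation"] != operation:
            continue
        principal = rec["principal"]
        window_q = recent[principal]
        window_q.append(rec["ts"])
        while window_q and rec["ts"] - window_q[0] > window:
            window_q.popleft()          # drop events that fell out of the window
        if len(window_q) > limit and principal not in alerted:
            alerted.add(principal)
            alerts.append((principal, rec["ts"]))
    return alerts


def non_interactive_user_access(records, sensitive_ops):
    """Sensitive operations performed by a user (not an app) under a non-interactive sign-in."""
    return [(r["principal"], r["operation"]) for r in records
            if r["operation"] in sensitive_ops
            and r["principal_type"] == "user"
            and r["sign_in_type"] == "nonInteractive"]


def evaluate(records):
    """Run all three rules and return their findings keyed by rule name."""
    return {
        "bulk_download": sliding_window_bursts(records, "FileDownloaded", DOWNLOAD_LIMIT),
        "meeting_burst": sliding_window_bursts(records, "RecordingCreated", MEETING_LIMIT),
        "non_interactive": non_interactive_user_access(
            records, {"FileDownloaded", "MailItemsAccessed"}),
    }


T0 = datetime(2025, 12, 3, 9, 0)


def _rec(minute, principal, operation, sign_in="interactive", ptype="user"):
    """Build one constructed audit record `minute` minutes after T0."""
    return {"ts": T0 + timedelta(minutes=minute), "principal": principal,
            "operation": operation, "sign_in_type": sign_in, "principal_type": ptype}


# Constructed sample: an ordinary user downloading a few files, a federated partner
# identity pulling 60 files in five minutes under a non-interactive sign-in, and the
# same identity creating 12 recordings in 12 minutes.
SAMPLE = (
    [_rec(i, "bob@corp.example", "FileDownloaded") for i in range(0, 30, 5)]
    + [_rec(i / 12, "partner@vendor.example", "FileDownloaded", sign_in="nonInteractive")
       for i in range(60)]
    + [_rec(40 + i, "partner@vendor.example", "RecordingCreated") for i in range(12)]
)

if __name__ == "__main__":
    for rule, hits in evaluate(SAMPLE).items():
        print(rule, len(hits), hits[:1])
```

The sliding window alerts once per principal, at the record that crosses the threshold, which keeps a single noisy identity from flooding the queue; the timestamp returned is the point at which a responder would want the session token revoked.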
7. Practice Incident Response
Simulate a TeamsPipe-style attack in a test environment to validate your SOC’s ability to detect it. Key indicators of compromise (IOCs) from the December 2025 attack include:
- Service installation with the name “TeamsMediaRelay”
- Outgoing TCP connections to IP addresses within Microsoft’s known VPN ranges but on non-standard ports
- Memory anomalies in Teams.exe (e.g., RWX pages)
- Unusual modifications to the Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services registry key
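The endpoint behaviours listed under "Deploy Advanced Endpoint Detection" and the host-side indicators above map onto a handful of Windows event types: Event ID 7045 (System log) for service installation, Sysmon Event ID 3 for network connections, Sysmon Event ID 13 for registry value writes, and Security Event ID 1102 for an audit log being cleared. The rule set below is an added example written for this article, not code from the article, from Microsoft or from any EDR vendor. The event records are constructed; the field names follow those logs loosely and need mapping to your collector's schema, and the list of ports Teams.exe is expected to use is an assumption to be tuned from your own baseline.

```python
"""Rules over Windows event records for the behaviours the article lists.

Added example, not code from the article or from any EDR vendor. Records are
constructed; field names follow the System log (7045), Security log (1102) and
Sysmon (3, 13) loosely and may need mapping to your collector's schema.
"""
from __future__ import annotations

SERVICE_WATCHLIST = {"teamsmediarelay"}        # service name used in the incident
TRUSTED_IMAGE_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
SERVICES_KEY = "hklm\\system\\currentcontrolset\\services\\"
# Ports Teams.exe is documented to use: TCP 443 signaling, UDP 3478-3481 relay media,
# UDP 50000-50059 client media (assumption for the example; tune from your baseline).
TEAMS_PORTS = ({("tcp", 443)} | {("udp", p) for p in range(3478, 3482)}
               | {("udp", p) for p in range(50000, 50060)})


def rule_service_install(ev):
    """Event ID 7045: new service with a watchlisted name or an image outside trusted roots."""
    name = ev.get("ServiceName", "").lower()
    image = ev.get("ImagePath", "").lower().strip('"')
    if name in SERVICE_WATCHLIST:
        return f"watchlisted service installed: {ev['ServiceName']}"
    if not image.startswith(TRUSTED_IMAGE_ROOTS):
        return f"service {ev['ServiceName']} installed from untrusted path {ev['ImagePath']}"
    return None


def rule_teams_network(ev):
    """Sysmon Event ID 3: Teams.exe talking on a port Teams does not use."""
    if not ev.get("Image", "").lower().endswith("\\teams.exe"):
        return None
    key = (ev.get("Protocol", "").lower(), int(ev.get("DestinationPort", 0)))
    if key not in TEAMS_PORTS:
        return f"Teams.exe connected to {ev['DestinationIp']}:{key[1]}/{key[0]}"
    return None


def rule_services_registry(ev):
    """Sysmon Event ID 13: value written under a Services subkey of a watchlisted service."""
    target = ev.get("TargetObject", "").lower()
    if not target.startswith(SERVICES_KEY):
        return None
    service = target[len(SERVICES_KEY):].split("\\")[0]
    if service in SERVICE_WATCHLIST:
        return f"registry write to watchlisted service key: {ev['TargetObject']}"
    return None


def rule_log_cleared(ev):
    """Security Event ID 1102: the audit log was cleared."""
    return f"audit log cleared by {ev.get('SubjectUserName', '?')}"


RULES = {
    ("System", 7045): rule_service_install,
    ("Sysmon", 3): rule_teams_network,
    ("Sysmon", 13): rule_services_registry,
    ("Security", 1102): rule_log_cleared,
}


def evaluate(events):
    """Run the rule registered for each event's channel/ID; return (rule, detail) pairs."""
    alerts = []
    for ev in events:
        rule = RULES.get((ev["Channel"], ev["EventID"]))
        if rule is None:
            continue
        detail = rule(ev)
        if detail:
            alerts.append((rule.__name__, detail))
    return alerts


TEAMS_IMAGE = r"C:\Users\alice\AppData\Local\Microsoft\Teams\current\Teams.exe"
# Constructed sample records: one benign service install, then the indicators.
# "service.exe" is a placeholder file name; the article names only the directory.
SAMPLE_EVENTS = [
    {"Channel": "System", "EventID": 7045, "ServiceName": "ExampleAgent",
     "ImagePath": r"C:\Program Files\Example\agent.exe"},
    {"Channel": "System", "EventID": 7045, "ServiceName": "TeamsMediaRelay",
     "ImagePath": r"C:\ProgramData\Microsoft\TeamsMediaRelay\service.exe"},
    {"Channel": "Sysmon", "EventID": 3, "Image": TEAMS_IMAGE, "Protocol": "tcp",
     "DestinationIp": "52.113.5.5", "DestinationPort": 8443},
    {"Channel": "Sysmon", "EventID": 3, "Image": TEAMS_IMAGE, "Protocol": "udp",
     "DestinationIp": "52.112.1.10", "DestinationPort": 3478},
    {"Channel": "Sysmon", "EventID": 13, "Image": r"C:\Windows\System32\services.exe",
     "TargetObject": r"HKLM\System\CurrentControlSet\Services\TeamsMediaRelay\ImagePath"},
    {"Channel": "Security", "EventID": 1102, "SubjectUserName": "svc-deploy"},
]

if __name__ == "__main__":
    for rule, detail in evaluate(SAMPLE_EVENTS):
        print(rule, "-", detail)
```

Because the backdoor is described as clearing the 7045 entries after installing itself, the registry rule (Sysmon 13) and the log-cleared rule (1102) are the ones most likely to survive its anti-forensics: a write to a Services subkey is recorded by Sysmon independently of the System log, and clearing a log produces its own event that cannot be suppressed from inside the log that was cleared.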
What Microsoft Is Doing
Microsoft has acknowledged the abuse of Teams relay infrastructure and is working on mitigations. In a January 2026 statement, the company said: “We have released updates to Teams signaling to better validate the authenticity of relay endpoints. Additionally, we are enhancing Microsoft Defender for Office 365 with new detections for anomalous Teams traffic patterns and unauthorized relay use.”
Microsoft also advised customers to transition to Teams Premium, which includes additional security features like end-to-end encryption for meetings, advanced network telemetry, and the ability to block unregistered relay servers.
The Long-Term Outlook
The DragonForce attack is a harbinger of things to come. As more business processes converge on collaboration platforms, they become lucrative targets for sophisticated adversaries. Windows and Microsoft 365 administrators must evolve their defense strategies from a perimeter-based model to a data-centric, identity-focused one that assumes breach.
“We’re going to see more attackers leveraging trust relationships in the cloud,” predicted a CISO whose company was unaffected by the breach. “The question isn’t whether you’ll be targeted this way, but whether you’ll detect it before the ransomware payload hits.”
The good news is that the security community is adapting. Open-source projects are emerging to detect ICE/TURN abuse, and the incident has spurred broader adoption of Zero Trust architectures. For Windows defenders, the time to act is now.
Failing to do so could mean the next Teams call you join might be the one that encrypts your data.