Attackers can now turn Microsoft Teams and Zoom into invisible command-and-control backchannels without exploiting a single software flaw. Researchers from Praetorian have detailed a post-exploitation technique they call “Ghost Calls” that hijacks the temporary TURN credentials issued during conference calls, then repurposes the same globally distributed relay infrastructure enterprises trust for daily meetings. Because the malicious traffic rides inside encrypted media flows and originates from vendor-owned IP ranges, it slides through firewalls, proxies, and TLS inspection as easily as a routine standup.
“This isn’t a vulnerability in the classic sense,” explained the Praetorian team in a Black Hat USA 2025 briefing. “There’s no CVE to issue, no patch to apply. The attack abuses a feature that makes modern collaboration work across restrictive networks.” That makes Ghost Calls a uniquely stubborn threat — one that demands architectural response rather than a quick update cycle.
The Camouflage: Why Collaboration Traffic Works So Well
Enterprise security teams have spent years carving out broad exceptions for real-time communication. Microsoft Teams alone requires UDP 3478–3481 and TCP 443 open to Microsoft’s 52.112.0.0/14 media subnet, while Zoom documentation lists UDP 3478–3479 and sprawling UDP ranges between 20000–64000 alongside TCP 5091. These rules exist because video and audio don’t tolerate the latency spikes introduced by intrusive inspection; quality suffers if every packet gets prodded. Attackers understand this dynamic intimately.
“When you see a persistent DTLS flow to a Teams relay IP at 3 a.m., most sensors will interpret it as a long meeting — not an exfiltration channel,” says the community analysis. “That’s exactly the assumption Ghost Calls exploits.” The WebRTC media underlying these platforms is encrypted end-to-end with AES or similar strong ciphers, so even if an appliance captures the packets, the payload remains opaque. From a defender’s viewpoint, the traffic looks like ordinary video frames and audio samples, not malicious beacons.
This camouflage layer is further reinforced by the reputation of the source infrastructure. Attackers no longer need to register suspicious domains or stand up cloud servers that threat intelligence feeds can sinkhole. Instead, they piggyback on Microsoft’s and Zoom’s own transport relays — IP addresses that by definition belong on allowlists. “You’re not going to block Teams media if you want your CEO’s all-hands to work,” one forum commenter noted. “So the attacker’s pipe stays lit until someone correlates it with meeting logs.”
How Ghost Calls Operates Step by Step
Ghost Calls isn’t an initial access vector; it’s an evasion and persistence mechanism that assumes the attacker already has code execution on a compromised Windows endpoint. Once that foothold is established, the attack unfolds in three stages:
-
Credential Hijacking. When Microsoft Teams or Zoom joins a meeting, the client receives time-bound TURN credentials — a username, password, and relay address — that permit it to allocate a public relay port through which media will flow. These credentials are stored in memory or config files on the local machine. An attacker with elevated privileges (or the ability to inject into the meeting process) can extract them silently. Praetorian’s research indicates that in some configurations, those credentials remain valid for two to three days, though actual lifetimes vary by provider and tenant settings.
-
Tunnel Construction. With valid credentials in hand, the attacker’s tool — Praetorian’s proof-of-concept utility called TURNt — connects to the conferencing provider’s TURN server, authenticates, and creates a long-lived allocation. Unlike a normal meeting, this allocation isn’t paired with any scheduled call; it simply holds open a relay channel that becomes a bidirectional data pipe. On the victim side, a “relay” component binds a local SOCKS proxy to this allocation; on the attacker’s side, a controller routes C2 traffic through the same allocation, completing the tunnel.
-
Operational Exploitation. The tunnel now supports arbitrary TCP/UDP forwarding, giving the attacker a low-latency link to the compromised host for interactive command shells, file transfer, lateral movement via RDP or VNC, and data exfiltration — all transiting the same infrastructure that HR uses for onboarding sessions. “We demonstrated live VNC over a Zoom TURN relay at Black Hat,” the researchers told TechRadar. “It was indistinguishable from normal screen sharing.”
The Protocol Engine: TURN and Why It’s Central
TURN (Traversal Using Relays around NAT) is defined in IETF RFC 8656 and serves as the fallback when peer-to-peer connectivity fails. It allocates a public relay address, authenticates the client, and then forwards packets to a designated peer. Allocations carry permissions, channel bindings, and an expiration timer, but once granted, they allow arbitrary data — there’s no deep content inspection built into the standard. “The protocol treats any conforming payload as opaque,” the research notes. “That’s by design, because media packets can be anything from VP8 frames to SCTP data channels.”
Ghost Calls doesn’t violate the TURN specification. It uses the protocol exactly as intended: obtain valid credentials, create an allocation, send data. The only difference is the nature of that data — C2 beacons instead of H.264 nal units.
Strengths That Make Ghost Calls Potent
Multiple factors combine to turn this technique into a formidable evasion tool:
- Stealth by Association. Source and destination IPs are all “known good” vendor networks. There’s no domain generation algorithm to detect, no newly registered domains to track.
- Encapsulated Encryption. WebRTC media is already encrypted, so even if defenders break TLS inspection on port 443, they’ll see another layer of DTLS or SRTP inside — double-wrapped, legitimate-looking ciphertext.
- Performance. Enterprise TURN relays are engineered for sub-second latency to support real-time voice and video. That means C2 commands and exfiltration happen at team-meeting speeds, not the throttled rates of typical HTTP beaconing.
- Infrastructure Absorption. Attackers don’t need to maintain their own command servers, which reduces operational cost and complicates attribution.
Real-World Validation and the Mitigation Gap
Praetorian’s findings have been corroborated by multiple outlets, including SC Media and TechRadar, and the team released TURNt on GitHub to allow defenders to test their environments. At the time of publication, neither Microsoft nor Zoom had issued specific countermeasures for the core technique.
Zoom did ship a partial mitigation: the platform now restricts TURN relays to pairing a client with a media server, disabling direct peer-to-peer relay connections that could be abused for arbitrary tunnels. However, that safeguard only applies in architectures where TURN isn’t needed for P2P fallback. “We haven’t tested whether workarounds exist in this constrained model,” the researchers cautioned, leaving the door open for adaptive evasion.
Microsoft, which hosts tens of thousands of TURN relays across Azure regions, has yet to announce any binding of credentials to specific meeting contexts or device fingerprints. The current model issues credentials valid for multiple days, scoped broadly enough that a single session ticket can be reused outside the original call.
Weaknesses and Detection Opportunities
Despite its potency, Ghost Calls isn’t invisible to a well-instrumented defense:
- Credential Expiration. TURN allocations are finite. If the attacker cannot continually harvest fresh credentials — for example, by reinfecting or maintaining persistent access to the meeting client — the tunnel will time out. In environments with tight session monitoring, losing a tunnel mid-operation could be noisy.
- Meeting-to-Media Correlation. Microsoft Graph’s callRecords API provides rich metadata about every call, including participants, start/stop times, and media modalities. Correlating long-lived TURN flows against that telemetry can reveal “ghost” sessions — network flows with no corresponding call record. “If a Teams relay sees a DTLS channel open for four hours but Graph shows the last meeting ended three hours ago, you’ve got a smoking gun,” explains the windowsnews.ai forum analysis.
- Protocol Anomalies. Although the payload is encrypted, STUN/TURN message patterns can betray the tunnel. A legitimate meeting generates a flurry of binding requests, channel refresh messages, and periodic re-allocations. A C2 tunnel may show a single long-lived allocation carrying predominantly data channel traffic rather than media — a statistical fingerprint that perimeter sensors can flag.
- Process Scoping. Application control policies (AppLocker or Windows Defender Application Control) can limit which executables are allowed to open UDP sockets to Teams/Zoom media IP ranges. If a malware dropper tries to use those ports, the operating system can block it at the kernel level, independent of the attacker’s access to the original TURN credentials.
What Windows Administrators Must Do Now
Defenders can’t wait for the platforms to solve this problem, because the mechanism isn’t a bug — it’s a feature that businesses rely on. The following steps embed detection and prevention into the enterprise architecture:
1. Precision Egress Filtering
Replace broad “allow all” rules for Teams and Zoom with scoped IP-range pinning based on official vendor documentation. For Teams, explicitly restrict UDP 3478–3481 and TCP 443 to Microsoft’s media subnet 52.112.0.0/14 and the documented Transport Relay IPs. For Zoom, pin UDP 3478–3479, TCP 443/5091, and the wide media UDP range to Zoom’s published IP ranges — avoiding catch-all domain rules where possible. This shrinks the attack surface while keeping meetings functional.
2. Program- and Process-Based Firewall Rules
Craft Windows Defender Firewall rules that go beyond port/protocol. Allow only the signed Teams.exe and Zoom.exe binaries to communicate with the collaboration media IP ranges. Any other process — beacon, shell, tunneling tool — that attempts to send UDP packets to those addresses should be blocked and generate an alert. This effectively decouples the attacker from the legitimate credentials they’ve stolen.
3. Meeting-Aware Network Monitoring
Ingest Microsoft Graph callRecords data into your SIEM or SOAR platform. For every Teams media flow detected at the egress point, check whether a corresponding call ID exists with overlapping time boundaries. If a flow persists beyond the meeting end time by more than a configurable threshold (e.g., 15 minutes), treat it as a high-fidelity incident. For Zoom, equivalent data may be available via the Reports/Meetings APIs.
4. TURN/STUN Anomaly Detection
Deploy network sensors capable of parsing STUN and TURN messages at the perimeter — commodity NDR tools or protocol decoders on Zeek can extract message types, lifetimes, and data channel characteristics. Alert on:
- TURN allocations that exceed typical meeting durations (e.g., >4 hours).
- Data channel bindings opened without concurrent multimedia allocations.
- Endpoints that are not typical meeting participants (servers, interactive logon hosts with long idle periods).
5. Endpoint Hardening
Because Ghost Calls is post-exploitation, raising the bar for initial compromise reduces its relevance. Disable external federation and unmanaged guest access in Teams if not required; enforce conditional access policies for all collaboration logins; use EDR to detect suspicious child processes spawning from meeting clients — for example, cmd.exe, powershell.exe, or makeshift SOCKS relays appearing as descendants of Teams.exe.
6. Shorten Leash on TURN Credentials
Advocate with Microsoft and Zoom (via support channels, technical account managers, or UserVoice) for shorter credential lifetimes and tighter session binding. Some enterprises already implement internal policy to bounce meeting processes periodically or to clear local browser/media caches, but these are workarounds, not fixes.
The Vendor Responsibility
Industry consensus — echoed in both the original research and subsequent analysis — is that collaboration platform providers must evolve their architectures. Specific improvements include:
- Bind TURN credentials to a meeting ID and device fingerprint so they cannot be reused outside the originating call or from a different host.
- Implement relay-side heuristics that distinguish media payloads from generic TCP/UDP tunneling. While encryption limits deep content inspection, traffic patterns (burstiness, packet sizes, inter-arrival jitter) differ measurably between video conferencing and C2 beaconing.
- Expose enterprise policy controls that allow per-tenant restriction of TURN usage to managed devices or designated relay regions, making anomalous traffic easier to baseline.
“This is a classic case of a feature being bigger than its intended use,” the windowsnews.ai community concluded. “The fix isn’t to break TURN — that would kill meetings for miles — but to add guardrails that make abuse too risky for the attacker.”
The Road Ahead for Windows Enterprises
Ghost Calls isn’t theoretical. Praetorian’s TURNt tool and the Black Hat demonstration confirm that any adversary with a toehold on a Windows endpoint can convert the corporate conferencing backbone into a stealthy control channel. The technique will likely be adopted by advanced persistent threat actors and ransomware groups alike, because it solves a long-standing problem: how to keep C2 alive in locked-down networks without custom infrastructure.
For defenders, the response must be layered: network segmentation that doesn’t blindly trust collaboration IPs, endpoint controls that prevent unauthorized processes from inheriting TURN sessions, and telemetry fusion that connects meeting records to wire data. Meeting recordings are now a security dataset, not just a productivity tool. Every unexplained flow should trigger a search for the ghost call that isn’t on the calendar.