The threat landscape has evolved once again with the confirmation that the DragonForce ransomware operation is actively abusing Microsoft Teams infrastructure for Command-and-Control (C2). Security researchers have identified a new Go-based unauthorized access mechanism designed to route malicious traffic through trusted Microsoft Teams relay servers.
For defenders, this represents a critical evasion shift. By leveraging a universally trusted SaaS platform, attackers bypass traditional network perimeter controls, SSL inspection, and IP-based blocking mechanisms. The traffic appears legitimate to firewalls and proxies, allowing the Go-based tool to maintain persistence and exfiltrate data or deploy ransomware payloads undetected. Immediate action is required to identify this anomalous usage of trusted channels within your environment.
Technical Analysis
Affected Platform: Microsoft Windows systems running the Microsoft Teams desktop client.
Threat Actor: DragonForce (Ransomware-as-a-Service).
Attack Mechanism: The attackers have developed a custom tool written in the Go programming language (Golang). This tool does not act as a standard malware beaconing to a hardcoded attacker-controlled IP address. Instead, it utilizes the Microsoft Teams infrastructure as a network relay.
- Initial Access: The exact vector (often phishing or valid credentials) grants the attacker a foothold.
- Deployment: The Go-based binary is deployed on the victim endpoint.
- C2 Relay: The binary initiates network connections to legitimate Microsoft Teams servers (
*.teams.microsoft.comor related endpoints). It likely abuses the web API or WebSocket protocols to retrieve commands from the attacker, who is effectively "hiding" behind the Microsoft cloud infrastructure. - Evasion: Because the destination is a trusted Microsoft domain, network security devices (NGFWs, DLP) often whitelist the traffic, allowing the C2 channel to blend in with normal business operations.
Exploitation Status: Confirmed active exploitation in the wild. No CVE is associated with this specific abuse, as it leverages trusted functionality rather than a software vulnerability in the traditional sense.
Detection & Response
To catch this threat, we must hunt for anomalies in process lineage and network behavior. Specifically, we are looking for non-standard processes communicating with Teams domains or the Teams client spawning unauthorized shells.
Sigma Rules
---
title: Potential C2 via Microsoft Teams by Non-Standard Process
id: 89d4c1e2-a5f3-4b2d-8c1e-1a2b3c4d5e6f
status: experimental
description: Detects potential malicious use of Microsoft Teams infrastructure for C2 by identifying non-Microsoft processes connecting to Teams endpoints. This tracks the behavior of the Go-based tool described in recent reports.
references:
- https://www.securityweek.com/microsoft-teams-relay-servers-abused-in-dragonforce-ransomware-attack/
author: Security Arsenal
date: 2026/04/06
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationHostname|contains:
- 'teams.microsoft.com'
- 'router.teams.microsoft.com'
InitiatingProcessFileName|notcontains:
- 'Teams.exe'
- 'msteams.exe'
- 'Microsoft.Teams.exe'
- 'ms-teams.exe'
condition: selection
falsepositives:
- Third-party plugins legitimately integrating with Teams APIs (rare)
- Custom internal scripts utilizing Teams webhooks
level: high
---
title: Suspicious Process Spawning from Microsoft Teams
description: Detects Microsoft Teams spawning suspicious child processes like PowerShell or CMD. This may indicate exploitation of the client or usage of Teams to launch the Go-based tool.
id: 2f3a4b5c-6d7e-8f9a-0b1c-2d3e4f5a6b7c
status: experimental
references:
- https://attack.mitre.org/techniques/T1059/
author: Security Arsenal
date: 2026/04/06
tags:
- attack.execution
- attack.t1059.003
logsource:
category: process_creation
product: windows
detection:
selection_parent:
ParentImage|contains:
- 'Teams.exe'
- 'msteams.exe'
- 'Microsoft.Teams.exe'
selection_child:
Image|endswith:
- '\powershell.exe'
- '\cmd.exe'
- '\wscript.exe'
- '\cscript.exe'
- '\regsvr32.exe'
condition: all of selection_*
falsepositives:
- Legitimate administration by IT staff using Teams-integrated tools
level: medium
KQL (Microsoft Sentinel / Defender)
// Hunt for processes connecting to Teams endpoints that are not the Teams client itself
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has "teams.microsoft.com"
| where InitiatingProcessFileName !in ("Teams.exe", "msteams.exe", "Microsoft.Teams.exe", "ms-teams.exe")
| project Timestamp, DeviceName, InitiatingProcessAccountId, InitiatingProcessFileName, InitiatingProcessCommandLine, RemoteUrl, RemotePort
// Optional: Filter for known suspicious extensions or unsigned binaries
| summarize count() by DeviceName, InitiatingProcessFileName
Velociraptor VQL
-- Hunt for unusual processes connecting to Teams domains
-- Analyzing network connections and process signatures
SELECT
Timestamp,
Pid,
Name AS ProcessName,
CommandLine,
Exe,
Username,
Endpoints.Address AS RemoteAddress
FROM chain(
pslist(),
foreach(row={
SELECT Pid
FROM netstat(pid=Pid)
WHERE RemoteAddress =~ '.*teams.microsoft.com.*'
})
)
WHERE Name !in ('Teams.exe', 'msteams.exe', 'Microsoft.Teams.exe')
Remediation Script (PowerShell)
# Script to Audit for Suspicious Teams Related Processes
# Requires Administrative Privileges
Write-Host "[+] Starting Audit for Microsoft Teams C2 Abuse..." -ForegroundColor Cyan
# Get processes connecting to Teams domains (requires netstat parsing as process-level network inspection is complex in pure PS)
# Here we focus on the process tree anomaly: Teams spawning shells
$suspiciousParents = @('Teams.exe', 'msteams.exe', 'Microsoft.Teams.exe')
$suspiciousChildren = @('powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'regsvr32.exe')
$processes = Get-WmiObject Win32_Process | Select-Object Name, ProcessId, ParentProcessId, CommandLine
foreach ($proc in $processes) {
if ($suspiciousChildren -contains $proc.Name) {
$parent = $processes | Where-Object { $_.ProcessId -eq $proc.ParentProcessId }
if ($parent -and $suspiciousParents -contains $parent.Name) {
Write-Host "[!] ALERT: Suspicious child process detected!" -ForegroundColor Red
Write-Host " Parent: $($parent.Name) (PID: $($parent.ProcessId))" -ForegroundColor Yellow
Write-Host " Child : $($proc.Name) (PID: $($proc.ProcessId))" -ForegroundColor Yellow
Write-Host " Command Line: $($proc.CommandLine)" -ForegroundColor Yellow
}
}
}
Write-Host "[+] Audit Complete." -ForegroundColor Cyan
Write-Host "[!] If alerts were found, investigate the specific PID and consider isolating the endpoint." -ForegroundColor Yellow
Remediation
Since this attack technique abuses trusted functionality rather than a specific software vulnerability (CVE), remediation relies on behavioral controls and configuration hardening.
- Isolate Compromised Hosts: If the detection rules above identify a specific machine engaging in this behavior, immediately isolate it from the network.
- Terminate Unauthorized Processes: Kill any non-standard Go-based binaries communicating with Teams infrastructure.
- Network Segmentation (Conditional Access):
- Implement Strict Conditional Access policies in Entra ID (formerly Azure AD) to limit Teams access to managed and compliant devices only.
- Restrict Teams usage to known managed locations if business operations permit.
- Application Control:
- Enforce AppLocker or Windows Defender Application Control (WDAC) policies to prevent unsigned binaries (like the custom Go tool described) from executing in user directories.
- User Education: Alert users to the risk of social engineering. Attackers often gain the initial access required to deploy these tools via phishing.
- Investigate Logs: Review Microsoft 365 audit logs for unusual sign-ins or API usage associated with the affected user accounts.
Related Resources
Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.