
Microsoft Teams, one of the most widely used communication and collaboration platforms in the corporate world, has become the center of a growing cybersecurity controversy. Recent findings by security researchers suggest that cybercriminals are exploiting the platform’s infrastructure to conceal malicious activities, raising concerns about how trusted business applications can be misused by threat actors.
According to cybersecurity researchers from Symantec and Carbon Black, the notorious DragonForce ransomware group has been observed using a sophisticated malware technique that leverages Microsoft Teams as part of its command-and-control (C2) communications. Command-and-control channels are essential for cybercriminals because they allow malware deployed on infected systems to receive instructions, transfer stolen data, and communicate with attackers remotely.
What makes this latest development particularly concerning is the group’s use of Microsoft Teams Relay services to hide its communications. By routing malicious traffic through a legitimate and widely trusted enterprise platform, attackers can make their activities appear as normal business-related network traffic. This significantly reduces the chances of detection by conventional security monitoring tools, which often trust communications associated with popular cloud-based services.
The DragonForce ransomware operation has gained attention in recent years for targeting organizations across various sectors. Like many modern ransomware groups, it employs advanced techniques to infiltrate networks, encrypt critical data, and demand ransom payments in exchange for restoring access. However, the group’s latest tactic demonstrates how cybercriminals continue to evolve their methods by abusing legitimate technology services rather than relying solely on dedicated malicious infrastructure.
Researchers explained that the malware’s use of Microsoft Teams Relay enables attackers to maintain anonymous communication channels while blending in with normal corporate traffic. Since Microsoft Teams is extensively used by businesses worldwide for messaging, video conferencing, and file sharing, blocking or restricting its traffic is often impractical for organizations. This creates an attractive opportunity for threat actors seeking to bypass security controls.
The discovery also highlights a broader trend in cybersecurity known as “living off trusted services,” where attackers exploit reputable cloud platforms and enterprise applications to conduct malicious operations. Similar tactics have previously been observed with services such as cloud storage providers, collaboration tools, and social media platforms. By hiding behind trusted brands and legitimate infrastructure, cybercriminals can increase the effectiveness of their attacks while reducing the likelihood of immediate detection.
While there is currently no indication that Microsoft Teams itself has been compromised, the incident demonstrates how legitimate software ecosystems can be abused by threat actors. Security experts are urging organizations to strengthen monitoring of cloud-based applications, implement advanced threat detection solutions, and educate employees about emerging cyber risks.
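One way to act on that monitoring advice, as an added example that is not taken from the Symantec and Carbon Black research: flag processes other than the expected Teams clients that connect to Teams media relay address ranges. The relay ranges (as published in Microsoft's Microsoft 365 endpoint list), the process allowlist, the log layout and every sample record are assumptions made for this illustration.

```python
import csv
import io
import ipaddress
from collections import Counter

# Assumption: media relay ranges from Microsoft's published Microsoft 365
# endpoint list; refresh them from the current list before relying on this.
TEAMS_RELAY_NETS = [ipaddress.ip_network(n) for n in ("52.112.0.0/14", "52.122.0.0/15")]
# Assumption: process images expected to reach the relay in this environment.
EXPECTED_IMAGES = {"ms-teams.exe", "teams.exe", "msedgewebview2.exe", "msedge.exe", "chrome.exe"}

# Constructed sample of process-attributed connection events (not real telemetry).
SAMPLE_LOG = r"""host,image,dest_ip,dest_port,proto
WS-014,C:\Program Files\WindowsApps\MSTeams\ms-teams.exe,52.114.10.20,3478,udp
WS-014,C:\Users\amy\AppData\Local\Temp\svcupd.exe,52.113.200.7,3478,udp
WS-014,C:\Users\amy\AppData\Local\Temp\svcupd.exe,52.113.200.7,443,tcp
SRV-DB02,C:\Windows\System32\rundll32.exe,52.122.4.9,3479,udp
WS-031,C:\Program Files\Google\Chrome\Application\chrome.exe,93.184.216.34,443,tcp
"""

def is_teams_relay(ip: str) -> bool:
    """True when the destination falls inside a configured relay range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TEAMS_RELAY_NETS)

def image_name(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX style image path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def unexpected_relay_clients(log_text: str) -> Counter:
    """Count relay connections per (host, image) made by non-allowlisted processes."""
    hits = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        try:
            relay = is_teams_relay(row["dest_ip"])
        except ValueError:
            continue  # skip records with a malformed address field
        if relay and image_name(row["image"]) not in EXPECTED_IMAGES:
            hits[(row["host"], row["image"])] += 1
    return hits

if __name__ == "__main__":
    for (host, image), n in unexpected_relay_clients(SAMPLE_LOG).most_common():
        print(f"{host}: {image} made {n} connection(s) to Teams relay ranges")
```

Matching on file name alone is weak, since a binary can be named like a Teams client; in production, pair the allowlist with the image's install path and code-signing publisher.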
The findings from Symantec and Carbon Black serve as a reminder that cybersecurity threats continue to evolve alongside technology. As businesses increasingly rely on cloud-based collaboration platforms such as Microsoft Teams, security teams must remain vigilant against innovative attack methods that exploit the trust placed in widely used digital services.















