Microsoft Teams Servers Abused in Ransomware Attack
The DragonForce ransomware gang has drawn attention by using Microsoft's trusted Teams infrastructure as a command-and-control server to evade cybersecurity defenses.
What Happened
The cybersecurity world is once again abuzz with news that demonstrates just how creative and audacious attackers can be. The ransomware group known as DragonForce has employed an unconventional method in its latest attacks, abusing Microsoft Teams' server infrastructure. This development shows that cybercriminals are no longer just infiltrating systems but are also turning the digital communication tools we trust most into weapons. The incident came to public attention on June 17, 2026, through reports from cybersecurity firms.
Essentially, what happened is this: the attackers used the infrastructure that millions of people normally use for video conferencing and messaging as a cover to hide and relay their commands within a compromised network. This is a nightmare scenario for security software. Under normal circumstances, a firewall or antivirus program would label traffic going to Microsoft's own servers as "safe" and "legitimate." The attackers are exploiting this very trust. In cybersecurity terms, this method is called "Living Off the Land" (LOTL). Criminals use legitimate tools and services already present on the target system to conceal themselves. This allows them to leave fewer traces and makes them much harder to detect.
What Data Was Compromised
As of now, there has been no clear information shared about what specific data was stolen or encrypted in this attack. The identity of the targeted organization is also being kept confidential for the time being. However, looking at the general modus operandi of ransomware groups like DragonForce, we know that the target is usually valuable information. In such attacks, criminals first encrypt critical files to halt the company's operations. Then, to increase the pressure to pay the ransom, they threaten to publish the sensitive data they stole before encryption. This data often includes:
- Customer information (names, addresses, contact details)
- Employees' personal data
- Financial reports, balance sheets, and bank account details
- Intellectual property, trade secrets, and product designs
- Strategic documents such as board meeting minutes
What happens to the data usually depends on whether the victim organization pays the ransom and on the goodwill of the attackers. Even when the ransom is paid, there is often no guarantee that the data will be returned or that it will not be leaked.
How Did the Attack Happen
The technical details of the attack are not yet fully understood; in particular, how the attackers initially breached the network remains unclear. The most striking part, however, is what they did after infiltration. According to reports, DragonForce used Microsoft Teams' relay servers as a Command and Control (C2 or C&C) center.
So, what does this mean? Malware that infiltrates a network needs to communicate with the attacker outside. Through this communication channel, the attacker sends commands to the malware, such as "encrypt these files," "exfiltrate this data," or "spread to other machines on the network." The servers that facilitate this communication are called Command and Control servers. Normally, cybersecurity systems quickly detect and block traffic to known malicious C2 servers.
But what DragonForce did is both ingenious and alarming. Instead of setting up their own C2 servers, they routed their traffic through Microsoft Teams' legitimate servers. When security systems inspected the outgoing traffic, they likely saw a trusted destination like "teams.microsoft.com" and didn't raise an alarm. This allowed the attackers to send commands and steal data as they pleased through an encrypted and legitimate-looking tunnel. This tactic painfully demonstrates how easily traditional network security controls can be bypassed.
Who Was Affected
Currently, the identity of the organization affected by the attack has not been disclosed to the public. However, such advanced attack techniques can be used either against a specific target or opportunistically against any organization seen as a weak link. For financially motivated groups like DragonForce, there is little distinction between sectors. Any organization that holds valuable data and would suffer significant losses if its operations were halted is a potential target, whether in finance, healthcare, education, manufacturing, or the public sector.
The most important takeaway from this incident is that any company using widely adopted platforms like Microsoft Teams is potentially at risk. Attackers are no longer just targeting your infrastructure; they are also abusing the infrastructure of trusted third-party services to reach you. Therefore, regardless of your industry, it is wisest to assume you could be the victim of a similar attack. Recent Data Breach News shows a growing trend of such supply-chain and trusted-third-party abuses.
What Can You Do
Protecting against such sophisticated attacks requires much more than just installing antivirus software. Here are some crucial measures that organizations and individuals can take:
- Deep Packet Inspection and Traffic Analysis: Instead of simply allowing traffic based on its destination, analyze the nature of the traffic. Is the traffic to Microsoft servers normal? Is a user's machine sending gigabytes of data to Teams servers in the middle of the night? Using advanced network monitoring tools that can detect such anomalies is critical.
- Adopt a Zero Trust Model: The old mantra of "trust everything inside, be suspicious of everything outside" is no longer valid. The Zero Trust model requires that every access request, whether from inside or outside the network, be authenticated and authorized. No user or device is trusted by default.
- Endpoint Detection and Response (EDR/XDR) Solutions: Even if attackers bypass the network, the place where they execute their actions is the employees' computers (endpoints). EDR and XDR solutions can detect suspicious behaviors on these devices (e.g., a Word document suddenly trying to access other files on the network) and stop the attack before it begins.
- Proactive Threat Hunting: Don't wait for the alarms to go off. Your security teams should be actively searching for signs of attackers in your network and systems. This means manually investigating anomalies like unusual network connections, suspicious processes, or unexpected configuration changes.
- Have an Incident Response Plan: Despite the best defenses, an attack can still happen. Make sure you have a clear plan that outlines what to do, who to contact, how to isolate systems, and how to continue operations in such an event.
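The traffic-analysis measure above (judging traffic to a trusted destination by its behaviour rather than its domain) can be illustrated with a small baselining script. This is an added example, not code from the article or from any vendor; the proxy log format, host names, the 00:00-05:59 quiet window and the 20x median threshold are all constructed assumptions.

```python
# Added example: flag hosts whose traffic to trusted Microsoft Teams domains
# deviates from their own baseline (off-hours activity or a volume spike).
from collections import defaultdict
from datetime import datetime

# Constructed proxy log lines: "<timestamp> <src_host> <dest_domain> <bytes_out>"
SAMPLE_LOG = """\
2026-06-16T09:12:01 ws-finance-07 teams.microsoft.com 48211
2026-06-16T10:40:13 ws-finance-07 teams.microsoft.com 51903
2026-06-16T14:05:44 ws-finance-07 teams.microsoft.com 47780
2026-06-16T11:02:09 ws-hr-03 teams.microsoft.com 39044
2026-06-16T15:31:57 ws-hr-03 teams.microsoft.com 42510
2026-06-17T02:47:20 ws-finance-07 teams.microsoft.com 2147483648
"""

TEAMS_DOMAINS = {"teams.microsoft.com"}   # trusted destinations worth baselining
OFF_HOURS = range(0, 6)                   # assumed quiet window: 00:00-05:59
VOLUME_FACTOR = 20                        # flag >= 20x the host's median bytes

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        ts, host, domain, nbytes = line.split()
        if domain in TEAMS_DOMAINS:
            events.append((datetime.fromisoformat(ts), host, int(nbytes)))
    return events

def median(values):
    # Median rather than mean so a single huge upload does not drag the baseline up
    s = sorted(values)
    mid = len(s) // 2
    return s[mid] if len(s) % 2 else (s[mid - 1] + s[mid]) / 2

def find_anomalies(log_text):
    """Return (host, timestamp, bytes, reasons) for events that deviate from that host's baseline."""
    events = parse(log_text)
    per_host = defaultdict(list)
    for ts, host, nbytes in events:
        per_host[host].append(nbytes)
    baseline = {h: median(v) for h, v in per_host.items()}
    hits = []
    for ts, host, nbytes in events:
        reasons = []
        if ts.hour in OFF_HOURS:
            reasons.append("off-hours")
        if nbytes >= VOLUME_FACTOR * baseline[host]:
            reasons.append("volume spike")
        if reasons:
            hits.append((host, ts.isoformat(), nbytes, reasons))
    return hits
```

On the constructed sample, only the 2 GB night-time upload from ws-finance-07 is flagged; the same destination domain appears in every line, so a destination-only allow rule would have passed all of them.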
What Is the Company Saying
As of the time of writing on June 17, 2026, Microsoft has not made an official comment or statement regarding the abuse of its Teams infrastructure in this specific attack. Typically, in such situations, Microsoft engages its own security teams to investigate the matter and prevent similar incidents in the future. There has also been no press release from the unnamed company that was attacked. More detailed information from both parties is expected in the coming days.
Source
https://www.securityweek.com/microsoft-teams-relay-servers-abused-in-dragonforce-ransomware-attack/