Cybersecurity researchers have identified a ransomware group abusing Microsoft Teams relay infrastructure to hide its command-and-control (C2) communications. Routing C2 traffic through Teams relay servers makes it look like ordinary Teams activity, so it blends in with traffic most organizations already trust and allow, and security tools and analysts are far less likely to flag it. The discovery is another instance of threat actors hiding behind trusted platforms to avoid detection.

The activity has been attributed to the DragonForce ransomware operation, which researchers observed using Microsoft Teams relay servers as part of its attack chain. Rather than standing up its own C2 infrastructure, the group routed its traffic through servers belonging to a widely trusted business collaboration platform. That lets the operators keep their access to compromised environments with less risk of the traffic being blocked at the perimeter.

According to the researchers, this is how the attackers stayed hidden inside a targeted organization's network for an extended period. Because their traffic looked like normal Teams sessions, they could operate and move across the network without immediately raising alarms. Most organizations allow Teams traffic by default, so the activity received no closer inspection, and that bought the attackers time to expand their foothold.

Abusing relay infrastructure is especially troubling because it turns a service businesses rely on every day against them. Firewalls, proxies and similar controls are commonly configured to allow, and often to exempt from inspection, connections to major cloud services so that collaboration tools keep working, and attackers know it. An allowlist keyed on the destination says nothing about which host, user or process opened the connection, so a C2 session to a trusted endpoint passes the same check a real Teams call does. Defenders are left with the harder job of separating legitimate use of a service from malicious use of the very same endpoints.

The technique hides C2 communications inside flows that look legitimate. A C2 channel is how an attacker sends instructions to compromised devices and pulls back stolen data; when that channel rides on trusted infrastructure, connections that would normally stand out as anomalous look like routine Teams sessions, and security teams lose much of the visibility that detection depends on.

The findings reflect a broader trend in modern cybercrime: attackers increasingly abuse legitimate cloud services and collaboration platforms rather than building their own infrastructure. Using services that organizations already depend on helps them evade security controls, complicates investigations, because the malicious traffic is mixed with a large volume of legitimate traffic to the same provider, and reduces the cost of maintaining malicious infrastructure.

Security experts are urging organizations to improve monitoring of cloud and collaboration traffic. Trusted platforms remain essential for business operations, but they should not be treated as risk-free. Connections to a known cloud service still deserve attention to which host and process opened them, whether that host has any business using the service at all, and whether the timing and volume fit normal use. Establishing that visibility is what lets suspicious patterns surface that a purely destination-based allowlist would otherwise hide.
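The following is an added example of the kind of monitoring described above, written for this page; it is not code from the researchers who reported the campaign or from Microsoft. It runs a few simple checks over per-connection log records (a constructed sample is embedded) and flags hosts whose use of Teams relay endpoints does not look like a Teams client placing a call: a non-Teams process talking to a relay, a server-role host that should never run Teams talking to a relay, and relay sessions that recur at a suspiciously regular interval, which is typical of C2 beaconing rather than of human calls. The log schema, the Teams process names, the server hostname prefixes, and the relay IP ranges and UDP ports are all assumptions; the ranges and ports are taken from Microsoft's published Microsoft 365 endpoint list but should be replaced with the current values for your tenant before use.

```python
"""Hunt for non-Teams use of Microsoft Teams media relay endpoints in connection logs.

Added example for this article, not the researchers' or Microsoft's code. Every
threshold and list below is an assumption to be tuned for a real environment.
"""
import ipaddress
import statistics
from collections import defaultdict

# Assumed relay destinations: Teams media relay ranges and UDP ports as listed
# in Microsoft's published endpoint list. Verify against the current list.
RELAY_NETS = [ipaddress.ip_network(n) for n in ("52.112.0.0/14", "52.122.0.0/15")]
RELAY_PORTS = range(3478, 3482)  # 3478-3481

# Assumption: the process names a legitimate Teams client runs under on this fleet.
TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe", "msteams"}
# Assumption: hostname prefixes for servers that never run a Teams client.
NO_TEAMS_HOST_PREFIXES = ("dc", "srv", "sql")


def is_relay_dest(dst_ip: str, dst_port: int) -> bool:
    """True if the destination is a Teams media relay address on a relay port."""
    ip = ipaddress.ip_address(dst_ip)
    return dst_port in RELAY_PORTS and any(ip in net for net in RELAY_NETS)


def find_suspicious(records, beacon_min=4, jitter_max=0.2):
    """Return (host, rule, detail) findings for relay traffic that does not look like Teams.

    records: iterable of dicts with keys ts (epoch seconds), host, process, dst_ip, dst_port.
    beacon_min: minimum relay sessions per host before the periodicity check applies.
    jitter_max: flag as periodic when stdev(interval)/mean(interval) is below this.
    """
    findings = {}  # (host, rule) -> detail, so repeated hits collapse to one line
    per_host = defaultdict(list)

    for r in records:
        if not is_relay_dest(r["dst_ip"], r["dst_port"]):
            continue  # only relay-bound connections are of interest here
        per_host[r["host"]].append(r["ts"])
        if r["process"].lower() not in TEAMS_PROCESSES:
            findings.setdefault((r["host"], "non_teams_process"), r["process"])
        if r["host"].lower().startswith(NO_TEAMS_HOST_PREFIXES):
            findings.setdefault((r["host"], "server_to_relay"), r["dst_ip"])

    # Beaconing: a C2 implant tends to reconnect on a fixed timer; real calls do not.
    for host, stamps in per_host.items():
        if len(stamps) < beacon_min:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean < jitter_max:
            findings.setdefault((host, "periodic_relay_sessions"), f"~{mean:.0f}s interval")

    return sorted((host, rule, detail) for (host, rule), detail in findings.items())


# Constructed sample log: one benign workstation, one irregular workstation, one
# domain controller beaconing to a relay from a non-Teams binary (hypothetical name).
SAMPLE_LOG = [
    {"ts": 1000, "host": "ws-101", "process": "ms-teams.exe", "dst_ip": "52.112.10.5", "dst_port": 3478},
    {"ts": 4500, "host": "ws-101", "process": "ms-teams.exe", "dst_ip": "52.112.10.5", "dst_port": 3478},
    {"ts": 1200, "host": "ws-101", "process": "chrome.exe", "dst_ip": "142.250.1.1", "dst_port": 443},
    {"ts": 100, "host": "ws-202", "process": "ms-teams.exe", "dst_ip": "52.112.3.3", "dst_port": 3479},
    {"ts": 700, "host": "ws-202", "process": "ms-teams.exe", "dst_ip": "52.112.3.3", "dst_port": 3479},
    {"ts": 2300, "host": "ws-202", "process": "ms-teams.exe", "dst_ip": "52.112.3.3", "dst_port": 3479},
    {"ts": 2600, "host": "ws-202", "process": "ms-teams.exe", "dst_ip": "52.112.3.3", "dst_port": 3479},
    {"ts": 0, "host": "dc01", "process": "updater.exe", "dst_ip": "52.122.8.9", "dst_port": 3480},
    {"ts": 600, "host": "dc01", "process": "updater.exe", "dst_ip": "52.122.8.9", "dst_port": 3480},
    {"ts": 1200, "host": "dc01", "process": "updater.exe", "dst_ip": "52.122.8.9", "dst_port": 3480},
    {"ts": 1800, "host": "dc01", "process": "updater.exe", "dst_ip": "52.122.8.9", "dst_port": 3480},
    {"ts": 2400, "host": "dc01", "process": "updater.exe", "dst_ip": "52.122.8.9", "dst_port": 3480},
]

if __name__ == "__main__":
    for host, rule, detail in find_suspicious(SAMPLE_LOG):
        print(f"{host:8} {rule:26} {detail}")
```

On the sample, only dc01 is reported, on all three rules; ws-101 and ws-202 are legitimate clients whose session timing is irregular. The periodicity check is the weakest of the three and will misfire on automated call recordings or scheduled meetings, so treat it as a triage hint, and note that a destination allowlist alone would have passed every one of the dc01 connections.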

The discovery is a reminder that cybercriminals continually adapt their methods to bypass defenses. By abusing Microsoft Teams relay infrastructure, DragonForce showed how a trusted service can be turned into cover for an intrusion. Organizations should revisit detection strategies that rest on trusting a destination, and keep strengthening monitoring and response so they can keep pace as attackers move on to the next trusted platform.

Stay alert, and keep your security measures updated!

Source: cybersecurity88