
Hackers Hide Malware Inside Microsoft Teams to Avoid Detection
DragonForce ransomware disguises its attack signals as normal Teams messages, fooling security systems at a major U.S. company.
Source
GetCyberRight Intelligence
Original headline: Teams Tunneling Myth
Plain-English summary by GetCyberRight. Read the full report at the source above.
What Just Happened
Cybercriminals from the DragonForce ransomware group created a backdoor that hides inside Microsoft Teams traffic. Security researchers at Symantec discovered this attack at a large U.S. services company. The hackers made their malicious communications look exactly like regular work messages, allowing them to control infected computers without triggering alarms.
The Details
Think of Microsoft Teams as a busy highway where millions of work conversations happen every day. Security systems have learned to trust this traffic because it's supposed to be employees chatting, sharing files, and holding video calls. DragonForce exploited this trust brilliantly.
The attackers built custom malware that sends its command signals through Teams relay servers. These are Microsoft's own infrastructure, designed to help Teams calls connect smoothly. When the backdoor "phones home" to receive instructions from hackers, it looks identical to a normal Teams session. Security tools see legitimate Microsoft traffic and wave it through.
This technique is called tunneling. The malware wraps its dangerous communications inside trusted app traffic. It's like hiding stolen goods inside an ambulance. Nobody stops an ambulance to check what's inside because we trust its purpose. The DragonForce attack succeeded because defenders trusted Teams traffic completely.
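One defensive check that follows from the tunneling description above, as an added example that is not from the Symantec report or from GetCyberRight: relay traffic should come from the Teams client itself, so connections to Teams relay ranges from any other process deserve a look. The relay ranges and process names are assumptions to verify against your own environment, and the log lines are constructed samples.

```python
import csv
import io
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumption: Teams media relay ranges. Refresh these from Microsoft's
# published Microsoft 365 endpoint list before relying on them.
TEAMS_RELAY_NETS = [ip_network("52.112.0.0/14"), ip_network("52.122.0.0/15")]

# Assumption: executables expected to reach the relays in this environment.
EXPECTED_PROCESSES = {"ms-teams.exe", "teams.exe", "msedgewebview2.exe"}

# Constructed endpoint telemetry (hosts and svchelper.exe are made up).
SAMPLE_LOG = """host,process,dst_ip,dst_port,proto
WS-014,ms-teams.exe,52.113.10.20,3478,udp
WS-014,chrome.exe,142.250.72.14,443,tcp
SRV-07,svchelper.exe,52.114.88.9,3478,udp
SRV-07,svchelper.exe,52.114.88.9,3478,udp
SRV-07,svchelper.exe,not-an-ip,3478,udp
WS-022,Teams.exe,52.123.1.5,3480,udp
"""

def is_teams_relay(ip):
    """True if ip parses and falls inside an assumed relay range."""
    try:
        addr = ip_address(ip)
    except ValueError:
        return False  # malformed field: skip rather than crash the sweep
    return any(addr in net for net in TEAMS_RELAY_NETS)

def find_suspect_relay_clients(log_text):
    """Count relay connections per (host, process) from unexpected processes."""
    hits = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if not is_teams_relay(row["dst_ip"]):
            continue
        # Name matching alone is spoofable; pair it with path and
        # signature checks in a real deployment.
        if row["process"].lower() in EXPECTED_PROCESSES:
            continue
        hits[(row["host"], row["process"])] += 1
    return dict(hits)

if __name__ == "__main__":
    for (host, proc), n in find_suspect_relay_clients(SAMPLE_LOG).items():
        print(f"{host}: {proc} made {n} connection(s) to Teams relay ranges")
```

A hit is a lead for investigation, not proof of compromise: browsers running Teams on the web and other Microsoft clients can also reach these ranges.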
Who Is Affected
This matters most to working professionals whose companies use Microsoft Teams. If your workplace relies on Teams for daily communication, your employer's security team needs to know about this threat. The attack targeted an enterprise environment, not home users.
IT and security professionals should pay especially close attention. This represents a shift in how ransomware groups operate. They're moving beyond simple phishing emails to sophisticated infrastructure abuse. Any organization using Teams, which includes millions of businesses worldwide, faces this potential blind spot in its defenses.
What You Should Do Right Now
Alert your workplace IT or security team about this threat if you work somewhere using Microsoft Teams. Forward this article or mention DragonForce by name so they can research defenses.
Watch for unusual Teams behavior like the app running when you haven't opened it, unexpected data usage, or Teams launching at startup when it didn't before. Report anything strange to IT immediately.
Keep Teams updated to the latest version on all your work devices. Microsoft regularly patches security issues, and updates help close exploitation opportunities.
Review what programs have permission to integrate with your Teams account. Go to Settings in Teams and check connected apps. Remove anything unfamiliar or unused.
Use multi-factor authentication (MFA) for your Microsoft 365 account if your employer offers it. This won't stop the tunneling technique, but it helps prevent the initial account compromise that could lead to malware installation.
The Bigger Picture
Cybercriminals are getting smarter about blending into normal internet traffic. They're weaponizing the tools we trust most: Zoom, Slack, and now Teams. This trend means traditional security approaches that simply trust popular business apps no longer work. Staying informed about these evolving tactics helps you spot warning signs early and push for better protections at work and home.
How GetCyberRight Can Help
Our Cyber Threat Radar tool tracks exactly these kinds of emerging enterprise threats. It monitors when ransomware groups start weaponizing trusted business tools like Microsoft Teams. You'll get early warnings about techniques moving from underground forums to active attacks, giving you time to prepare and protect your workplace before criminals strike your organization.