DragonForce Hackers Abuse Microsoft Teams Relays to Hide Backdoor Traffic

Cybersecurity researchers have uncovered a concerning new tactic employed by the notorious DragonForce hacking group. The group has been found abusing Microsoft Teams’ built-in relay functionality to conceal their malicious backdoor traffic, making it harder for security teams to detect and mitigate their attacks.

DragonForce Exploits Microsoft Teams Relays

According to a report from NetworkUstad’s cybersecurity division, DragonForce hackers have been using the legitimate communication channels within Microsoft Teams to mask their command-and-control (C2) traffic. By routing their malware’s network communications through the Teams relay infrastructure, the attackers are able to blend in with normal collaboration and file-sharing activity, evading traditional security monitoring and detection methods.

Hiding Backdoors in Plain Sight

The researchers explained that DragonForce’s tactics involve infecting target systems with a custom backdoor that is capable of establishing an outbound connection to the hackers’ own C2 servers. However, instead of directly communicating with these servers, the malware is programmed to relay the traffic through the Microsoft Teams network, making it appear as legitimate collaboration data.

Impact on Enterprise Security

This abuse of Microsoft Teams’ built-in functionality poses a significant challenge for enterprise security teams. Many organizations have come to rely on Teams as a core productivity and communication tool, and securing these collaboration platforms has become a top priority. By hijacking the trust placed in Teams, DragonForce is able to bypass security controls and maintain persistent access to infected systems.

Recommendations for Defenders

Cybersecurity experts advise organizations to closely monitor and audit their Microsoft Teams deployments, looking for any suspicious traffic patterns or anomalous behavior that could indicate the presence of DragonForce’s backdoor. They recommend using reliable endpoint protection, network segmentation, and user awareness training to mitigate the risks posed by this new attack vector.
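
One way to act on the monitoring advice above is to flag endpoints where a process other than the Teams client talks to Teams relay addresses. The following is an added example, not code from the report or from Microsoft. It assumes the relay ranges and ports from Microsoft's published Microsoft 365 endpoint list (verify against the current list), an environment-specific allowlist of Teams process names, and a constructed CSV export of endpoint network telemetry.

```python
import csv
import io
import ipaddress

# Assumption: Teams media relay ranges and UDP ports taken from Microsoft's
# published Microsoft 365 endpoint list; confirm against the current list.
TEAMS_RELAY_NETS = [ipaddress.ip_network(n) for n in ("52.112.0.0/14", "52.122.0.0/15")]
TEAMS_RELAY_UDP_PORTS = range(3478, 3482)  # UDP 3478-3481

# Assumption: processes expected to reach the relays in this environment.
EXPECTED_PROCESSES = {"ms-teams.exe", "teams.exe", "msedgewebview2.exe"}

# Constructed sample telemetry (hosts, processes and addresses are illustrative).
SAMPLE_LOG = """host,process,proto,dst_ip,dst_port
ws-014,ms-teams.exe,udp,52.114.10.20,3479
ws-014,chrome.exe,tcp,93.184.216.34,443
ws-027,svchost_update.exe,udp,52.113.200.5,3478
ws-027,svchost_update.exe,tcp,52.123.1.9,443
ws-031,Teams.exe,udp,52.112.44.7,3480
"""


def is_teams_relay(dst_ip, proto, dst_port):
    """True if the flow looks like Teams relay traffic by address and port."""
    addr = ipaddress.ip_address(dst_ip)
    if not any(addr in net for net in TEAMS_RELAY_NETS):
        return False
    # Media normally uses UDP 3478-3481; TCP 443 is treated as the fallback path.
    return (proto == "udp" and dst_port in TEAMS_RELAY_UDP_PORTS) or (
        proto == "tcp" and dst_port == 443
    )


def find_unexpected_relay_clients(log_text):
    """Return (host, process, dst_ip, dst_port) for relay flows from non-Teams processes."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        port = int(row["dst_port"])
        if not is_teams_relay(row["dst_ip"], row["proto"].lower(), port):
            continue
        if row["process"].lower() not in EXPECTED_PROCESSES:
            findings.append((row["host"], row["process"], row["dst_ip"], port))
    return findings


if __name__ == "__main__":
    for finding in find_unexpected_relay_clients(SAMPLE_LOG):
        print("unexpected Teams relay client:", finding)
```

Browsers used for the Teams web client will also reach these ranges, so the allowlist needs tuning per environment before findings are treated as alerts.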

Ongoing Investigations and Mitigation Efforts

NetworkUstad has reached out to Microsoft for comment on the issue, and the company has confirmed that it is actively investigating the matter and working on potential solutions to address the abuse of Teams’ relay functionality. Meanwhile, cybersecurity firms and law enforcement agencies are collaborating to track down and disrupt the DragonForce hacking group’s operations.

Frequently Asked Questions

How do DragonForce hackers abuse Microsoft Teams relays?

DragonForce hackers abuse Microsoft Teams relays to hide their backdoor traffic and evade detection. They leverage the Teams relay functionality to mask the origin and destination of their malicious network communications, making it harder for security teams to identify and block the threat.

What is the DragonForce hacking group?

The DragonForce hacking group is a sophisticated threat actor known for targeting organizations with advanced persistent threat (APT) attacks. They employ various techniques, including the abuse of Microsoft Teams relays, to infiltrate networks and maintain persistent access for data exfiltration and further malicious activities.

Why do DragonForce hackers target Microsoft Teams relays?

DragonForce hackers target Microsoft Teams relays because the relay functionality can be abused to hide their backdoor traffic and evade detection. By routing their malicious communications through the legitimate Teams infrastructure, they can make it challenging for security teams to identify and block the threat actor's activities.

Which tools or techniques do DragonForce hackers use to abuse Microsoft Teams relays?

DragonForce hackers leverage a combination of tools and techniques to abuse Microsoft Teams relays, including custom malware, network traffic manipulation, and exploitation of vulnerabilities in the Teams platform. These tactics allow them to establish a covert communication channel and maintain persistent access to the compromised systems.

Author: Sara Ahmad
