What Happened
Symantec researchers disclosed that the DragonForce ransomware group deployed a custom Go-based backdoor named Backdoor.Turn in an attack against a major US services company. The backdoor abuses the Traversal Using Relays around NAT (TURN) protocol built into Microsoft Teams, which the platform uses to relay messages when direct peer connections are unavailable.
To establish communications, Backdoor.Turn obtains an anonymous Teams visitor token from Microsoft’s Skype-backed identity services, registers with a legitimate Microsoft TURN relay, and then runs a QUIC session to the attacker’s actual command-and-control server through that relay. From a network monitoring perspective, all outbound connections resolve to legitimate Microsoft infrastructure, not attacker-controlled IPs.
The backdoor supports a full post-exploitation toolkit: command execution, network scanning, Active Directory enumeration, credential harvesting, and lateral movement. DragonForce, active since at least 2023 and linked to the Scattered Spider group, adopted a cartel-style structure in 2024 and has significantly expanded its operations since.
Source: BleepingComputer / Help Net Security
Why This Matters for Canadian Organizations
Microsoft Teams is one of the most widely deployed collaboration platforms in Canadian enterprises, federal departments, provincial governments, and regulated sectors including financial services and healthcare. Because Backdoor.Turn routes all attacker traffic through authentic Microsoft relay addresses, conventional network security tools — firewall logs, proxy inspection, DNS monitoring — will log the activity as normal Teams traffic. This defeats the most common detection layer organizations rely on for command-and-control identification.
Under OSFI Guideline B-13, federally regulated financial institutions must maintain network visibility and detect anomalous internal activity. Under Canada’s PIPEDA and its provincial equivalents, a ransomware attack leading to data exfiltration triggers breach notification obligations. The use of trusted infrastructure as an evasion layer extends the attacker’s dwell time, increasing the volume of data at risk before detection occurs. Canadian security teams with DragonForce indicators from earlier campaigns — including the Trican Well Service attack in June 2026 — should treat this new technique as a significant escalation in operational security sophistication.
What to Do
Network monitoring teams should augment IP-based detection with behavioural analytics: look for unusual Teams token acquisition patterns, anomalous QUIC session volumes to Microsoft relay addresses, and off-hours Teams relay activity from endpoints not registered to active user sessions. Endpoint detection remains the most reliable layer here: Backdoor.Turn artifacts on disk and in memory are detectable by behavioural EDR rules even when network traffic is masked. Organizations using Symantec Endpoint Security should check for the Backdoor.Turn signatures released alongside this disclosure. Incident response teams should also review whether Backdoor.Turn's Active Directory enumeration and credential harvesting capabilities have already been used for DragonForce reconnaissance in environments running Microsoft Teams at scale.
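The three behavioural checks above, as an added example that is not code from Symantec, the cited articles or any vendor product. It runs over a constructed flow log; the relay range, the set of hosts with active Teams sessions, the business-hours window and the per-hour baseline are all assumptions to be replaced with real telemetry and Microsoft's published relay ranges.

```python
from collections import Counter
from datetime import datetime
from ipaddress import ip_address, ip_network

# Placeholder relay range (TEST-NET-2, RFC 5737); a production rule would instead
# load Microsoft's published Teams/Skype relay IP ranges.
RELAY_RANGES = [ip_network("198.51.100.0/24")]
# Constructed set of hosts with an interactive Teams user session (from identity/EDR data).
ACTIVE_TEAMS_HOSTS = {"wks-0142", "wks-0207"}
BUSINESS_HOURS = range(7, 20)        # 07:00-19:59 local; assumed window
BASELINE_SESSIONS_PER_HOUR = 5       # assumed per-host norm; tune from real baselines

# Constructed UDP flow records: "<ISO timestamp> <host> <dst_ip>"
SAMPLE_FLOWS = """\
2026-06-12T10:03:11 wks-0142 198.51.100.17
2026-06-12T10:04:30 wks-0207 198.51.100.22
2026-06-12T10:05:02 wks-0142 203.0.113.8
2026-06-12T02:15:02 srv-fs01 198.51.100.9
""" + "\n".join(f"2026-06-12T14:{m:02d}:00 wks-0142 198.51.100.31" for m in range(6))

def is_relay(dst):
    """True when the destination falls inside a known relay range."""
    ip = ip_address(dst)
    return any(ip in net for net in RELAY_RANGES)

def analyze(flow_text):
    """Return sorted (host, reason) pairs for relay traffic that breaks the expected pattern."""
    findings = set()
    per_hour = Counter()
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        ts, host, dst = line.split()
        if not is_relay(dst):
            continue                      # only relay-bound flows are in scope
        when = datetime.fromisoformat(ts)
        if host not in ACTIVE_TEAMS_HOSTS:
            findings.add((host, "relay-without-user-session"))
        if when.hour not in BUSINESS_HOURS:
            findings.add((host, "off-hours-relay"))
        per_hour[(host, when.strftime("%Y-%m-%dT%H"))] += 1
    for (host, hour), n in per_hour.items():
        if n > BASELINE_SESSIONS_PER_HOUR:   # volume spike relative to the assumed baseline
            findings.add((host, f"relay-session-volume:{hour}:{n}"))
    return sorted(findings)

if __name__ == "__main__":
    for host, reason in analyze(SAMPLE_FLOWS):
        print(host, reason)
```

The file server with no Teams user at 02:15 and the workstation opening six relay sessions in one hour are the two hosts worth a second look; a legitimate client during business hours produces no finding.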