Security 📅 2026-06-18 · 02:26 PM IST ⏱ 2 min read

Attackers Hide Malware Communications Inside Microsoft Teams to Evade Detection

Cybercriminals exploit trusted Teams infrastructure to conceal command-and-control traffic from security systems.

Criminal Group Found Sneaking Malware Commands Through Microsoft Teams

A dangerous hacking group called DragonForce has discovered a clever way to hide its malicious activities. Instead of using obvious internet channels that security teams monitor, the group has been routing its control signals through Microsoft Teams, the popular workplace communication platform used by millions of employees worldwide. This allows the attackers to issue commands to infected computers while staying invisible to traditional security defenses.

Think of it like this: normally, when hackers take over a computer, they send instructions through suspicious back-channel websites that security software is trained to recognize. But by piggybacking on Teams, a platform that companies specifically trust and allow through their firewalls, the attackers blend in with normal business traffic.

Understanding the Attack Method

The technical process works by exploiting Microsoft Teams' relay infrastructure, essentially the network pathways that Teams uses to connect users across the world. When you send a message to a colleague in another office, Teams relays that message through its servers. DragonForce has weaponized this same system to send secret instructions to compromised machines.

Once a computer gets infected with their backdoor (a hidden entry point), the malware "phones home" by disguising its communications as normal Teams traffic. To a security monitor, it appears as if employees are simply using the application normally. The attacker maintains complete control without raising red flags.

Why This Matters to Your Organization

This discovery reveals a fundamental weakness in how we approach security. We tend to trust major platforms like Microsoft Teams because they're legitimate, widely used business tools. But that trust can become a liability when criminals exploit it.

What You Should Do Right Now

For IT Administrators: Review your security tools to ensure they're not blindly trusting Teams traffic. Even though Teams is legitimate, monitoring the content and patterns of communication flowing through it is essential. Additionally, ensure your network monitoring includes analysis of trusted applications—criminals are betting you won't look there.

For All Users: Be cautious about which programs you run and which attachments you open. The initial infection typically requires the malware to land on your computer first. If you notice Teams behaving oddly or using unusual amounts of bandwidth when you're not actively chatting, report it immediately.

For Everyone: Understand that no single application is inherently safe. Even tools your company trusts and permits through security systems can be exploited. Stay alert and maintain healthy skepticism about unexpected behavior from any program on your devices.
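
One way to act on the monitoring advice above, as an added example that is not part of the original article: a small check over endpoint flow telemetry that flags non-Teams processes reaching Teams relay address ranges, and heavy Teams relay traffic while the user is idle. The relay ranges, process allowlist, record layout and the `user_active` field are assumptions, and the sample records are constructed.

```python
import ipaddress
from collections import defaultdict

# Assumption: Teams media relay ranges; replace with the current list
# from Microsoft's published Microsoft 365 endpoint data before use.
RELAY_NETS = [ipaddress.ip_network(n) for n in ("52.112.0.0/14", "52.122.0.0/15")]
# Assumption: process names of the approved Teams client on your endpoints.
TEAMS_PROCS = {"ms-teams.exe", "teams.exe", "msedgewebview2.exe"}

# Constructed sample telemetry: (host, process, dest_ip, bytes_out, user_active).
# "user_active" is a hypothetical field, e.g. derived from session-lock events.
FLOWS = [
    ("WS-014", "ms-teams.exe", "52.113.10.20", 400_000, True),
    ("WS-014", "chrome.exe", "203.0.113.10", 80_000, True),
    ("WS-022", "svc_update.exe", "52.114.7.9", 12_000, False),
    ("WS-031", "ms-teams.exe", "52.123.4.4", 900_000, False),
    ("WS-031", "ms-teams.exe", "52.123.4.4", 700_000, False),
]

def is_relay(ip):
    """True if the destination falls inside a configured relay range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RELAY_NETS)

def find_suspicious(flows, idle_byte_limit=1_000_000):
    """Return sorted (host, process, reason) findings for relay-bound flows."""
    findings = set()
    idle_bytes = defaultdict(int)
    for host, proc, dst, sent, user_active in flows:
        if not is_relay(dst):
            continue
        if proc.lower() not in TEAMS_PROCS:
            findings.add((host, proc, "non-Teams process using relay range"))
        elif not user_active:
            idle_bytes[(host, proc)] += sent
    for (host, proc), total in idle_bytes.items():
        if total > idle_byte_limit:
            findings.add((host, proc, "high relay volume while user idle"))
    return sorted(findings)

if __name__ == "__main__":
    for finding in find_suspicious(FLOWS):
        print(finding)
```

Process names can be imitated, so in production pair the name check with the binary's path and code signature.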

As organizations continue relying on cloud-based platforms, attackers will keep finding creative ways to abuse them—which means your security strategy must evolve faster than the threats.

📎 This is original ITVedas reporting. This story was inspired by coverage from source. Visit the source for their original reporting.
