
Hackers Weaponize Microsoft Teams Relay to Hide Ransomware Traffic

Published On: June 17, 2026

In the relentless cat-and-mouse game of cybersecurity, threat actors constantly seek new avenues to bypass defenses. A critical shift is emerging: the weaponization of trusted cloud infrastructure to conceal malicious activities. A recently uncovered campaign exemplifies this troubling trend, demonstrating how adversaries are leveraging legitimate Microsoft Teams relay servers to mask their command-and-control (C2) communications, effectively hiding ransomware traffic in plain sight.

The Evolving Threat Landscape: Abusing Trusted Services

Modern enterprise environments are heavily reliant on cloud services for collaboration, communication, and data storage. While these platforms offer immense benefits, their pervasive nature also presents a lucrative target for attackers. By abusing the very services designed for productivity, cybercriminals can blend their malicious traffic with legitimate network activity, making detection significantly more challenging for conventional security tools.

According to the Symantec Threat Hunter Team, this advanced technique highlights a growing sophistication among ransomware operators. Their ability to weaponize components of a widely used corporate communication platform like Microsoft Teams represents a significant challenge for network defenders struggling to differentiate benign traffic from a covert attack.

Backdoor.TURN: A New Go-Based RAT Leveraging Teams Relays

At the center of this new campaign is a novel Go-based remote access Trojan (RAT) identified as Backdoor.TURN. This malware is designed specifically to use Microsoft Teams TURN (Traversal Using Relays around NAT) relay servers as its command-and-control infrastructure. TURN servers are legitimate components of WebRTC communication: they act as intermediaries that relay encrypted UDP media between peers that cannot reach each other directly because of firewalls or NAT devices.

The ingenuity of this approach lies in the fact that traffic routed through Microsoft Teams TURN relays appears as legitimate Teams communication. This effectively grants the attackers a cloaked channel to control infected systems, exfiltrate data, and ultimately deploy ransomware payloads without immediately raising suspicions from network monitoring tools that might flag unusual external connections.

How Microsoft Teams TURN Relays are Abused

The abuse chain typically involves the following steps:

  • Initial Compromise: Attackers first gain access to a target system through various vectors, such as phishing campaigns, exploiting vulnerabilities, or compromised credentials.
  • Deployment of Backdoor.TURN: Once a foothold is established, the Backdoor.TURN RAT is deployed on the compromised machine.
  • Establishing C2 via TURN: Backdoor.TURN then initiates connections to Microsoft Teams TURN relay servers. Instead of engaging in legitimate video or audio calls, the RAT leverages these servers to establish encrypted C2 channels back to the attacker’s infrastructure.
  • Hiding Ransomware Prep: Over this covert channel, attackers can issue commands, download additional tools, move laterally within the network, and prepare for the final ransomware deployment. The traffic associated with these preparatory actions is indistinguishable from standard Microsoft Teams communications, making traditional perimeter defenses ineffective.

This method significantly complicates threat hunting efforts, as security analysts must now look for subtle anomalies within what appears to be legitimate, high-volume collaborative traffic.

Remediation Actions and Mitigations

Contending with this advanced threat requires a multi-layered defense strategy. Organizations must move beyond perimeter-centric security to implement robust internal monitoring and endpoint detection capabilities.

  • Enhanced Endpoint Detection and Response (EDR): Invest in and fully leverage EDR solutions to detect anomalous process behavior, file modifications, and network connections at the endpoint level, even if the traffic is masked. EDR can identify the execution of Backdoor.TURN itself, regardless of its C2 method.
  • Network Traffic Analysis (NTA) with Behavioral Analytics: Implement NTA tools that can perform deep packet inspection and apply behavioral analytics to identify unusual patterns in Microsoft Teams traffic. While the protocol may be legitimate, abnormal data volumes, connections to unusual Teams tenants, or non-standard payload sizes can indicate compromise.
  • Zero Trust Architecture: Adopt a Zero Trust security model, enforcing strict verification for every user, device, and application attempting to access resources, regardless of their location on the network. This minimizes the impact of a compromised endpoint.
  • Regular Security Awareness Training: Educate users about phishing, social engineering, and the risks associated with suspicious links and attachments, as initial compromise often relies on human error.
  • Patch Management: Maintain a rigorous patch management program to address known vulnerabilities in operating systems, applications, and network devices that could be exploited for initial access.
  • Monitor Microsoft 365 Audit Logs: Continuously monitor Microsoft 365 audit logs for unusual activities, such as new mailbox delegates, unauthorized access to sensitive Teams channels, or suspicious administrative actions. While these logs do not directly detect the RAT’s C2, they can reveal precursors to compromise.
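As an added illustration of the EDR and NTA points above (example code written for this article, not Symantec's detection logic or anything from the campaign), the script below scores endpoint connection records against three simple heuristics: a relay-port connection from a process other than the Teams client, a relay session far longer than a call, and outbound volume far above the host's own Teams baseline. The relay port range, the process allowlist, the thresholds and the sample telemetry are all constructed assumptions.

```python
from collections import defaultdict, namedtuple
from statistics import median

# Assumptions (not from the article): Teams media relays listen on UDP 3478-3481
# and only the Teams client is expected to talk to them; thresholds are illustrative.
TURN_PORTS = {3478, 3479, 3480, 3481}
TEAMS_PROCESSES = {"ms-teams.exe", "teams.exe"}
MAX_SESSION_S = 6 * 3600   # a call relayed for longer than this is unusual
VOLUME_FACTOR = 10         # flag bytes_out above 10x the host's Teams median

# One endpoint network-connection record, as EDR telemetry might expose it.
Conn = namedtuple("Conn", "host process proto dst_port bytes_out duration_s")

def is_relay(c):
    return c.proto == "udp" and c.dst_port in TURN_PORTS

def score_connection(c, baseline):
    """Reasons a relay connection looks anomalous; an empty list means nothing stood out."""
    if not is_relay(c):
        return []
    reasons = []
    if c.process.lower() not in TEAMS_PROCESSES:
        reasons.append("non-Teams process using TURN relay port")
    if c.duration_s > MAX_SESSION_S:
        reasons.append("relay session longer than %dh" % (MAX_SESSION_S // 3600))
    if baseline and c.bytes_out > VOLUME_FACTOR * baseline:
        reasons.append("outbound volume above %dx host baseline" % VOLUME_FACTOR)
    return reasons

def find_anomalies(conns):
    """Map (host, process) -> reasons, using each host's own Teams calls as the baseline."""
    teams_bytes = defaultdict(list)
    for c in conns:
        if is_relay(c) and c.process.lower() in TEAMS_PROCESSES:
            teams_bytes[c.host].append(c.bytes_out)
    findings = {}
    for c in conns:
        base = median(teams_bytes[c.host]) if teams_bytes[c.host] else 0
        if reasons := score_connection(c, base):
            findings[(c.host, c.process)] = reasons
    return findings

# Constructed sample: two ordinary Teams calls, one long-lived high-volume relay
# session from an unknown binary, and unrelated HTTPS traffic.
SAMPLE = [
    Conn("ws-01", "ms-teams.exe", "udp", 3478, 40_000_000, 1800),
    Conn("ws-01", "ms-teams.exe", "udp", 3479, 60_000_000, 2400),
    Conn("ws-01", "updater.exe", "udp", 3478, 900_000_000, 36000),
    Conn("ws-02", "ms-teams.exe", "udp", 3480, 30_000_000, 900),
    Conn("ws-01", "chrome.exe", "tcp", 443, 5_000_000, 60),
]
```

Running `find_anomalies(SAMPLE)` flags only the `updater.exe` session on `ws-01`, with all three reasons; in practice the allowlist and thresholds should be tuned from your own telemetry before alerting on them.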

Threat Detection Tools and Best Practices

Equipping your security team with the right tools is paramount in detecting and responding to sophisticated threats like Backdoor.TURN. Here are some categories and examples of tools that can aid in detection and mitigation:

  • Endpoint Detection & Response (EDR)
    Purpose: Detect malicious activity and behavior at the endpoint, regardless of network obfuscation.
    Examples / Best Practices: CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne, Carbon Black
  • Network Detection & Response (NDR) / NTA
    Purpose: Analyze network traffic for anomalies and compromised communications, even within legitimate protocols.
    Examples / Best Practices: Vectra AI, Darktrace, Palo Alto Networks Cortex XDR (for network insights), Zeek (formerly Bro)
  • Security Information & Event Management (SIEM)
    Purpose: Aggregate and correlate security logs from various sources to provide a holistic view of the security posture.
    Examples / Best Practices: Splunk, IBM QRadar, Microsoft Sentinel, Elastic SIEM
  • Cloud Access Security Broker (CASB)
    Purpose: Provide visibility and control over cloud applications, including data protection in SaaS environments.
    Examples / Best Practices: Netskope, Zscaler, Symantec CASB
  • Threat Intelligence Platforms (TIP)
    Purpose: Help security teams stay up to date on emerging threats, TTPs, and indicators of compromise.
    Examples / Best Practices: Recorded Future, Anomali ThreatStream, MISP (open source)

Conclusion

The weaponization of Microsoft Teams relay servers by threats like Backdoor.TURN marks a significant evolution in ransomware tactics. It underscores the critical need for organizations to adopt a proactive, adaptive security posture that goes beyond traditional perimeter defenses. By investing in robust EDR, NTA, and embracing Zero Trust principles, security teams can better defend against adversaries who cleverly hide their malicious intent within the very fabric of trusted enterprise communications. Continuous vigilance and a deep understanding of evolving threat landscapes are paramount in safeguarding digital assets against these increasingly sophisticated attacks.
