Hackers are sneaking malware through Microsoft Teams to avoid detection, exposing thousands of businesses to data theft and ransomware attacks.
Security researchers recently uncovered a troubling trend: criminal groups are weaponizing everyday business tools to launch attacks. Specifically, attackers linked to the DragonForce ransomware gang have deployed a custom malicious program written in the Go programming language, which they're using to establish hidden communication channels with compromised computers inside corporate networks. The clever part? They're routing this secret communication through Microsoft Teams—the same platform millions of employees use daily for video calls and instant messages.
This malware, tracked as Backdoor.Turn, works like an invisible spy living inside your organization's trusted communication system. Once installed on a victim's computer, it opens a back door that allows attackers to issue commands, steal data, and plant additional malicious code—all while hiding in plain sight within the normal Teams traffic that your network is already monitoring for legitimate business use.
Network security teams typically watch for suspicious internet traffic coming from unknown sources. It's like having a security guard check packages entering your building. But when attackers disguise their commands as regular Teams messages, the traffic looks completely legitimate. The guard waves it through because it appears to be normal business communication.
Microsoft Teams uses relay infrastructure—essentially secure pathways that move data between different locations—to handle millions of conversations globally. By embedding their malware's secret commands inside these legitimate pathways, criminals become nearly invisible to standard security monitoring tools. Your antivirus software sees Teams running and approves it. Your firewall sees Teams traffic and allows it. Your security team sees nothing unusual.
This discovery exposes a major weakness in how many companies approach cybersecurity. We tend to trust popular, well-known applications like Teams, assuming they're automatically safe. But criminals understand this psychology and exploit it.
The real danger isn't just the malware itself—it's that attackers gain the ability to move freely within your network, accessing sensitive files, backup systems, and administrative accounts before launching a destructive ransomware attack.
Once inside, these criminals can spend weeks or months mapping your network, understanding your business operations, and identifying your most valuable data. Then they strike with ransomware, encrypting everything and demanding payment for recovery.
This attack demonstrates that security requires thinking like an attacker. Criminals will always exploit the most trusted tools because we pay them the least attention. The solution involves combining multiple security layers—from technical controls to employee awareness training to incident response planning.
Your security team needs visibility into what's happening on your network, authority to investigate suspicious activity, and resources to respond quickly when threats appear.
The question isn't whether attackers will target your organization—it's whether you'll detect them before they cause serious damage.
Want to understand the technology behind this story? ITVedas has beginner-friendly guides on every IT topic.
Explore IT Chapters →