
The sophistication of the DragonForce attack lies not in breaking down doors, but in walking through the front entrance undetected. By weaponizing Microsoft Teams' legitimate relay infrastructure, these attackers have discovered a method to blend their malicious traffic with the millions of legitimate Teams communications flowing through corporate networks every day.

Think of Microsoft Teams' TURN (Traversal Using Relays around NAT) infrastructure as a trusted postal service that helps messages navigate complex network boundaries. When you join a Teams meeting from a coffee shop or hotel, TURN relays ensure your audio and video reach colleagues behind corporate firewalls. DragonForce's Backdoor.Turn malware exploits this same trusted pathway - obtaining anonymous visitor tokens from Microsoft's Skype-backed identity services, then routing commands through legitimate Microsoft TURN relays before establishing QUIC sessions to their actual command servers.

This approach solves multiple challenges for attackers simultaneously. Network security tools see outbound connections to microsoft.com domains - traffic that appears identical to legitimate Teams usage. The encrypted nature of Teams communications means deep packet inspection cannot distinguish between a legitimate video call and malicious command traffic. Security teams face an impossible choice: block Teams traffic and cripple business communications, or allow it and potentially miss active intrusions.

The technical elegance extends beyond simple camouflage. By leveraging Microsoft's own infrastructure as an intermediary, attackers gain several advantages. The TURN relay handles network address translation complexities, ensuring commands reach compromised systems regardless of network topology. The use of QUIC protocol provides built-in encryption and reliability without requiring attackers to maintain their own robust infrastructure. Most critically, the anonymous visitor tokens require no authentication, allowing the malware to establish connections without stolen credentials or complex authentication bypasses.

For security teams, this represents a fundamental detection challenge. Traditional indicators like suspicious domains, unusual ports, or geographic anomalies become useless when attackers communicate through the same channels used for daily business operations. The one-to-two month dwell time observed in the U.S. services company breach demonstrates how effectively this technique evades detection. During this period, defenders likely saw thousands of legitimate Teams connections daily, with malicious traffic hidden among them like a single poisoned grain of rice in a warehouse full of food.

The business implications extend beyond technical detection difficulties. Microsoft Teams has become critical infrastructure for many organizations, with usage exploding since 2020. Any security measure that impacts Teams availability or performance faces immediate pushback from users and management. Attackers understand this organizational dynamic - they're not just exploiting technical vulnerabilities but organizational dependencies on collaboration tools. When your primary communication platform becomes the attacker's command channel, traditional security boundaries dissolve. The very tools that enable remote work and global collaboration become weapons turned against the organization, transforming trusted infrastructure into an invisible highway for data theft and ransomware deployment.


Attack Chain: From Initial Compromise to Persistent Backdoor

The attack unfolds across distinct phases, each designed to maximize stealth while establishing deeper control over compromised systems. Understanding this progression reveals critical detection opportunities that organizations often miss.

Initial foothold begins through exploitation of vulnerable SQL or Microsoft SQL Server systems, though the exact entry vector remains unclear. The attackers may have purchased access from specialized brokers who sell pre-compromised credentials on underground forums. This outsourcing model allows ransomware operators to skip the reconnaissance phase entirely, starting their attack from inside the perimeter.

Once inside, the attackers deploy their first payload: a ZIP archive containing a legitimate VirtualBox or DbgView executable paired with vboxrt.dll, a malicious library designed for DLL sideloading. When the legitimate executable runs, it automatically loads the malicious DLL, which then downloads additional attack components from remote servers. This technique bypasses application whitelisting since the primary executable appears legitimate to security tools.

The downloaded code serves multiple purposes: securing persistent access, conducting reconnaissance, and preparing the environment for deeper compromise. At this stage, attackers create new user accounts to maintain access even if their initial entry point gets discovered. They also modify the Windows LimitBlankPasswordUse registry value (under HKLM\SYSTEM\CurrentControlSet\Control\Lsa), allowing remote access to accounts without passwords - a change that often goes unnoticed in security audits.

Defense evasion escalates through Bring Your Own Vulnerable Driver (BYOVD) attacks. The attackers deploy four different vulnerable drivers to gain kernel-level privileges:

  • Huawei's HWAuidoOs2Ec.sys driver, part of a novel "Havoc Process Terminator" attack not previously documented in the wild
  • Topaz Antifraud's wsftprm.sys (CVE-2023-52271), which allows arbitrary kernel memory writes
  • Tower of Fantasy's GameDriverx64.sys (CVE-2025-61155), exploitable for privilege escalation
  • K7 Security's K7RKScan.sys (CVE-2025-1055), enabling security tool termination

Each driver serves a specific purpose in dismantling security defenses. The Huawei driver terminates endpoint detection processes, while the gaming and security drivers disable real-time scanning and firewall rules. This multi-driver approach ensures redundancy - if one driver gets blocked, others continue functioning.

ABYSSWORKER represents the most sophisticated element of the defense evasion toolkit. This custom-built malware driver masquerades as a legitimate Palo Alto Networks component, complete with forged digital signatures that pass cursory inspection. Security teams reviewing driver logs see what appears to be a trusted security vendor's software, when in reality it provides attackers with unrestricted kernel access.

The dwell time between initial compromise and ransomware deployment stretched between one and two months. During this period, attackers conducted thorough reconnaissance, mapped the network topology, identified critical systems, and exfiltrated sensitive data. This extended timeline suggests methodical preparation rather than opportunistic smash-and-grab tactics.


After deploying the DragonForce ransomware payload, the attackers introduced their most innovative persistence mechanism: injecting Backdoor.Turn into the legitimate DbgView64.exe process. This post-ransomware deployment timing suggests the backdoor serves dual purposes - maintaining access for double extortion negotiations and establishing infrastructure for future attacks against the same victim or their business partners.

Ransomware Attack Chain Progression

1. Initial Foothold - Attackers gain entry through SQL server vulnerabilities or purchased credentials from underground forums, bypassing perimeter defenses. Entry methods: SQL exploitation, credential purchase.

2. Payload Deployment - A ZIP archive containing legitimate executables (VirtualBox/DbgView) paired with the malicious vboxrt.dll for a DLL sideloading attack. Techniques: DLL sideloading, living off the land.

3. Persistence & Recon - Creates backdoor accounts, modifies the LimitBlankPassword registry setting for passwordless remote access, and maps the environment. Actions: account creation, registry modification.

4. Defense Evasion - BYOVD attacks using 4 vulnerable drivers to gain kernel privileges and terminate security tools, including the novel "Havoc Process Terminator." Vulnerable drivers: Huawei driver, Topaz wsftprm.sys, GameDriverx64.sys, K7RKScan.sys.

Immediate Detection & Response Actions for Your Environment

Your security team needs to act on three fronts simultaneously: hunting for existing compromise indicators, blocking active threats, and preventing future infiltration through Teams infrastructure. The following actions are prioritized by urgency and feasibility.

Immediate Actions (Next 4 Hours)

Start by examining your Teams audit logs for anonymous visitor token generation patterns. Navigate to the Microsoft 365 compliance center and search for Operation: "AnonymousUserJoin" events over the past 90 days. Export these results and correlate timestamps with unusual QUIC protocol traffic spikes in your firewall logs. Anonymous tokens shouldn't appear frequently in corporate environments - any cluster of these events warrants investigation.

Query your endpoint detection systems for processes spawning from DbgView64.exe or DbgView.exe. These legitimate debugging tools rarely run in production environments. If you find instances, immediately check whether they're loading unusual DLLs or establishing network connections to non-Microsoft IP addresses.

Search for the presence of vboxrt.dll across all endpoints using your EDR platform's file search capability. VirtualBox components appearing on non-developer workstations, especially near SQL servers, indicate potential compromise. The legitimate VirtualBox runtime library has specific hash values - any deviation suggests tampering.
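The three endpoint checks above (DbgView processes, the DLLs they load, and stray copies of vboxrt.dll) can be run from one elevated PowerShell session. The script below is an added example written for this page, not code from the original article or from any vendor; it assumes a default VirtualBox install path under Program Files\Oracle\VirtualBox, and the known-good hash is a placeholder you replace with the SHA256 of the vboxrt.dll that ships with your approved VirtualBox build.

```powershell
# Added triage example (not from the original article). Run elevated on the host under review.
# $KnownGoodVboxrtSha256 is a placeholder: fill it from your approved VirtualBox package.
$KnownGoodVboxrtSha256 = 'REPLACE-WITH-VENDOR-SHA256'

function Get-DbgViewTriage {
    # Lists running DbgView/DbgView64 processes, every module they have loaded and their
    # established TCP sessions, so a sideloaded vboxrt.dll or an unexpected outbound
    # connection from a debugging tool is visible in one object per process.
    $procs = Get-Process -Name 'DbgView', 'DbgView64' -ErrorAction SilentlyContinue
    foreach ($p in $procs) {
        $modules = @()
        try { $modules = @($p.Modules | Select-Object -ExpandProperty ModuleName) } catch { }
        $conns = Get-NetTCPConnection -OwningProcess $p.Id -ErrorAction SilentlyContinue |
            Where-Object { $_.State -eq 'Established' } |
            ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }
        [pscustomobject]@{
            ProcessName     = $p.ProcessName
            Pid             = $p.Id
            Path            = $p.Path
            LoadsVboxrt     = [bool]($modules -contains 'vboxrt.dll')
            Modules         = $modules
            RemoteEndpoints = @($conns)
        }
    }
}

function Find-VboxrtCopies {
    param([string[]]$Roots = @("$env:SystemDrive\"))
    # Locates every vboxrt.dll on the given volumes and compares its SHA256 with the
    # known-good value. A copy outside the VirtualBox directory, or with a different
    # hash, is a lead for the sideloading described in the article.
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Filter 'vboxrt.dll' -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
                [pscustomobject]@{
                    Path             = $_.FullName
                    Sha256           = $hash
                    MatchesKnownGood = ($hash -eq $KnownGoodVboxrtSha256)
                    InVirtualBoxDir  = ($_.DirectoryName -like '*\Oracle\VirtualBox*')
                    LastWriteUtc     = $_.LastWriteTimeUtc
                }
            }
    }
}

# Usage: interactive triage of one host
Get-DbgViewTriage | Format-List
Find-VboxrtCopies | Where-Object { -not $_.MatchesKnownGood -or -not $_.InVirtualBoxDir } | Format-Table -AutoSize
```

Reading the module list can fail for a 32-bit DbgView under a 64-bit shell, which is why the call is wrapped in try/catch; an empty Modules field in the output therefore means "could not read", not "nothing loaded", and the process still deserves a look.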

Short-term Detection Enhancements (24-48 Hours)

Deploy network monitoring rules to flag QUIC sessions originating from processes other than browsers or known collaboration tools. While QUIC traffic itself is legitimate, database servers and domain controllers shouldn't generate this protocol. Configure your SIEM to alert when SQL Server processes establish connections to Microsoft's TURN relay endpoints at *.trouter.teams.microsoft.com.

Create detection rules for driver loading events involving:

  • HWAuidoOs2Ec.sys - The Huawei driver exploited by Havoc Process Terminator
  • wsftprm.sys - Topaz Antifraud driver vulnerable to exploitation
  • GameDriverx64.sys - Tower of Fantasy gaming driver used for privilege escalation
  • K7RKScan.sys - K7 Security driver with known vulnerabilities

Configure Windows Event ID 6 (driver loaded) monitoring with alerts for these specific filenames. Legitimate business operations rarely load gaming or foreign antivirus drivers.
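The driver names from the list above can be matched against driver-load events on any host. The function below is an added example for this page, not code from the article; it assumes Sysmon is installed, since Event ID 6 (Driver loaded) is the Sysmon event written to the Microsoft-Windows-Sysmon/Operational channel, and it reads the event's named data fields (ImageLoaded, Hashes, Signed, Signature, SignatureStatus) from the event XML rather than the rendered message text.

```powershell
# Added detection example (not from the original article). Requires Sysmon and
# rights to read its operational log.
$WatchedDrivers = @('HWAuidoOs2Ec.sys', 'wsftprm.sys', 'GameDriverx64.sys', 'K7RKScan.sys')

function Get-SuspiciousDriverLoads {
    param(
        [datetime]$Since = (Get-Date).AddDays(-30),
        [string[]]$Names = $WatchedDrivers
    )
    # Sysmon Event ID 6 = Driver loaded. FilterHashtable does the coarse filter in the
    # event log service; the filename comparison happens here against $Names.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-Sysmon/Operational'
        Id        = 6
        StartTime = $Since
    } -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Turn the <Data Name="...">value</Data> elements into a lookup table
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if (-not $data['ImageLoaded']) { continue }

        $file = Split-Path -Leaf $data['ImageLoaded']
        if ($Names -contains $file) {
            [pscustomobject]@{
                TimeUtc         = $e.TimeCreated.ToUniversalTime()
                Computer        = $e.MachineName
                Driver          = $file
                ImageLoaded     = $data['ImageLoaded']
                Hashes          = $data['Hashes']
                Signed          = $data['Signed']
                Signature       = $data['Signature']
                SignatureStatus = $data['SignatureStatus']
            }
        }
    }
}

# Usage: review the last 30 days on this host
Get-SuspiciousDriverLoads | Sort-Object TimeUtc | Format-Table -AutoSize
```

The Hashes and Signature fields are worth keeping in the alert: a BYOVD driver is validly signed by its original vendor, so the signature alone will look clean, and the hash is what lets you confirm which vulnerable build was loaded and feed a block rule afterwards.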

Review Active Directory for recently created accounts and cross-reference them with systems whose LimitBlankPassword setting has been modified. Query:

$cutoff = (Get-Date).AddDays(-60); Get-ADUser -Filter {whenCreated -ge $cutoff} -Properties whenCreated | Select-Object Name, whenCreated

(the cutoff goes in a variable because -Filter does not evaluate inline expressions, and whenCreated must be requested with -Properties because it is not in the default property set), then cross-reference the results with systems where HKLM\SYSTEM\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse equals 0.
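Doing the cross-reference at scale means asking each server for its LimitBlankPasswordUse value rather than opening Registry Editor host by host. The script below is an added example for this page, not code from the article; it assumes the ActiveDirectory module (RSAT) on the analyst workstation, WinRM reachable on the target servers, and an account allowed to read HKLM there. The server names in $HostsNearSql are constructed placeholders.

```powershell
# Added example (not from the original article): recent AD accounts plus the
# LimitBlankPasswordUse value on a set of servers, as two reusable functions.
Import-Module ActiveDirectory

function Get-RecentlyCreatedAccounts {
    param([int]$Days = 60)
    # The cutoff is computed first because -Filter does not evaluate expressions
    # inline, and whenCreated must be requested explicitly with -Properties.
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADUser -Filter { whenCreated -ge $cutoff } -Properties whenCreated |
        Select-Object Name, SamAccountName, Enabled, whenCreated
}

function Get-BlankPasswordPolicy {
    param([Parameter(Mandatory)] [string[]]$ComputerName)
    # LimitBlankPasswordUse = 1 (the default) restricts blank-password accounts to
    # console logon; 0 lets them authenticate over the network, which is the
    # change the article describes. A missing value behaves like the default.
    Invoke-Command -ComputerName $ComputerName -ErrorAction Continue -ScriptBlock {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        $v = (Get-ItemProperty -Path $key -Name LimitBlankPasswordUse -ErrorAction SilentlyContinue).LimitBlankPasswordUse
        [pscustomobject]@{
            Computer              = $env:COMPUTERNAME
            LimitBlankPasswordUse = $v
            NetworkBlankPwAllowed = ($v -eq 0)
        }
    } | Select-Object Computer, LimitBlankPasswordUse, NetworkBlankPwAllowed
}

# Usage
$HostsNearSql = @('SQL01', 'SQL02', 'APP01')   # constructed placeholder names

"Accounts created in the last 60 days:"
Get-RecentlyCreatedAccounts | Format-Table -AutoSize

"Hosts that allow blank passwords over the network:"
Get-BlankPasswordPolicy -ComputerName $HostsNearSql |
    Where-Object NetworkBlankPwAllowed |
    Format-Table -AutoSize
```

A host that returns NetworkBlankPwAllowed = True is the pivot point: check which of the recently created accounts (or any local account) can log on there, and treat the account creation time as the earliest bound of the intrusion timeline.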

Long-term Hardening Measures (7-14 Days)

Implement Teams governance policies restricting anonymous join capabilities. In the Teams admin center, disable "Anonymous users can join a meeting" for all meeting policies except those explicitly required for external collaboration. Document which departments require this functionality and implement compensating controls like meeting passwords.

Establish a patching cadence for the identified vulnerabilities. CVE-2023-52271 affects Topaz systems deployed before October 2023. CVE-2025-61155 and CVE-2025-1055 require immediate vendor engagement as these appear to be recently disclosed. Contact Tower of Fantasy and K7 Security support channels for emergency patches if these products exist in your environment.

Deploy application control policies blocking unsigned kernel drivers from loading. While this requires careful testing to avoid breaking legitimate tools, it prevents BYOVD attacks from succeeding even if attackers gain administrative access.

Patching Priorities & Vulnerability Context

The vulnerability chain exploited by DragonForce reveals a calculated approach to bypassing kernel-level security protections. Each CVE serves a specific purpose in dismantling defensive layers, with the attackers demonstrating deep knowledge of driver vulnerabilities across multiple security vendors.

CVE-2023-52271 in Topaz Antifraud's wsftprm.sys driver represents the most critical immediate risk. This vulnerability allows arbitrary kernel memory read/write operations through improper input validation in IOCTL handlers. DragonForce leverages this flaw during their initial privilege escalation phase, gaining the kernel-level access necessary to disable endpoint protection before deploying ransomware. The driver remains widely deployed in financial services environments where Topaz's fraud prevention solutions are standard.

Microsoft released an advisory acknowledging the vulnerability in January 2024, but Topaz has not issued a patch as of June 2026. Organizations running Topaz Antifraud versions 3.x through 5.x remain vulnerable. The only available workaround involves removing the wsftprm.sys driver entirely, which disables fraud monitoring capabilities - an unacceptable trade-off for most financial institutions.

CVE-2025-61155 affects Tower of Fantasy's GameDriverx64.sys, an unexpected attack vector that highlights how gaming software in corporate environments creates security gaps. This driver vulnerability enables process termination with SYSTEM privileges, which DragonForce uses specifically to kill security agent processes after gaining initial kernel access. The gaming driver's presence on enterprise systems typically results from employees installing personal software or from workstations repurposed from consumer devices.

Tower of Fantasy patched this vulnerability in March 2026, but the update requires manual driver replacement rather than automatic updates through the game client. Many organizations remain unaware they're running vulnerable gaming drivers, as these components don't appear in standard vulnerability scans focused on enterprise software.

CVE-2025-1055 in K7 Security's K7RKScan.sys represents a post-compromise persistence mechanism rather than initial access vector. This vulnerability allows attackers to maintain kernel-level access even after security tools are reinstalled. DragonForce deploys this exploit late in their attack chain, ensuring they can re-disable protections if incident responders attempt remediation without fully removing the compromised driver.

K7 Security released patches in February 2026, distributed through their automatic update mechanism. However, the patch requires a system reboot to take effect, and the vulnerable driver continues running until that restart occurs.

Organizations should prioritize patching based on their environment profile. Financial services and payment processors must address CVE-2023-52271 immediately through compensating controls since no patch exists. Deploy application control policies blocking wsftprm.sys execution while maintaining fraud monitoring through alternative solutions.

Gaming and media companies face elevated risk from CVE-2025-61155 due to higher likelihood of gaming software presence. Scan for GameDriverx64.sys across all endpoints within 48 hours, removing or updating any instances discovered.

Healthcare and government entities running K7 Security products should schedule emergency maintenance windows for CVE-2025-1055 patching within 72 hours. The combination of all three vulnerabilities suggests DragonForce specifically targets organizations with mixed security vendor deployments, exploiting the gaps between different protection layers.

Securing Microsoft Teams Against Abuse by Threat Actors

Microsoft Teams' collaborative infrastructure presents an inherent security paradox: the same features that enable seamless communication across organizational boundaries also create pathways for sophisticated threat actors. The DragonForce incident demonstrates how attackers weaponize legitimate Teams functionality, but organizations can implement specific controls that preserve collaboration while blocking malicious abuse.

Teams app permission policies serve as your first line of defense against unauthorized integrations. Within the Teams admin center, navigate to Teams apps > Permission policies and create restrictive baseline policies that block third-party app installations by default. Configure separate policies for different user groups - developers might need broader access than accounting staff. Set the Microsoft apps policy to "Allow specific apps and block all others," then whitelist only verified business-critical applications like Power BI or Planner.

The Global (Org-wide default) policy should enforce the strictest controls, with exceptions granted through explicit policy assignments.

External access federation settings determine who can initiate Teams communications with your users. Rather than allowing all external domains by default, implement an allowlist approach through Teams admin center > Org-wide settings > External access. Enable "Allow only specific external domains" and manually add trusted partner organizations. This configuration would have prevented DragonForce from establishing anonymous visitor sessions, as their infrastructure wouldn't appear on your federation allowlist.
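The meeting-policy and external-access settings described above (and the anonymous-join restriction from the hardening section earlier) can also be set from PowerShell, which makes them auditable and repeatable across tenants. The commands below are an added example for this page, not from the article; they use the MicrosoftTeams module's cmdlets Set-CsTeamsMeetingPolicy, Set-CsTenantFederationConfiguration and Set-CsTeamsAppSetupPolicy, and the policy name, user and partner domains are constructed placeholders.

```powershell
# Added configuration example (not from the original article). Run the Get-* calls
# first and record the current values so the change can be reverted if a business
# unit depends on it.
Import-Module MicrosoftTeams
Connect-MicrosoftTeams

# 1. Anonymous meeting join: off by default; on only for a policy assigned to the
#    users who genuinely host external meetings (placeholder names).
Set-CsTeamsMeetingPolicy -Identity Global -AllowAnonymousUsersToJoinMeeting $false
New-CsTeamsMeetingPolicy -Identity 'ExternalCollab-AnonymousJoin' -AllowAnonymousUsersToJoinMeeting $true
Grant-CsTeamsMeetingPolicy -Identity 'partner.host@example.com' -PolicyName 'ExternalCollab-AnonymousJoin'

# 2. External access: federation stays on, but only the listed partner domains may
#    reach your users; consumer Skype accounts are blocked.
Set-CsTenantFederationConfiguration -AllowFederatedUsers $true `
    -AllowedDomainsAsAList @('partner-one.example', 'partner-two.example') `
    -AllowPublicUsers $false

# 3. Custom app sideloading off for everyone.
Set-CsTeamsAppSetupPolicy -Identity Global -AllowSideLoading $false

# 4. Verify the resulting state (this is also the periodic compliance check).
Get-CsTeamsMeetingPolicy -Identity Global | Select-Object Identity, AllowAnonymousUsersToJoinMeeting
Get-CsTenantFederationConfiguration | Select-Object AllowFederatedUsers, AllowPublicUsers, AllowedDomains
Get-CsTeamsAppSetupPolicy -Identity Global | Select-Object Identity, AllowSideLoading
```

Keeping the verify block in a scheduled job gives you a drift check: if the Global policy ever reports AllowAnonymousUsersToJoinMeeting = True again, either an admin re-enabled it or a change happened that you want to investigate.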

Audit logging configuration extends beyond simple enablement - retention policies and search capabilities determine whether you can reconstruct attack timelines. In the Microsoft 365 compliance center, configure audit retention to the maximum 10-year period for critical events including AnonymousUserJoin, BotMessageDelete, and MeetingParticipantDetail operations. Create custom alert policies that trigger when anonymous tokens are generated more than three times within an hour from the same IP range.

These alerts should route to your SOC with high priority, as legitimate anonymous access typically occurs in predictable patterns during scheduled external meetings.
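The alert rule described above ("more than three anonymous token generations within an hour from the same IP range") is the kind of logic a SIEM expresses as a sliding window, and the same rule is what the 90-day AnonymousUserJoin search in the Immediate Actions section should be fed through. The function below is an added example for this page, not code from the article or from Microsoft: it runs over constructed sample records, treats "IP range" as an IPv4 /24 (an assumption), and includes a small converter for live Search-UnifiedAuditLog output, where ClientIP sits inside the AuditData JSON.

```powershell
# Added detection example (not from the original article).
# Live input: Search-UnifiedAuditLog -Operations AnonymousUserJoin `
#                 -StartDate (Get-Date).AddDays(-90) -EndDate (Get-Date) -ResultSize 5000 |
#             ConvertFrom-UnifiedAuditRecord

function ConvertFrom-UnifiedAuditRecord {
    param([Parameter(ValueFromPipeline)] $Record)
    process {
        # AuditData is a JSON string carrying Operation and ClientIP (assumed field names)
        $d = $Record.AuditData | ConvertFrom-Json
        [pscustomobject]@{ CreationDate = $Record.CreationDate; Operation = $d.Operation; ClientIP = $d.ClientIP }
    }
}

function Get-Subnet24 {
    param([string]$Ip)
    # Collapse a dotted IPv4 address to its /24; anything else passes through unchanged
    if ($Ip -match '^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.\d{1,3}$') {
        return "$($Matches[1]).$($Matches[2]).$($Matches[3]).0/24"
    }
    return $Ip
}

function Find-AnonymousJoinBursts {
    param(
        [Parameter(Mandatory)] [object[]]$Records,   # objects with CreationDate, Operation, ClientIP
        [int]$Threshold = 3,
        [int]$WindowMinutes = 60
    )
    # Per /24, slide a trailing window over the sorted join times; emit one alert the
    # first time more than $Threshold joins fall inside the window.
    $groups = $Records |
        Where-Object { $_.Operation -eq 'AnonymousUserJoin' } |
        Group-Object -Property { Get-Subnet24 $_.ClientIP }

    foreach ($g in $groups) {
        $times = @($g.Group | ForEach-Object { [datetime]$_.CreationDate } | Sort-Object)
        $start = 0
        for ($i = 0; $i -lt $times.Count; $i++) {
            while (($times[$i] - $times[$start]).TotalMinutes -gt $WindowMinutes) { $start++ }
            $count = $i - $start + 1
            if ($count -gt $Threshold) {
                [pscustomobject]@{
                    Subnet      = $g.Name
                    WindowStart = $times[$start]
                    WindowEnd   = $times[$i]
                    Joins       = $count
                }
                break   # one alert per subnet is enough to route to the SOC
            }
        }
    }
}

# Constructed sample: a scheduled external meeting (two joins from 203.0.113.0/24)
# versus a burst of five joins inside 48 minutes from 198.51.100.0/24.
$sample = @(
    [pscustomobject]@{ CreationDate = '2026-05-04T14:02:00Z'; Operation = 'AnonymousUserJoin';        ClientIP = '203.0.113.10' },
    [pscustomobject]@{ CreationDate = '2026-05-04T14:05:00Z'; Operation = 'AnonymousUserJoin';        ClientIP = '203.0.113.11' },
    [pscustomobject]@{ CreationDate = '2026-05-04T22:10:00Z'; Operation = 'AnonymousUserJoin';        ClientIP = '198.51.100.7' },
    [pscustomobject]@{ CreationDate = '2026-05-04T22:14:00Z'; Operation = 'AnonymousUserJoin';        ClientIP = '198.51.100.9' },
    [pscustomobject]@{ CreationDate = '2026-05-04T22:31:00Z'; Operation = 'AnonymousUserJoin';        ClientIP = '198.51.100.7' },
    [pscustomobject]@{ CreationDate = '2026-05-04T22:40:00Z'; Operation = 'AnonymousUserJoin';        ClientIP = '198.51.100.22' },
    [pscustomobject]@{ CreationDate = '2026-05-04T22:58:00Z'; Operation = 'AnonymousUserJoin';        ClientIP = '198.51.100.7' },
    [pscustomobject]@{ CreationDate = '2026-05-04T23:00:00Z'; Operation = 'MeetingParticipantDetail'; ClientIP = '198.51.100.7' }
)

Find-AnonymousJoinBursts -Records $sample | Format-Table -AutoSize
```

The non-join record in the sample is there deliberately: the Where-Object filter drops it, so MeetingParticipantDetail events retained for timeline reconstruction do not inflate the count. Tune the threshold against a month of your own data before routing the alert with high priority, because a large partner webinar legitimately produces a burst from one corporate NAT range.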

Bot and webhook restrictions require granular control through both Teams policies and Azure AD conditional access. In Teams admin center > Org-wide settings > Apps, disable "Allow interaction with custom apps" and set "Allow sideloading of custom apps" to Off. For existing bots, implement Azure AD app governance policies that require administrative consent for any application requesting Teams.ReadWrite.All or ChannelMessage.Send permissions. Configure conditional access to block bot authentication from countries where you have no business operations.

Integration point hardening focuses on the connectors and APIs that bridge Teams with other systems. Through the Teams admin center, disable all connectors except those explicitly required - most organizations only need SharePoint, OneNote, and Planner. For Power Automate flows that interact with Teams, enforce environment-level data loss prevention policies that block flows from sending Teams messages to external HTTP endpoints. Configure Graph API throttling limits to detect unusual message volume patterns that might indicate command-and-control traffic.

The usability versus security tension becomes most apparent in guest access scenarios. While blocking all external collaboration might prevent attacks like DragonForce's, it also cripples legitimate business partnerships. Instead, implement time-bound guest access with automatic expiration after 90 days, require sponsors to re-attest guest necessity quarterly, and enforce conditional access policies that mandate managed devices for guests accessing sensitive channels. This balanced approach maintains collaborative capabilities while creating multiple detection opportunities throughout the attack chain.

Industries & Roles at Highest Risk

The DragonForce group's targeting of a U.S. services company reveals a calculated selection of victims where Microsoft Teams serves as both collaboration backbone and potential attack vector. Understanding why certain industries face elevated risk helps organizations assess their exposure to similar sophisticated campaigns.

Managed service providers (MSPs) represent the crown jewels for ransomware operators like DragonForce. These organizations maintain privileged access to dozens or hundreds of client environments through remote management tools, creating a multiplier effect for any successful compromise. When attackers breach an MSP, they inherit trusted pathways into every downstream customer - pathways that bypass traditional perimeter defenses because the MSP connection is legitimate and expected.

The Teams infrastructure abuse technique particularly threatens MSPs because their technicians routinely join client Teams meetings, share screens across organizational boundaries, and maintain guest access to multiple tenants. This normal operational pattern makes anonymous visitor tokens and cross-tenant communications standard rather than suspicious.

IT consulting firms face similar exposure through their project-based engagements. Consultants typically receive temporary Teams access to client environments during implementations, migrations, or assessments. These transient permissions create security blind spots - organizations rarely audit or revoke consultant access promptly after project completion. The consulting model also normalizes external participants in sensitive meetings where infrastructure details, security configurations, and business strategies are discussed openly.

Professional services firms handling mergers and acquisitions present especially attractive targets. During due diligence phases, these organizations aggregate financial data, intellectual property, and strategic plans from multiple parties into centralized Teams channels. A single compromise could expose transaction details worth billions, insider information affecting stock prices, or competitive intelligence spanning entire industries.

Outsourced IT service providers operating help desks or service delivery centers concentrate risk through their operational structure. Service desk analysts require broad access to troubleshoot issues across customer environments, often maintaining administrative credentials for multiple clients simultaneously. Their Teams usage patterns - joining support calls, screen sharing for remote assistance, accessing shared documentation libraries - mirror legitimate support activities that Backdoor.Turn could easily mimic.

The ransomware-as-a-service model amplifies these risks because DragonForce affiliates can specialize in compromising specific service provider types. One affiliate might focus exclusively on breaching MSPs serving healthcare, while another targets consulting firms with government contracts. This specialization allows attackers to develop deep knowledge of industry-specific Teams configurations, compliance requirements, and operational patterns.

IT administrators and service delivery managers within these organizations face the highest individual risk profiles. Their accounts possess the elevated privileges necessary to disable security controls, modify firewall rules, and access sensitive systems - exactly the capabilities DragonForce leveraged after initial compromise. These roles also legitimately interact with external parties through Teams, making anonymous visitor connections less anomalous.

Cloud migration specialists and Teams administrators represent particularly valuable targets because they understand the infrastructure attackers seek to abuse. Their credentials provide both technical access and operational knowledge about how Teams relay services function, where logs are stored, and which monitoring gaps exist.

Organizations providing 24/7 support services face additional exposure through shift handovers conducted via Teams, where critical information about ongoing incidents, temporary workarounds, and security exceptions gets shared between teams. These transition periods create windows where unusual access patterns might be attributed to shift changes rather than compromise.
