Ransomware Gangs Abusing Microsoft Teams Relays to Hide Command-and-Control Traffic

What Happened

Security researchers have identified a concerning trend among ransomware gangs who are exploiting Microsoft Teams relay infrastructure to conceal their command-and-control (C2) traffic. By routing malicious communications through legitimate Microsoft 365 and Teams infrastructure, attackers can make their C2 traffic blend seamlessly with normal enterprise collaboration activity, evading traditional network-based detection mechanisms. This technique was first observed in the wild in June 2026 and has been linked to multiple active ransomware campaigns targeting organisations across various sectors.

How It Works

Microsoft Teams uses relay servers to facilitate real-time communication between internal and external users, even when direct peer-to-peer connections are blocked by firewalls or NAT. Attackers are abusing these relay endpoints by implanting malicious payloads that use the Teams relay protocol to tunnel C2 traffic. The abusive flow works as follows:

  • Initial Compromise: The attacker gains initial access to a victim endpoint through phishing, exploited vulnerabilities, or other means.
  • Relay Tunnelling Setup: A lightweight implant is deployed that leverages the Microsoft Teams client SDK or mimics legitimate Teams WebSocket connections to Microsoft’s relay infrastructure (domains such as *.teams.microsoft.com and associated TURN/STUN relay endpoints).
  • C2 Obfuscation: C2 commands and exfiltrated data are embedded within what appears to be standard Teams signalling and media relay traffic, often using encrypted payloads inside ICE candidate exchanges or screen-sharing control messages to avoid deep packet inspection.
  • External Staging: The attacker operates an external Teams tenant or compromised guest account that acts as the command-and-control endpoint, receiving relayed data through Microsoft’s own infrastructure.

Impact

The primary impact of this technique is the evasion of network monitoring and perimeter defences. Organisations that rely on network traffic analysis, IP reputation filtering, or DNS-based threat detection are at significant risk because:

  • All C2 traffic is directed to legitimate Microsoft-owned IP ranges and domains, which are almost universally allow-listed in corporate environments.
  • TLS encryption at the transport layer prevents payload inspection without TLS decryption proxies, which often cannot inspect Teams traffic without breaking functionality.
  • Traditional indicators of compromise (IOCs) based on destination IP or domain are rendered ineffective since the traffic terminates at Microsoft infrastructure rather than attacker-controlled servers.
  • Data exfiltration through relay tunnels can blend with normal Teams usage, making volumetric analysis unreliable.

Detection

Despite the obfuscation, the following detection strategies can help identify potential abuse:

  • Anomalous Teams Traffic Patterns: Monitor for sustained, high-volume data transfers through Teams relay endpoints outside normal business hours, long-duration connections with minimal interactive session activity, or unusual ratios of media relay traffic versus signalling traffic on endpoints that do not normally participate in voice or video calls.
  • Unusual Relay Usage: Track connections to TURN/STUN relay endpoints from processes other than the expected Teams client binary. Endpoint detection and response (EDR) tools should flag any non-Teams process establishing persistent WebSocket or UDP connections to *.teams.microsoft.com domains.
  • Guest and External Access Anomalies: Audit Teams guest access logs for connections from newly created or low-reputation external tenants, particularly those with free or trial licences that engage in prolonged data sessions with internal users.
  • EDR Behavioural Analysis: Look for processes injecting into or hooking the Teams client process, abnormal use of Teams client APIs, or unusual memory patterns in processes communicating with Teams relay endpoints.
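As an added example (not code from the original advisory), the Python below triages constructed endpoint connection records against three of the detection strategies listed above: relay connections from a process other than the expected Teams client, large outbound transfers through a relay outside business hours, and long relay sessions on a host with no call activity. The record field names, the approved process images, the thresholds and the sample events are all assumptions and need mapping onto your own EDR schema and baseline.

```python
"""Heuristic triage of endpoint network telemetry for the Teams-relay abuse
patterns described in the advisory. Field names, process names and thresholds
are assumptions for this example; map them onto your EDR's schema before use."""
from datetime import datetime
from fnmatch import fnmatch

# Destination patterns treated as Teams relay/signalling infrastructure.
TEAMS_RELAY_PATTERNS = ("*.teams.microsoft.com", "teams.microsoft.com")
# Process images expected to talk to the relays (assumption: desktop Teams
# clients; add your browser images if users run the Teams web app).
APPROVED_TEAMS_BINARIES = {"teams.exe", "ms-teams.exe", "msteams.exe"}
# Thresholds are assumptions; tune them to your environment's baseline.
OFF_HOURS_VOLUME_BYTES = 50 * 1024 * 1024   # outbound bytes in one off-hours session
LONG_SESSION_SECONDS = 6 * 3600             # relay session with no call activity
BUSINESS_HOURS = range(7, 20)               # 07:00-19:59 local time


def is_teams_relay(dest_host: str) -> bool:
    """True if the destination matches a Teams relay/signalling domain."""
    host = dest_host.lower()
    return any(fnmatch(host, pat) for pat in TEAMS_RELAY_PATTERNS)


def evaluate_event(ev: dict) -> list:
    """Return (rule, reason) pairs that fire for one connection record."""
    findings = []
    if not is_teams_relay(ev["dest_host"]):
        return findings                      # not relay traffic; nothing to judge
    proc = ev["process"].lower()
    hour = datetime.fromisoformat(ev["timestamp"]).hour

    # Rule 1: relay connection from a process that is not the Teams client.
    if proc not in APPROVED_TEAMS_BINARIES:
        findings.append(("unexpected_process",
                         f"{ev['process']} -> {ev['dest_host']} over {ev['protocol']}"))
    # Rule 2: large outbound transfer through a relay outside business hours.
    if hour not in BUSINESS_HOURS and ev["bytes_out"] >= OFF_HOURS_VOLUME_BYTES:
        findings.append(("off_hours_volume",
                         f"{ev['bytes_out'] // (1024 * 1024)} MiB out at {ev['timestamp']}"))
    # Rule 3: very long relay session on a host with no call/meeting activity.
    if ev["duration_s"] >= LONG_SESSION_SECONDS and not ev.get("in_call", False):
        findings.append(("long_idle_session",
                         f"{ev['duration_s'] // 3600} h relay session with no call activity"))
    return findings


def scan(events: list) -> dict:
    """Map each host to the list of findings raised against it."""
    alerts = {}
    for ev in events:
        for finding in evaluate_event(ev):
            alerts.setdefault(ev["host"], []).append(finding)
    return alerts


# Constructed sample telemetry (not real data): one benign call, one session
# matching the advisory's pattern, and one browser-based Teams session that
# shows why the approved-binary list needs tuning.
SAMPLE_EVENTS = [
    {"timestamp": "2026-06-14T10:05:00", "host": "WS-HR-02",
     "process": "Teams.exe", "dest_host": "relay-eu.teams.microsoft.com",
     "protocol": "udp/3478", "bytes_out": 30 * 1024 * 1024,
     "duration_s": 1800, "in_call": True},
    {"timestamp": "2026-06-14T02:15:00", "host": "WS-FINANCE-07",
     "process": "updatesvc.exe", "dest_host": "relay-eu.teams.microsoft.com",
     "protocol": "udp/3478", "bytes_out": 400 * 1024 * 1024,
     "duration_s": 8 * 3600, "in_call": False},
    {"timestamp": "2026-06-14T14:30:00", "host": "WS-DEV-11",
     "process": "msedge.exe", "dest_host": "teams.microsoft.com",
     "protocol": "tcp/443", "bytes_out": 2 * 1024 * 1024,
     "duration_s": 900, "in_call": True},
]

if __name__ == "__main__":
    for host, findings in scan(SAMPLE_EVENTS).items():
        for rule, reason in findings:
            print(f"{host}: [{rule}] {reason}")
```

Run as written, the finance workstation trips all three rules while the HR host raises nothing. The third record deliberately fires only the process rule: a browser running the Teams web app is legitimate, so the approved-binary list must be extended per environment rather than trusted blindly. A process allow-list also says nothing about an implant that injects into the real Teams process, which is why the EDR behavioural checks above (injection, hooking, abnormal client API use) need to sit alongside this kind of flow-level triage.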

Recommendations

  1. Review Teams Relay Configurations: Assess your Microsoft Teams admin centre settings. Restrict external access and guest capabilities to only trusted domains and tenants. Disable trial tenant access where possible and enforce conditional access policies that require compliant devices for Teams usage.
  2. EDR Inspection of Teams Flows: Deploy or configure endpoint detection and response solutions to inspect process-level network flows associated with Teams traffic. Ensure EDR agents can detect anomalous process behaviour, DLL injection into Teams processes, and unexpected outbound connections to Teams relay infrastructure from non-approved binaries.
  3. Audit External Access Settings: Regularly review Teams external access and federation settings. Limit external communication to pre-approved partner tenants. Enable detailed audit logging for all Teams external interactions and integrate these logs into your SIEM for automated alerting on unusual patterns.
  4. Network Segmentation and Monitoring: While Teams traffic is encrypted, organisations should still monitor netflow data for unusual volume patterns to Microsoft 365 IP ranges. Consider deploying Microsoft Defender for Office 365 advanced hunting capabilities to query Teams-related activities across your tenant.
  5. User Awareness Training: Educate users about the risks of interacting with unknown external Teams contacts and encourage reporting of suspicious external messages or meeting invitations.
