Symantec’s June 2026 disclosure of Backdoor.Turn introduced a C2 evasion technique that is genuinely novel: DragonForce operators obtained anonymous visitor tokens from Microsoft’s Skype identity service, then used those tokens to establish covert QUIC sessions through Microsoft’s own TURN relay infrastructure. The result is command-and-control traffic that, at the network layer, looks like a user attending a Teams meeting.

Traditional network-based detection fails here. You cannot differentiate the QUIC session carrying C2 traffic from a legitimate Teams call using network metadata alone, because the source IPs, destination IPs, ports, and TLS characteristics all belong to Microsoft’s legitimate infrastructure. The detection opportunities are elsewhere: in endpoint telemetry around token acquisition, in process behaviour, in the pattern of QUIC connection establishment, and in the anonymous join configuration that the technique depends on.

This guide covers each of those detection surfaces with deployable rules.

Understanding the Attack Chain

Before building detections, it’s worth being precise about what Backdoor.Turn actually does:

  1. Token acquisition. The backdoor calls Microsoft’s Skype identity API to obtain an anonymous visitor token — the same mechanism used by guests joining a Teams meeting without a Microsoft account. This call goes to api.skype.com or related endpoints and returns a short-lived bearer token.

  2. TURN relay session establishment. Using the visitor token, the backdoor establishes a QUIC session through Microsoft’s TURN relay servers. TURN (Traversal Using Relays around NAT) is designed to facilitate peer-to-peer connectivity through NAT boundaries — Teams uses it for A/V media relay when direct peer connection isn’t possible.

  3. C2 tunnelling. The attacker’s real C2 infrastructure is on the other end of the TURN relay session. Commands flow inbound; data flows outbound. To network security tooling watching outbound connections, all it sees is UDP 443 to Microsoft relay IP addresses.

  4. Capabilities. Once the channel is established, the backdoor supports: command execution, process creation, network scanning, LDAP/AD enumeration, lateral movement with stolen credentials, browser credential extraction, and TLS certificate capture.

The key dependency for this technique is that anonymous Teams meeting join is enabled in the target’s tenant. By default, Microsoft allows guests to join Teams meetings without authentication. This is the configuration the technique exploits.

Detection Surface 1: Anonymous Token Acquisition (Endpoint)

The token acquisition step is the most reliable detection opportunity because it involves a process making an HTTP request to Skype identity endpoints that is not attributable to any Microsoft Teams or Office application process. Legitimate Teams clients acquire their own tokens through their own process; Backdoor.Turn acquires a visitor token through the backdoor binary itself.

Sigma: Suspicious Skype API Token Request

title: Suspicious Anonymous Skype/Teams Token Acquisition
id: 9f2b4e1a-c7d3-4891-b5e2-f6a8d3c91042
status: experimental
description: >
  Detects HTTP requests to Microsoft Skype identity API endpoints from processes
  that are not Microsoft Teams, Skype, or known Microsoft Office applications.
  Backdoor.Turn acquires anonymous visitor tokens via this endpoint as the first
  step in establishing a covert TURN relay C2 channel.
references:
  - https://www.security.com/threat-intelligence/dragonforce-msteams-backdoor
author: Detection Engineering
date: 2026-06-22
tags:
  - attack.command-and-control
  - attack.t1102.002
logsource:
  product: windows
  category: network_connection
detection:
  selection:
    DestinationHostname|contains:
      - 'api.skype.com'
      - 'teams.microsoft.com'
      - 'skypeassets.com'
  filter_legitimate:
    Image|endswith:
      - '\Teams.exe'
      - '\ms-teams.exe'
      - '\Skype.exe'
      - '\SkypeApp.exe'
      - '\msedge.exe'
      - '\chrome.exe'
      - '\firefox.exe'
      - '\outlook.exe'
      - '\WINWORD.EXE'
      - '\EXCEL.EXE'
  condition: selection and not filter_legitimate
falsepositives:
  - Third-party applications with legitimate Teams/Skype integration
  - Custom enterprise applications using Teams API
level: high

The filter list is imperfect — any third-party app with a Teams integration would match. Tune by adding additional known-good image paths for your environment.

KQL (Microsoft Sentinel / Defender for Endpoint)

// Suspicious Skype identity API access from non-Microsoft processes
DeviceNetworkEvents
| where TimeGenerated > ago(24h)
| where RemoteUrl has_any ("api.skype.com", "skypeassets.com")
    or RemotePort == 443 and RemoteIPType == "Public"
| where InitiatingProcessFileName !in~ (
    "Teams.exe", "ms-teams.exe", "Skype.exe", "SkypeApp.exe",
    "msedge.exe", "chrome.exe", "firefox.exe",
    "outlook.exe", "WINWORD.EXE", "EXCEL.EXE", "svchost.exe"
  )
| project TimeGenerated, DeviceName, InitiatingProcessFileName,
    InitiatingProcessFolderPath, RemoteUrl, RemoteIP, RemotePort,
    InitiatingProcessCommandLine
| order by TimeGenerated desc

Detection Surface 2: Anonymous Teams Join Configuration (M365 Audit Log)

Disabling anonymous Teams join removes the technical precondition for Backdoor.Turn’s TURN relay technique. Monitoring for changes to this setting detects both attacker activity (re-enabling the setting after an admin disables it) and configuration drift.

KQL (Microsoft Sentinel — M365 Audit Logs)

// Monitor Teams anonymous meeting join policy changes
OfficeActivity
| where TimeGenerated > ago(7d)
| where OfficeWorkload == "MicrosoftTeams"
| where Operation in (
    "Set-CsTeamsMeetingPolicy",
    "Set-CsTeamsGuestMeetingConfiguration",
    "Grant-CsTeamsMeetingPolicy"
  )
| extend ParsedParameters = parse_json(Parameters)
| where tostring(ParsedParameters) has_any ("AllowAnonymousUsersToJoinMeeting", "AllowExternalAccess")
| project TimeGenerated, UserId, Operation, ParsedParameters, ClientIP
| order by TimeGenerated desc

If anonymous join is disabled across the tenant (the recommended configuration for enterprises that don’t require it), any re-enablement of the setting should be treated as a high-priority alert.

Detection Surface 3: QUIC Traffic Anomalies (Network)

QUIC operates over UDP 443. While blocking UDP 443 to all destinations is not practical (it would break legitimate Teams and many other applications), anomaly detection against the baseline of UDP 443 traffic from specific endpoints can surface outliers.

The key anomaly is duration and data volume relative to a legitimate Teams session. A Teams meeting generates high-bandwidth bidirectional traffic (audio/video). A C2 channel generates low-bandwidth, asymmetric traffic — small command packets inbound, potentially larger data packets outbound depending on what’s being exfiltrated. The data patterns are detectably different with sufficient network telemetry.

KQL (Sentinel — Network Flow Logs)

// Identify low-bandwidth long-duration UDP 443 sessions to Microsoft relay ranges
// Microsoft Teams relay IPs fall in known Microsoft ASN ranges (AS8075)
// Adjust 'BytesSent' and 'BytesReceived' thresholds for your environment
AzureNetworkAnalytics_CL
| where TimeGenerated > ago(24h)
| where L4Protocol_s == "UDP"
| where DestPort_d == 443
| where DestPublicIPDetails_IpAddr_s startswith "52." 
    or DestPublicIPDetails_IpAddr_s startswith "13."
    or DestPublicIPDetails_IpAddr_s startswith "40."
| summarize TotalBytesSent = sum(BytesSentAllFlows_d),
    TotalBytesReceived = sum(BytesReceivedAllFlows_d),
    SessionDurationMinutes = max(TimeGenerated) - min(TimeGenerated),
    FlowCount = count()
    by bin(TimeGenerated, 1h), SrcIP_s, DestPublicIPDetails_IpAddr_s
| where TotalBytesSent < 10000  // Very low outbound data
    and SessionDurationMinutes > 30min  // But long duration
| project TimeGenerated, SrcIP_s, DestPublicIPDetails_IpAddr_s,
    TotalBytesSent, TotalBytesReceived, SessionDurationMinutes, FlowCount

This query flags long-duration, low-bandwidth UDP 443 sessions — the signature of a C2 keepalive channel rather than a media stream.

Detection Surface 4: Process Behaviour and Injection (Endpoint)

Backdoor.Turn is deployed after a BYOVD chain that terminates EDR software. That BYOVD activity is itself detectable — the Poortry driver and related vulnerable drivers used by DragonForce have known signatures and hash values that should trigger on kernel driver load events.

Sigma: Suspicious Driver Load Followed by EDR Process Termination

title: BYOVD Driver Load with Subsequent Security Process Termination
id: 3a8c2f9e-d1b4-4a27-9e53-c7f2b8d4a631
status: experimental
description: >
  Detects loading of known BYOVD vulnerable drivers followed within 5 minutes
  by termination of endpoint security processes. This pattern matches DragonForce
  and other ransomware operators using BYOVD to disable EDR before deploying backdoors.
references:
  - https://www.security.com/threat-intelligence/dragonforce-msteams-backdoor
  - https://www.loldrivers.io
author: Detection Engineering
date: 2026-06-22
tags:
  - attack.defense-evasion
  - attack.t1562.001
  - attack.t1068
logsource:
  product: windows
  category: driver_loaded
detection:
  byovd_driver:
    Hashes|contains:
      # Poortry variants — cross-reference loldrivers.io for current list
      - 'e27d84712fe25b6b23a7b82ab3e4e7c8'
      - 'f4df67c9c42a9d9a6b5e1c4f8d3e2a71'
    Signed: 'true'
  condition: byovd_driver
falsepositives:
  - Legitimate use of signed vulnerable drivers (rare)
level: critical

KQL: BYOVD Followed by Security Tool Termination

// Correlate driver load events with subsequent security process termination
let ByovdDriverHashes = dynamic([
    "e27d84712fe25b6b23a7b82ab3e4e7c8",
    "f4df67c9c42a9d9a6b5e1c4f8d3e2a71"
    // Add current Poortry hashes from loldrivers.io
]);
let SecurityProcessNames = dynamic([
    "MsMpEng.exe", "SenseService.exe", "csfalconservice.exe",
    "xagt.exe", "cb.exe", "cylancesvc.exe", "SentinelAgent.exe"
]);
let DriverLoads = DeviceEvents
| where ActionType == "DriverLoad"
| where InitiatingProcessSHA256 has_any (ByovdDriverHashes)
    or FileName has_any ("poortry", "truesight")
| project DriverLoadTime = TimeGenerated, DeviceName, FileName;
let ProcessTerminations = DeviceProcessEvents
| where ActionType == "ProcessTerminated"
| where FileName in~ (SecurityProcessNames)
| project TermTime = TimeGenerated, DeviceName, FileName;
DriverLoads
| join kind=inner ProcessTerminations on DeviceName
| where TermTime > DriverLoadTime and TermTime < DriverLoadTime + 5m
| project DriverLoadTime, TermTime, DeviceName, FileName

Detection Surface 5: Lateral Movement via Stolen Credentials

DragonForce’s attack chain after deploying Backdoor.Turn includes lateral movement using credentials extracted from the compromised host — browsers, LSASS, and connected application credentials. Monitoring for authentication patterns that don’t match established baselines catches this stage.

KQL: Unusual Authentication Pattern from Infected Host

// Flag endpoints authenticating to many distinct internal hosts in a short window
SecurityEvent
| where EventID in (4624, 4625, 4648)
| where TimeGenerated > ago(1h)
| where LogonType in (3, 10)  // Network and RemoteInteractive
| summarize UniqueTargets = dcount(Computer),
    FailedLogins = countif(EventID == 4625),
    SuccessLogins = countif(EventID == 4624),
    AccountsUsed = make_set(TargetUserName)
    by SubjectUserName, IpAddress
| where UniqueTargets > 10 or FailedLogins > 20
| project SubjectUserName, IpAddress, UniqueTargets,
    FailedLogins, SuccessLogins, AccountsUsed
| order by UniqueTargets desc

The most effective single defensive action is disabling anonymous meeting join in Teams admin settings (-AllowAnonymousUsersToJoinMeeting $false via PowerShell for Skype for Business Online, or equivalent in Teams Admin Center under Meeting policies). This removes the mechanism Backdoor.Turn uses to acquire its relay token, making the TURN relay technique non-functional even if the backdoor binary reaches a system.

For environments that require anonymous join for legitimate purposes (conference systems, external collaboration), compensate with aggressive monitoring of the QUIC anomaly detections and process-level token acquisition rules above.

Cross-reference the LOLDrivers database (loldrivers.io) regularly and enforce Windows Defender Application Control or equivalent driver blocklisting policies. The BYOVD chain that precedes Backdoor.Turn deployment is detectable and blockable with kernel driver controls — and blocking it prevents deployment of the backdoor entirely, regardless of whether the TURN relay technique is being used.