Microsoft describes Teams as a Zero Trust-compatible enterprise communications platform; DragonForce is routing command-and-control traffic through it as webhook integrations on port 443, indistinguishable from a channel notification at the network layer. The technique is MITRE T1102.002. A SIEM rule tuned to flag unusual outbound connections will not fire.
Closing the channel requires a Cloud Access Security Broker deployed in forward-proxy mode, configured to inspect webhook payloads traversing Microsoft's endpoint ranges. Defender for Cloud Apps, Microsoft's own CASB, does not retain Teams webhook content under its default policy. HKMA's C-RAF assessment question set does not name webhook abuse against sanctioned SaaS applications as a required penetration test scenario. Disabling external webhook integrations at the Teams tenant administration level removes the attack surface. Microsoft 365 ships with them enabled.