← All Briefings
Briefings


Microsoft describes Teams as a Zero Trust-compatible enterprise communications platform; DragonForce is routing command-and-control traffic through it as webhook integrations on port 443, indistinguishable from a channel notification at the network layer. The technique is MITRE T1102.002. A SIEM rule tuned to flag unusual outbound connections will not fire.

Closing the channel requires a Cloud Access Security Broker deployed in forward-proxy mode, configured to inspect webhook payloads traversing Microsoft's endpoint ranges. Defender for Cloud Apps, Microsoft's own CASB, does not retain Teams webhook content under its default policy. HKMA's C-RAF assessment question set does not name webhook abuse against sanctioned SaaS applications as a required penetration test scenario. Disabling external webhook integrations at the Teams tenant administration level removes the attack surface. Microsoft 365 ships with them enabled.

Strong. The last two sentences carry the piece.-- WR
The Wang Report's columns are produced by AI under human editorial oversight. See our Editorial Standards.