Threat Analysis: DragonForce Hides in Microsoft Teams, Fortinet Flaws Hit, and Your WordPress Site Is Probably Compromised


Hello, Mauven here.

This is your Daily Threat Analysis for 16th June 2026.

Three stories today. One is technically sophisticated and will be underestimated. One is a known class of vulnerability that organisations keep getting caught by. And one is a supply chain attack that has already compromised over a million sites, and most of the affected businesses will not find out until someone tells them.

Let us go through them.


DragonForce Hides Ransomware Traffic Inside Microsoft Teams

DragonForce ransomware has deployed a custom backdoor, named Backdoor.Turn, that tunnels its command-and-control communications through Microsoft Teams relay infrastructure.

The specific mechanism is the abuse of TURN (Traversal Using Relays around NAT), the protocol Teams uses to route media traffic when direct peer-to-peer connections are not possible. Backdoor.Turn encodes its C2 traffic to look like legitimate Teams relay communications. From the perspective of most network monitoring tools and firewalls, this traffic is indistinguishable from normal Teams usage.

This is not a vulnerability in Microsoft Teams. Teams is functioning exactly as designed. The attack exploits the implicit trust that organisations have placed in a widely-used, Microsoft-operated service.

The NCSC has published guidance on network monitoring and the risks of implicit trust in cloud service traffic. The fact that a ransomware group has now built a custom backdoor specifically to exploit that trust tells you how that guidance has been received operationally.

What the reporting does not say

The coverage focuses on the technical sophistication of Backdoor.Turn. What it does not discuss is how Backdoor.Turn gets onto a system in the first place, and that entry mechanism is almost certainly more relevant to most UK SMBs than the C2 evasion technique.

DragonForce has previously been observed gaining initial access through compromised credentials, phishing, and exposed remote desktop services. The custom backdoor is a post-compromise tool. If your defences are built around perimeter controls and you are relying on endpoint detection to catch lateral movement, you are already behind by the time Backdoor.Turn matters.

What UK SMBs should do

If you use Microsoft Teams and have any managed security monitoring in place, ask your provider directly: does your traffic monitoring inspect Teams relay communications, or does it treat Teams as a trusted source? If the answer is the latter, that is a gap worth understanding.
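The question above is really about whether monitoring applies any context to Teams relay traffic or simply waves it through. The following is an added example (not code from the article, DragonForce reporting, or Microsoft) showing one defensive answer: inventory which internal hosts talk to the published Teams media relay ranges on the TURN ports, then flag hosts that have no business doing so (servers with no Teams client) and hosts whose relay sessions recur on a suspiciously regular schedule. The flow-log lines, host inventory and thresholds are constructed; the relay ranges and ports are taken from Microsoft's published Microsoft 365 endpoint list and should be treated as an assumption to re-check against the current list.

```python
"""Apply host context to Teams relay (TURN) traffic instead of trusting it by destination.

Added example; the flow records and server inventory below are constructed.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime
from statistics import pstdev

# Teams media/relay ranges and TURN ports as published in the Microsoft 365 endpoint
# list (assumption: verify against the current published list before relying on it).
TEAMS_RELAY_NETS = [ipaddress.ip_network(n) for n in ("13.107.64.0/18", "52.112.0.0/14", "52.122.0.0/15")]
TURN_PORTS = {3478, 3479, 3480, 3481}

# Constructed inventory: hosts that should never run a Teams client.
SERVER_HOSTS = {"10.0.5.20", "10.0.5.21"}

# Constructed flow log: timestamp src dst dst_port proto bytes_out
FLOW_LOG = """\
2026-06-16T09:00:01Z 10.0.1.15 52.113.10.5 3478 udp 412000
2026-06-16T09:00:05Z 10.0.1.22 52.114.3.9 3479 udp 980000
2026-06-16T09:01:00Z 10.0.5.20 52.112.7.7 3478 udp 3100
2026-06-16T09:02:00Z 10.0.5.20 52.112.7.7 3478 udp 3200
2026-06-16T09:03:00Z 10.0.5.20 52.112.7.7 3478 udp 3050
2026-06-16T09:04:00Z 10.0.5.20 52.112.7.7 3478 udp 3150
2026-06-16T09:00:30Z 10.0.1.15 142.250.72.14 443 tcp 5000
"""


def parse_flows(text):
    """Parse the whitespace-separated flow records into dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto, nbytes = line.split()
        flows.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "dst": dst, "port": int(port), "proto": proto, "bytes": int(nbytes),
        })
    return flows


def is_teams_relay(dst, port):
    """True when the destination is a Teams relay range on a TURN port."""
    addr = ipaddress.ip_address(dst)
    return port in TURN_PORTS and any(addr in net for net in TEAMS_RELAY_NETS)


def relay_flows_by_host(flows):
    """Group the relay-bound flows by internal source host (the inventory step)."""
    by_host = defaultdict(list)
    for f in flows:
        if is_teams_relay(f["dst"], f["port"]):
            by_host[f["src"]].append(f)
    return by_host


def find_suspicious_relay_users(flows, server_hosts=SERVER_HOSTS, max_jitter_s=5.0, min_sessions=3):
    """Flag hosts whose relay use does not fit a human running a Teams client.

    Two heuristics: the host is a server with no Teams client, or its relay
    sessions recur at near-constant intervals (low jitter), which is typical of
    scheduled check-ins rather than ad-hoc calls and meetings.
    """
    findings = []
    for host, hf in relay_flows_by_host(flows).items():
        reasons = []
        if host in server_hosts:
            reasons.append("server with no Teams client talking to a Teams relay")
        if len(hf) >= min_sessions:
            times = sorted(f["ts"] for f in hf)
            gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
            if pstdev(gaps) <= max_jitter_s:
                reasons.append(f"relay sessions recur every ~{gaps[0]:.0f}s with little jitter")
        if reasons:
            findings.append((host, reasons))
    return sorted(findings)


if __name__ == "__main__":
    for host, reasons in find_suspicious_relay_users(parse_flows(FLOW_LOG)):
        print(host, "->", "; ".join(reasons))
```

The point of the example is not that it identifies Backdoor.Turn specifically; it is that a destination-based allow rule for Teams gives you nothing, while the same flows joined to an asset inventory and a timing check immediately separate the two user workstations from the server that should never be talking to a relay at all.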

For organisations using Conditional Access in Microsoft Entra (formerly Azure AD), ensure external tenant access is restricted to known, approved tenants. Allowing Teams federation with arbitrary external organisations is a configuration choice that significantly expands your attack surface. Many UK SMBs inherited this setting from the default configuration during rapid Teams deployment in 2020 and have never revisited it.


Fortinet FortiSandbox: Critical Flaws Being Actively Exploited

Multiple critical vulnerabilities in Fortinet’s FortiSandbox platform are now being actively exploited in the wild, according to threat intelligence from Defused.

FortiSandbox is Fortinet’s threat detection and sandboxing appliance, used by managed security providers and larger organisations to analyse suspicious files and URLs. The vulnerabilities include authentication bypass, command injection, and privilege escalation flaws, a combination that, if chained, provides an attacker with unauthenticated remote code execution.

Fortinet has a documented pattern here. Critical vulnerabilities in their products, FortiGate, FortiOS, FortiNAC, and now FortiSandbox, have repeatedly been exploited in the wild before a significant proportion of the installed base has patched. The advisory gets published. The exploitation begins. The patching lags.

The supply chain dimension

Most UK SMBs are not running FortiSandbox directly, and are likely unaware whether their managed security provider is running it on their behalf. That is the point.

When a security vendor’s own threat detection infrastructure has exploitable critical vulnerabilities that are being actively targeted, the risk does not stay inside the vendor’s perimeter. It propagates through the managed service relationships that connect it to every customer in that provider’s portfolio.

If your organisation has a managed security service, a managed detection and response provider, or an MSP that uses Fortinet products as part of its security stack, the question to ask today is: what is your patch status for FortiSandbox, and when was it last confirmed?

You should not be asking that question in a month’s time after an incident. You should be asking it today, while the answer is still preventative.


CISA-Confirmed: LiteSpeed cPanel Plugin Flaw Under Active Exploitation (CVE-2026-54420)

CISA has added CVE-2026-54420, a vulnerability in the LiteSpeed cPanel user-end plugin, to its Known Exploited Vulnerabilities catalogue. US government agencies were given three days to patch. That deadline was not set because the risk is theoretical.

LiteSpeed Cache is one of the most widely deployed caching plugins for WordPress, with tens of millions of active installations globally. The cPanel-specific variant extends that footprint to web hosting environments where site owners may have limited visibility into what plugins are running or whether their hosting provider has applied updates.

This matters to UK SMBs because a significant proportion of UK business websites run on shared WordPress hosting, managed by third parties, with LiteSpeed Cache installed by default. The business owner does not know it is there. They would not know if it were vulnerable. They would not know if it had been exploited.

What to do

If your business website is hosted on cPanel-based shared hosting, contact your hosting provider today and ask whether the LiteSpeed cPanel plugin has been updated in response to CVE-2026-54420. If your provider cannot answer that question, that tells you something about how they manage security on your behalf.


Also Worth Noting: WordPress Supply Chain Attack via OptinMonster

This did not make the lead because it is not a nation-state campaign or a CISA KEV item, but it is directly relevant to any UK SMB running a WordPress site.

Sansec has identified an active supply chain attack targeting over 1.2 million WordPress sites using the OptinMonster, TrustPulse, and PushEngage plugins, all operated by the same company, Awesome Motive. Attackers injected malicious JavaScript into files served through Awesome Motive’s CDN. The malware activates when a logged-in administrator visits the site and creates backdoor admin accounts.

If your site uses any of these plugins, check your WordPress admin users list now for accounts named developer_api1 or any account you do not recognise. Then check your plugin versions and confirm you are on the latest release.
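For anyone who would rather check the database than click through the admin screen, here is an added example (not code from the article or from Sansec) of the audit described above. WordPress stores roles as serialised PHP in the usermeta table, so the query lists every account whose capabilities contain "administrator", and the audit then flags the account name named in the reporting, any admin not on an approved list, and any admin created recently. The query is written against the standard wp_users/wp_usermeta layout with the default wp_ table prefix (an assumption: substitute your site's prefix, which also changes the meta_key); the in-memory SQLite database and its rows are constructed so the script runs offline, but the same SQL runs unchanged against a MySQL/MariaDB WordPress database.

```python
"""Audit WordPress administrator accounts for unrecognised or recently created admins.

Added example. The database below is a constructed stand-in for wp_users/wp_usermeta.
"""
import sqlite3
from datetime import datetime, timedelta

KNOWN_ADMINS = {"alice"}                 # constructed allowlist of approved admin logins
KNOWN_BAD_LOGINS = {"developer_api1"}    # account name reported in the campaign above

# Assumes the default wp_ prefix; with another prefix both the table names and the
# meta_key ('<prefix>capabilities') change.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.user_registered
"""


def build_sample_db():
    """Constructed in-memory database mimicking the relevant WordPress tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (
            ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (
            umeta_id INTEGER PRIMARY KEY, user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    users = [
        (1, "alice", "alice@example.test", "2021-03-04 10:00:00"),
        (2, "bob", "bob@example.test", "2022-08-01 09:30:00"),
        (3, "developer_api1", "dev@example.test", "2026-06-15 02:14:09"),
        (4, "ops_backup", "ops@mail.example.test", "2026-06-14 23:58:41"),
    ]
    # Roles are stored as serialised PHP arrays, e.g. a:1:{s:13:"administrator";b:1;}
    caps = [
        (1, 'a:1:{s:13:"administrator";b:1;}'),
        (2, 'a:1:{s:10:"subscriber";b:1;}'),
        (3, 'a:1:{s:13:"administrator";b:1;}'),
        (4, 'a:1:{s:13:"administrator";b:1;}'),
    ]
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", users)
    conn.executemany(
        "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, 'wp_capabilities', ?)", caps)
    return conn


def list_admins(conn):
    """Every account holding the administrator role, oldest first."""
    return conn.execute(ADMIN_QUERY).fetchall()


def audit_admins(conn, known_admins=KNOWN_ADMINS, now=None, recent_days=30):
    """Return the admins that need a human to look at them, with the reasons."""
    now = now or datetime(2026, 6, 16)
    findings = []
    for uid, login, email, registered in list_admins(conn):
        reasons = []
        if login in KNOWN_BAD_LOGINS:
            reasons.append("matches the account name reported in the campaign")
        if login not in known_admins:
            reasons.append("not on the approved admin list")
        age = now - datetime.strptime(registered, "%Y-%m-%d %H:%M:%S")
        if age <= timedelta(days=recent_days):
            reasons.append(f"created {age.days} day(s) ago")
        if reasons:
            findings.append({"id": uid, "login": login, "email": email, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_admins(build_sample_db()):
        print(f"{f['login']} (ID {f['id']}, {f['email']}): " + "; ".join(f["reasons"]))
```

Matching on the serialised string rather than deserialising it is deliberate: it is what you can run against a database dump or a read-only replica without PHP, and it also catches accounts that hold "administrator" alongside another role. Anything this flags should be compared against who actually created it and when, before it is deleted, so the evidence survives.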


Summary: What to Do Today

Priority | Action | Who It Affects
High | Ask your MSP or security provider about FortiSandbox patch status | Organisations with managed security services
High | Check Teams external tenant access configuration | All Microsoft 365 users
High | Contact hosting provider about the CVE-2026-54420 LiteSpeed patch | Any site on cPanel hosting
Medium | Audit WordPress admin users for unrecognised accounts | Sites using OptinMonster, TrustPulse, or PushEngage
Medium | Review whether Teams relay traffic is inspected by your monitoring | Organisations with network monitoring in place

Sources

Source | Title | URL
BleepingComputer | Ransomware gang abuses Microsoft Teams relays to hide malicious traffic | https://www.bleepingcomputer.com/news/security/ransomware-gang-abuses-microsoft-teams-relays-to-hide-malicious-traffic/
BleepingComputer | Critical Fortinet FortiSandbox flaws now exploited in attacks | https://www.bleepingcomputer.com/news/security/critical-fortinet-fortisandbox-flaws-now-exploited-in-attacks/
CISA KEV / BleepingComputer | CISA warns of another cPanel plugin flaw exploited in attacks (CVE-2026-54420) | https://www.bleepingcomputer.com/news/security/cisa-warns-of-another-actively-exploited-cpanel-plugin-flaw/
Sansec | OptinMonster supply chain attack hits 1.2 million sites | https://sansec.io/research/optinmonster-supply-chain-attack
Google Threat Intelligence | ShinyHunters Targets Education Sector with Oracle PeopleSoft Exploit (CVE-2026-35273) | https://cloud.google.com/blog/topics/threat-intelligence/shinyhunters-targets-education-sector-oracle-exploit
