Threat Analysis: DragonForce Hides in Microsoft Teams, Joomla Flaw Actively Exploited, and RoguePlanet Still Unpatched


Hello, Mauven here.

This is your Daily Threat Analysis for 17th June 2026.

Three items today. Each one is active. Each one has a direct line to UK small and medium businesses. I will not bury the lead.


DragonForce Is Using Microsoft Teams as Cover

This is the one that should concern you most.

Researchers at Symantec’s Threat Hunter Team have documented a DragonForce ransomware intrusion against a major US services firm in which the attackers concealed their command-and-control infrastructure inside Microsoft Teams relay servers. They did this using a custom Go-based remote access trojan called Backdoor.Turn, which exploited anonymous Teams visitor tokens and TURN relay servers to route malicious traffic through Microsoft’s own legitimate infrastructure.

The intrusion lasted over two weeks before detection.

Let that sit for a moment. Two weeks. Inside the network. Hiding behind traffic that any reasonable network monitoring tool would classify as legitimate Microsoft communications.

The advisory lists the CVEs associated with this campaign (CVE-2023-52271, CVE-2025-1055 and CVE-2025-61155), but the more significant thing here is the technique, not the specific vulnerabilities. TURN relay abuse is not new in concept. Using it specifically through Teams infrastructure to blend into enterprise traffic patterns is a significant operational step up.

What this means for UK SMBs. If your business uses Microsoft Teams, and most of you do, you cannot rely on perimeter controls to catch this class of attack. Outbound traffic to Microsoft IP ranges is almost universally permitted. That is precisely why this technique works. The attackers are not trying to sneak past your firewall. They are walking through the front door in Microsoft’s uniform.

Detection requires behavioural anomaly monitoring inside the network, not just at the edge. Look for unusual volumes of Teams-associated traffic from endpoints that do not normally generate it, particularly outside business hours. If you are relying solely on perimeter defences and antivirus, you are not positioned to catch this.
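The behavioural check described above can be sketched in a few dozen lines. This is an added example by the editor, not Symantec's detection logic or anything from the original briefing: the flow records are constructed, the "teams-relay" destination label and the host names are assumptions standing in for real telemetry (in practice you would match on Microsoft's published Teams relay address ranges), and the thresholds (business hours 08:00 to 18:00 on weekdays, three standard deviations above each host's own daily mean) are starting points to tune to your environment.

```python
"""Flag endpoints whose traffic to Teams relay destinations departs from their own
baseline, with emphasis on activity outside business hours.

Editor's added example, not code from Symantec or the original briefing.
All flow records below are constructed; "teams-relay" stands in for
Microsoft's published Teams/TURN relay address ranges (an assumption)."""
from collections import defaultdict
from datetime import datetime, time
from statistics import mean, pstdev

BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
TEAMS_MEDIA_PORTS = {3478, 3479, 3480, 3481}  # UDP ports Microsoft documents for Teams media/TURN

# Constructed baseline week: one finance workstation uses Teams every working day,
# the file server never does. Tuples: (timestamp, host, destination, dst port, bytes).
BASELINE = [
    (datetime(2026, 6, 8, 10, 0), "finance-pc01", "teams-relay", 3478, 50_000_000),
    (datetime(2026, 6, 9, 10, 0), "finance-pc01", "teams-relay", 3478, 48_000_000),
    (datetime(2026, 6, 10, 10, 0), "finance-pc01", "teams-relay", 3478, 52_000_000),
    (datetime(2026, 6, 11, 10, 0), "finance-pc01", "teams-relay", 3478, 47_000_000),
    (datetime(2026, 6, 12, 10, 0), "finance-pc01", "teams-relay", 3478, 53_000_000),
    (datetime(2026, 6, 10, 11, 0), "server-fs01", "fileshare", 445, 900_000_000),
]

# Constructed observation day: a normal daytime call, plus two flows that should not happen.
OBSERVED = [
    (datetime(2026, 6, 16, 2, 15), "server-fs01", "teams-relay", 3478, 120_000_000),
    (datetime(2026, 6, 16, 2, 20), "server-fs01", "fileshare", 445, 30_000_000),
    (datetime(2026, 6, 16, 10, 15), "finance-pc01", "teams-relay", 3478, 45_000_000),
    (datetime(2026, 6, 16, 23, 40), "finance-pc01", "teams-relay", 3478, 400_000_000),
]


def is_business_hours(ts):
    """Weekday and within the configured working window."""
    return ts.weekday() < 5 and BUSINESS_START <= ts.time() < BUSINESS_END


def is_teams_relay(dst, port):
    """Constructed matcher; replace with a lookup against Microsoft's relay ranges."""
    return dst == "teams-relay" and port in TEAMS_MEDIA_PORTS


def build_baseline(flows):
    """Per host: list of daily byte totals sent to Teams relays during business hours."""
    daily = defaultdict(lambda: defaultdict(int))
    for ts, host, dst, port, nbytes in flows:
        if is_teams_relay(dst, port) and is_business_hours(ts):
            daily[host][ts.date()] += nbytes
    return {host: list(days.values()) for host, days in daily.items()}


def find_anomalies(flows, baseline, sigma=3.0):
    """Return (host, day, bytes, reason) for out-of-hours Teams relay traffic that either
    comes from a host with no daytime Teams baseline at all, or exceeds that host's
    mean daily volume by more than `sigma` standard deviations."""
    off_hours = defaultdict(int)
    for ts, host, dst, port, nbytes in flows:
        if is_teams_relay(dst, port) and not is_business_hours(ts):
            off_hours[(host, ts.date())] += nbytes

    findings = []
    for (host, day), total in off_hours.items():
        days = baseline.get(host)
        if not days:
            findings.append((host, day, total, "no business-hours Teams baseline for this host"))
            continue
        mu, sd = mean(days), pstdev(days)
        # Floor the spread at 5% of the mean so a flat baseline does not make every blip an alert.
        if total > mu + sigma * max(sd, 0.05 * mu):
            findings.append((host, day, total,
                             f"out-of-hours volume {total / mu:.1f}x the business-hours daily mean"))
    return findings


if __name__ == "__main__":
    for host, day, total, reason in find_anomalies(OBSERVED, build_baseline(BASELINE)):
        print(f"{day} {host}: {total / 1e6:.0f} MB to Teams relays; {reason}")
```

The logic is deliberately per-host rather than per-network: a file server that has never spoken to a Teams relay is the signal, even if its volume would be unremarkable coming from a laptop in sales. Feed it from whatever produces flow or proxy records on your network (firewall logs, NetFlow, an EDR's network telemetry) and keep the baseline window rolling.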

For businesses running managed security services: ask your provider directly whether their monitoring covers lateral traffic behaviour and internal network anomalies, or whether they are predominantly watching the perimeter. The answer will tell you quite a lot.


Joomla JCE Plugin: Maximum Severity, Actively Exploited, Patch Today

CISA has added the Widget Factory Joomla Content Editor plugin vulnerability to its Known Exploited Vulnerabilities catalogue. The flaw carries a CVSS score of 10.0, the maximum possible, and allows remote code execution. It is being actively exploited in the wild right now.

CISA’s KEV catalogue is the authoritative list of vulnerabilities confirmed to be under active exploitation. When something lands on that list, it is not a theoretical risk. Someone is using it against real targets.

Joomla is widely used across UK small businesses, particularly in hospitality, retail, and professional services, sectors where a website was built by an agency or a contractor several years ago and the content management system has not been meaningfully reviewed since. The JCE plugin is one of the most commonly installed Joomla extensions. It ships with a large number of pre-built Joomla installations.

The CISA deadline for federal agencies to patch is this Friday. That deadline does not apply to UK businesses, obviously. But if you are still running an unpatched JCE plugin on Friday morning, you have had ample warning.

What to do. If you run a Joomla website:

  1. Log into your Joomla admin panel and check the installed extensions list.
  2. If JCE is listed, check the version and update it immediately to the latest release.
  3. If you are unsure whether your site runs Joomla or what plugins are installed, contact whoever manages your website hosting and ask them specifically.
  4. Check your site’s server logs for unusual requests, particularly any POST requests to JCE plugin endpoints from IP addresses outside your normal geography.
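Step 4 is the one most small businesses skip. As an added example (the editor's, not from CISA, BleepingComputer or the JCE project), here is a small parser for Apache-style access logs that pulls out POST requests to JCE endpoints from addresses outside the ranges you expect. The log lines are constructed and their query strings are made up; only the component name `com_jce` is taken from the plugin. There is no offline geolocation here, so "normal geography" is approximated by a constructed allowlist of address ranges that you would replace with your own (or with a GeoIP lookup).

```python
"""Find POST requests to Joomla JCE endpoints from unexpected source addresses.

Editor's added example. Log lines and address ranges are constructed; the
request query strings are illustrative, not real JCE API calls."""
import ipaddress
import re
from collections import defaultdict

# Apache "combined" log format; only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed stand-in for "normal geography": ranges your own users come from.
EXPECTED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample log: ordinary traffic, one legitimate editor session from an
# expected range, and a scripted burst of POSTs to the JCE component from elsewhere.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jun/2026:09:12:03 +0100] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [16/Jun/2026:09:15:44 +0100] "POST /administrator/index.php?option=com_jce&task=plugin&plugin=image HTTP/1.1" 200 1820 "-" "Mozilla/5.0"
192.0.2.55 - - [16/Jun/2026:03:41:10 +0100] "POST /index.php?option=com_jce&task=plugin HTTP/1.1" 200 412 "-" "python-requests/2.31"
192.0.2.55 - - [16/Jun/2026:03:41:12 +0100] "POST /index.php?option=com_jce&task=plugin HTTP/1.1" 200 412 "-" "python-requests/2.31"
192.0.2.56 - - [16/Jun/2026:04:02:00 +0100] "GET /index.php?option=com_jce&task=plugin HTTP/1.1" 403 310 "-" "curl/8.4"
"""


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_jce_request(path):
    """True when the request targets the JCE component (option=com_jce)."""
    return "option=com_jce" in path.lower()


def in_expected_ranges(ip, ranges=EXPECTED_RANGES):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # unparsable source field: treat as unexpected
    return any(addr in net for net in ranges)


def find_suspicious(log_text, ranges=EXPECTED_RANGES):
    """POST requests to JCE endpoints from outside the expected ranges, grouped by source.

    Each result: {"ip", "count", "first", "last", "paths", "statuses"}."""
    groups = defaultdict(lambda: {"count": 0, "first": None, "last": None,
                                  "paths": set(), "statuses": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or not is_jce_request(rec["path"]):
            continue
        if in_expected_ranges(rec["ip"], ranges):
            continue
        g = groups[rec["ip"]]
        g["count"] += 1
        g["first"] = g["first"] or rec["ts"]
        g["last"] = rec["ts"]
        g["paths"].add(rec["path"])
        g["statuses"].add(int(rec["status"]))
    return [{"ip": ip, **g} for ip, g in groups.items()]


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['ip']}: {hit['count']} POST(s) to JCE between {hit['first']} and "
              f"{hit['last']}, statuses {sorted(hit['statuses'])}")
```

A 200 status on those POSTs is the detail to act on: a burst of successful requests to an editor component at 03:41 from an address you do not recognise warrants treating the site as possibly compromised, not just patching it. Hand the output to whoever hosts the site and ask for the full request bodies and any files modified around those timestamps.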

If your IT provider or web agency tells you this does not affect you without first checking, ask them to show you the evidence. “We don’t think so” is not an acceptable answer when CISA has confirmed active exploitation.


RoguePlanet: Microsoft Defender Has an Unpatched Zero-Day

A week ago, a privilege escalation zero-day in Microsoft Defender was publicly disclosed. It has been named RoguePlanet, and it is associated with the broader Nightmare Eclipse research chain. As of today, Microsoft has confirmed it is working on a patch. That patch does not yet exist.

Privilege escalation vulnerabilities are the mechanism attackers use to move from limited foothold to full system control. On their own, they do not typically allow initial access, but combined with any other means of getting code onto a machine, a privilege escalation zero-day removes one of the key barriers between an attacker and complete system compromise.

Microsoft Defender is present on virtually every Windows endpoint in the country. That is not a criticism of Defender; it is simply the reality of its market position. The implication is that RoguePlanet is relevant to almost every Windows machine your business operates.

I want to be precise about the risk profile here. RoguePlanet does not, by itself, allow an attacker to break into your systems. They need another entry point first. But consider today’s threat landscape: ClickFix social engineering campaigns are landing remote access trojans on endpoints through browser-based manipulation. BlueKit PhaaS is delivering credential theft at scale. OnyxC2 is targeting 210 applications including password managers and 2FA tools. An attacker who gets a foothold through any of those routes will likely attempt privilege escalation immediately. RoguePlanet is the tool they reach for on a Windows machine.

What to do. There is no patch to apply. That is the situation. What you can do:

  • Ensure Windows endpoints are running the latest available Defender security intelligence updates. Even without a patch for RoguePlanet, Defender’s detection capabilities are updated frequently.
  • Apply the principle of least privilege rigorously. Ensure standard users do not have local administrator rights. A privilege escalation vulnerability is significantly less useful if the account being escalated from has limited access to begin with.
  • Monitor Microsoft’s security update channels and patch as soon as the fix is available. This one will not wait.

A Note on the Cisco SD-WAN Advisory

Cisco has updated its maximum-severity advisory to include an additional SD-WAN device. This advisory covers improper authentication vulnerabilities. If your business uses Cisco Catalyst SD-WAN appliances and you applied the original patch, check the updated advisory to confirm whether your specific hardware model is now included. If you have not patched at all, you should have. The NCSC published guidance on perimeter device patching cadence that makes the position clear. The fact that organisations are still running unpatched Cisco edge devices in 2026 tells you everything about patch management culture in too many UK businesses.


What Matters Today

Three actions, in priority order:

  1. Joomla JCE: check and patch today if you run Joomla. No delay.
  2. Microsoft Teams C2 technique: speak to your managed security provider about whether your monitoring covers internal behavioural anomalies, not just perimeter traffic.
  3. RoguePlanet: apply least privilege now; watch for Microsoft’s patch and apply it immediately on release.



Sources

  • security.com / Symantec Threat Hunter Team: “Attackers Weaponize Microsoft Teams Relays to Stay Hidden”, https://www.security.com/threat-intelligence/dragonforce-msteams-backdoor
  • BleepingComputer: “CISA orders feds to patch max severity Joomla plugin flaw by Friday”, https://www.bleepingcomputer.com/news/security/cisa-orders-feds-to-patch-max-severity-joomla-plugin-flaw-by-friday/
  • BleepingComputer: “Microsoft working on Defender patch for RoguePlanet zero-day”, https://www.bleepingcomputer.com/news/microsoft/microsoft-working-on-defender-patch-for-rogueplanet-zero-day/
  • CISA Known Exploited Vulnerabilities Catalogue: “KEV: Actively Exploited Vulnerabilities”, https://www.cisa.gov/known-exploited-vulnerabilities-catalog
  • The Register: “Cisco adds another SD-WAN box to max-severity bug advisory”, https://www.theregister.com/security/2026/06/17/cisco-adds-another-sd-wan-box-to-max-severity-bug-advisory/5257621
  • Huntress: “Potemkin Loader and RMMProject: The Anatomy of a ClickFix Attack”, https://www.huntress.com/blog/potemkin-loader-rmmproject-clickfix-attack

Filed under

  • smb-security
  • uk-business
  • ransomware-groups
  • social-engineering
  • credential-theft
  • remote-access
  • incident-response