Corporate conference calls just got a lot harder to trust: new research shows attackers can hijack Microsoft Teams and Zoom’s TURN infrastructure to covertly tunnel command-and-control traffic, blending in with normal WebRTC media flows and slipping past enterprise defenses without exploiting a patchable bug. The post‑exploitation technique—dubbed “Ghost Calls”—relies on temporary TURN credentials issued when a client joins a meeting, then repurposes those credentials to route attacker traffic through the platforms’ own globally distributed media relays and trusted IP ranges. Because the traffic looks like everyday video meetings, it often rides clean through firewalls, proxies, and TLS inspection.
Overview
Ghost Calls is not a vulnerability in Microsoft Teams or Zoom; it’s a clever abuse of how real‑time collaboration actually works on the modern internet. Both products use WebRTC’s NAT traversal stack—STUN and TURN—to broker audio/video across restrictive networks. TURN relays media when peer‑to‑peer isn’t possible, and its design is standardized by the IETF (RFC 8656). That same design can be repurposed: if an attacker acquires valid TURN credentials from a meeting session, they can spin up an encrypted tunnel that rides those relays, making malicious C2 traffic indistinguishable from legitimate meeting data. Security researchers at Praetorian detailed how Ghost Calls hijacks temporary TURN credentials and then stands up a tunnel between a compromised Windows host and an operator system. They demonstrated the approach using a controller/relay toolchain to proxy arbitrary traffic over TURN—an approach highlighted at Black Hat USA 2025 and reported by multiple outlets. Importantly, there’s no CVE to fix here; the researchers urge vendors to add safeguards rather than ship a traditional patch. (techradar.com, scworld.com)
Why Microsoft Teams and Zoom traffic is the perfect camouflage
- Enterprises routinely allow and even prioritize traffic to conferencing services, often whitelisting vendor IP ranges and domains to keep meetings stable and low‑latency. Teams explicitly relies on UDP 3478–3481 (STUN/TURN/media) and TCP/443; Zoom similarly uses UDP 3478/3479 and wide UDP media ranges alongside TCP/443. Ghost Calls deliberately blends into these allowed flows. (learn.microsoft.com, support.zoom.com)
- WebRTC media is encrypted end‑to‑end (SRTP/DTLS or TLS), which frustrates deep packet inspection and lets malicious data masquerade as audio/video packets. From a sensor’s perspective, it looks like a normal meeting that just lasts a bit longer—or happens when nobody is scheduled to meet.
- Because the relays belong to Microsoft/Zoom and sit on trusted networks, defenders don’t see traffic beaconing to suspicious C2 hosts; it’s “just more Teams/Zoom.” That dynamic is exactly what Ghost Calls exploits.
How Ghost Calls works (at a high level)
- Post‑exploitation foothold: The attacker already has code execution on a Windows endpoint. Ghost Calls is an evasion and persistence channel, not an initial access vector.
- TURN credential hijacking: When the Teams or Zoom client joins a meeting, it receives time‑boxed TURN credentials for relay access. Attackers extract or intercept those temporary credentials on the compromised host. Reports note multi‑day expirations in some cases, extending the tunnel’s usefulness, though lifetimes vary by provider configuration.
- Covert tunnel creation: Using the stolen credentials, the attacker’s relay component connects to the conferencing provider’s TURN servers and establishes a bi‑directional data channel back to an attacker‑controlled controller (often via a SOCKS proxy), enabling C2, port forwarding, and data exfiltration—all inside “meeting” traffic.
The protocol backdrop: what TURN enables
TURN—Traversal Using Relays around NAT—is a standards‑track protocol that lets clients behind NAT/firewalls communicate via a relay that allocates a public address and forwards packets. It’s commonly invoked by ICE when direct paths fail. Allocations are authenticated and time‑limited, and the server maintains state (permissions, channel bindings, time‑to‑expiry). Ghost Calls leans on these normal features to move attacker traffic over the same relays used for meetings.
Strengths of the technique
- Stealth by design: Traffic sources and destinations are “known good” vendor networks; content is encrypted and timing mimics meetings.
- Reliability and speed: Enterprise relays are globally distributed and engineered for low latency; the tunnel is fast enough for interactive C2 and even VNC.
- Reduced exposure: Operators avoid standing up attacker infrastructure that defenders can sinkhole or enumerate.
Real‑world validation
Coverage from SC Media notes Praetorian’s custom open‑source “TURNt” utility using a Controller (SOCKS proxy) and a Relay on the victim, illustrating practical tunneling and data exfiltration over Teams/Zoom TURN. Neither Microsoft nor Zoom had announced specific countermeasures at publication.
Weaknesses and practical limits
- Credential lifetimes: TURN allocations expire. Reports indicate some platforms issue credentials that last on the order of days, but they’re still finite and may be scoped. This constrains “always‑on” persistence unless the attacker can continually harvest fresh tokens. Treat any multi‑day claim as environment‑dependent.
- Session correlation: If defenders correlate meeting records with network flows, “ghost” relay traffic without a corresponding call can stand out. Microsoft Graph’s callRecords API provides tenant‑wide telemetry to power such checks.
- Network policy variance: Some enterprises strictly pin TURN/Media edges to provider IP ranges and aggressively log UDP/DTLS handshakes, creating breadcrumbs for blue teams. (learn.microsoft.com, support.zoom.com)
What Windows admins should do now
Ghost Calls turns collaboration networks into covert channels. You won’t beat it with signature‑based detections alone; favor behavioral controls, identity‑aware correlation, and strict egress hygiene.
1) Lock down egress with precision
- Replace broad allowlists with IP‑range pinning for Teams/Zoom media and TURN, using vendor‑published ranges rather than wildcard domains. For Teams, ensure you explicitly scope UDP 3478–3481 and relevant media ranges to Microsoft 52.112.0.0/14 infrastructure. For Zoom, scope UDP/TCP to the documented ranges and ports (e.g., UDP 3478/3479 and 20000–64000; TCP 443/5091) and avoid blanket “*.zoom.us” if you can. (learn.microsoft.com, support.zoom.com)
- Create program‑scoped Windows Defender Firewall rules: allow Teams/Zoom executables to the vendor media IP ranges and block other processes from opening UDP flows to those same ranges. This prevents arbitrary binaries from “borrowing” your collaboration egress.
2) Correlate meetings with network telemetry
- Use Microsoft Graph callRecords to subscribe to meeting completions and pull call session metadata (participants, start/stop, modality). Flag any sustained TURN/DTLS flows to Teams media IPs without a corresponding call record in the last N minutes. This “meeting‑to‑media” join is painful but powerful.
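The meeting‑to‑media join described above, as an added example that is not part of the original article or of any vendor tooling: it takes flow records as an egress sensor might export them and call records shaped like a Graph callRecords pull, both constructed here, and flags long‑lived relay flows that no call explains. The host names, timestamps, grace window and 15‑minute duration threshold are assumptions; the 52.112.0.0/14 range and ports are the ones quoted in the article.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Microsoft's published transport-relay range quoted in the article; other
# ranges come from the vendor endpoint lists, not from this example.
TEAMS_RELAY_NET = ip_network("52.112.0.0/14")
TURN_PORTS = {3478, 3479, 3480, 3481}
GRACE = timedelta(minutes=10)   # the "last N minutes" window; N is a tuning choice

# Constructed sample: long-lived UDP flows as an egress sensor might export them.
FLOWS = [
    {"host": "LAPTOP-01", "dst": "52.112.1.10", "dport": 3478,
     "start": "2025-08-06T09:02:00", "end": "2025-08-06T09:45:00"},
    {"host": "FILESRV-02", "dst": "52.113.9.9", "dport": 3480,
     "start": "2025-08-06T02:10:00", "end": "2025-08-06T04:30:00"},
    {"host": "LAPTOP-01", "dst": "52.112.1.10", "dport": 3478,
     "start": "2025-08-06T13:00:00", "end": "2025-08-06T13:05:00"},
]
# Constructed sample shaped like what a Graph callRecords pull yields per participant host.
CALL_RECORDS = [
    {"host": "LAPTOP-01", "start": "2025-08-06T09:00:00", "end": "2025-08-06T09:44:00"},
]

def _t(s):
    return datetime.fromisoformat(s)

def is_relay_flow(flow):
    """Flow goes to the Teams relay range on a STUN/TURN port."""
    return ip_address(flow["dst"]) in TEAMS_RELAY_NET and flow["dport"] in TURN_PORTS

def has_matching_call(flow, records, grace=GRACE):
    """True if the same host has a call whose window (widened by grace) contains the flow start."""
    fs = _t(flow["start"])
    return any(r["host"] == flow["host"]
               and _t(r["start"]) - grace <= fs <= _t(r["end"]) + grace
               for r in records)

def ghost_flows(flows, records, min_duration=timedelta(minutes=15)):
    """Relay flows lasting at least min_duration with no call record to explain them."""
    return [f for f in flows
            if is_relay_flow(f)
            and _t(f["end"]) - _t(f["start"]) >= min_duration
            and not has_matching_call(f, records)]

if __name__ == "__main__":
    for f in ghost_flows(FLOWS, CALL_RECORDS):
        print(f"ghost relay flow: {f['host']} -> {f['dst']}:{f['dport']} {f['start']}..{f['end']}")
```

On the constructed data only the overnight server flow is reported; the laptop's flows are either covered by its call record or too short to matter.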
3) Watch the edges for TURN/DTLS anomalies
- Instrument your egress points to log STUN/TURN message types and DTLS handshakes on UDP 3478–3481 and 443. Alert on long‑lived channels outside business hours or on machines that aren’t heavy meeting users (e.g., servers).
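Logging STUN/TURN message types, as an added example (not code from the article, Praetorian, Microsoft or Zoom): a classifier for UDP payloads on 3478–3481 that decodes the RFC 5389 message‑type bit layout and the TURN methods from RFC 8656 (Allocate, Refresh, CreatePermission, ChannelBind, and the ChannelData framing the protocol backdrop section mentions), then tallies them for a log line. The sample datagrams are constructed here; the `stun_message` encoder exists only to build them.

```python
import struct

STUN_MAGIC = 0x2112A442
# Method numbers from RFC 5389 (Binding) and RFC 8656 (TURN allocation, permissions, channels).
METHODS = {0x001: "Binding", 0x003: "Allocate", 0x004: "Refresh", 0x006: "Send",
           0x007: "Data", 0x008: "CreatePermission", 0x009: "ChannelBind"}
CLASSES = {0: "request", 1: "indication", 2: "success", 3: "error"}

def classify_datagram(data: bytes) -> str:
    """Label one UDP payload seen on 3478-3481 as a STUN/TURN message, ChannelData, or other."""
    if len(data) < 4:
        return "other"
    if data[0] >> 6 == 0b01:            # ChannelData: relayed payload, channel number in bytes 0-1
        chan, = struct.unpack("!H", data[:2])
        return f"ChannelData(0x{chan:04x})"
    if data[0] >> 6 != 0b00 or len(data) < 20:
        return "other"
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != STUN_MAGIC or len(data) != 20 + length:
        return "other"
    # Method bits M0-M3, M4-M6, M7-M11 are interleaved with class bits C0 (bit 4) and C1 (bit 8).
    method = (msg_type & 0x000F) | ((msg_type & 0x00E0) >> 1) | ((msg_type & 0x3E00) >> 2)
    cls = ((msg_type & 0x0010) >> 4) | ((msg_type & 0x0100) >> 7)
    return f"{METHODS.get(method, f'method-0x{method:03x}')} {CLASSES[cls]}"

def stun_message(method: int, cls: int, attrs: bytes = b"") -> bytes:
    """Encode a STUN/TURN header; used here only to build constructed sample input."""
    msg_type = ((method & 0x000F) | ((method & 0x0070) << 1) | ((method & 0x0F80) << 2)
                | ((cls & 1) << 4) | ((cls & 2) << 7))
    return struct.pack("!HHI", msg_type, len(attrs), STUN_MAGIC) + b"\x00" * 12 + attrs

# Constructed sample datagrams, as a sensor might capture them from one host on UDP 3478.
SAMPLE = [
    stun_message(0x003, 0, struct.pack("!HHI", 0x0019, 4, 0x11000000)),  # Allocate request (UDP)
    stun_message(0x003, 2),                                             # Allocate success
    stun_message(0x009, 0),                                             # ChannelBind request
    b"\x40\x01\x00\x04abcd",                                            # ChannelData, channel 0x4001
    b"\x80\x60\x00\x01" + b"\x00" * 8,                                  # RTP-like packet: not STUN
]

def summarize(datagrams):
    """Count message kinds so a log line can say which TURN operations a flow performed."""
    counts = {}
    for d in datagrams:
        label = classify_datagram(d).split("(")[0]
        counts[label] = counts.get(label, 0) + 1
    return counts
```

A flow whose summary shows Allocate and ChannelBind from a host that never appears in meeting telemetry is the kind of record the correlation in step 2 needs.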
4) Harden endpoints
- Enforce Application Control (AppLocker/WDAC) so only sanctioned clients can load WebRTC stacks or open raw UDP sockets to conferencing IP ranges. Pair with EDR rules for suspicious child processes of Teams or Zoom (e.g., shell or tunneling tools).
- Treat initial access aggressively: Ghost Calls is post‑exploitation. Blocking social‑engineering vectors into Teams (external federation, unmanaged guest access) reduces the chance of an attacker ever reaching the point where a covert relay helps.
What Microsoft and Zoom could change
There’s no single “patch,” but vendors can blunt Ghost Calls without breaking meetings:
- Bind TURN credentials to meeting context and device identity, limiting reuse outside the issuing session or host fingerprint.
- Shorten credential lifetimes and reduce scope; require periodic re‑auth for long sessions.
- Add relay‑side heuristics to detect non‑media payload patterns and clamp down on generic data tunneling over media relays—carefully, to avoid harming accessibility features and screen sharing.
- Offer enterprise policy hooks to restrict TURN usage to managed devices or to enforce per‑tenant relay regions for better anomaly baselining.
Risk outlook for Windows enterprises
- High likelihood of evasion success in environments that broadly trust collaboration egress and lack meeting‑to‑network correlation.
- Impact ranges from stealthy C2 and data exfiltration to lateral movement facilitated by a low‑latency, vendor‑hosted tunnel.
- Detection is feasible with the right signals: meeting telemetry, process‑scoped egress controls, and TURN/DTLS monitoring at the perimeter.
Appendix: quick reference for media/relay networking
- Microsoft Teams media/TURN: ICE‑based; UDP 3478–3481 and TCP/443 to Microsoft media IPs (notably 52.112.0.0/14 for transport relays).
- Zoom media/TURN: UDP 3478/3479 and wide UDP media ranges; TCP 443/5091 to documented Zoom IP ranges.
The bottom line: Ghost Calls doesn’t break Teams or Zoom—it piggybacks on them. Until collaboration platforms expose stronger policy and telemetry hooks, Windows admins should assume TURN relays can be repurposed and instrument their networks accordingly.
Source: TechRadar Microsoft Teams and Zoom can be hijacked to give hackers the keys to your kingdom