
Microsoft platform abuse used in cybercrime service takedown

Summary

– Microsoft disrupted a malware-signing-as-a-service operation called Fox Tempest, which abused its Artifact Signing service to create fraudulent code-signing certificates used by ransomware gangs.
– The threat actor created over 1,000 certificates and hundreds of Azure tenants, and Microsoft revoked those certificates and unsealed a legal case in U.S. District Court.
– Microsoft seized the signspace[.]cloud domain, took down hundreds of virtual machines, and blocked infrastructure tied to the operation.
– The signed malware, including Oyster and Lumma Stealer, was used in ransomware campaigns by groups like Rhysida, Akira, and BlackByte, with victims tricked by fake software installers.
– Fox Tempest used stolen identities to pass identity verification, issued short-lived certificates valid for 72 hours, and charged $5,000 to $9,000 in bitcoin for access, generating millions in profits.

Microsoft has taken down a malware-signing-as-a-service (MSaaS) platform that exploited its own Azure Artifact Signing service to issue fraudulent code-signing certificates for ransomware groups and other cybercriminals. The tech giant announced the disruption of an operation linked to a threat actor it tracks as Fox Tempest, which generated more than 1,000 certificates and hundreds of Azure tenants and subscriptions to facilitate the scheme.

According to a report from Microsoft Threat Intelligence, Fox Tempest leveraged the Microsoft Artifact Signing platform, a cloud-based service launched in 2024 to help developers digitally sign their programs, to create short-lived certificates. These certificates made malicious software appear trustworthy to both users and operating systems, bypassing security controls. The financially motivated actor produced over 1,000 certificates and established hundreds of Azure accounts to support its operations.

Microsoft’s Digital Crimes Unit (DCU), with help from industry partners, disrupted the MSaaS offering in May 2026 by targeting its infrastructure and access model. The company seized the domain signspace[.]cloud, which hosted the service, took hundreds of associated virtual machines offline, and blocked access to infrastructure supporting the cybercrime platform. The domain now redirects to a Microsoft-controlled site explaining the seizure as part of a lawsuit filed in the U.S. District Court for the Southern District of New York.

The operation was tied to numerous malware and ransomware campaigns, including Oyster, Lumma Stealer, Vidar, and ransomware strains like Rhysida, Akira, INC, Qilin, and BlackByte. Threat actors such as Vanilla Tempest (associated with INC Ransomware), Storm-0501, Storm-2561, and Storm-0249 used the signed malware in their attacks. Microsoft named Vanilla Tempest as a co-conspirator in the legal action, alleging the group distributed malware and ransomware to organizations worldwide via the service.

The MSaaS platform operated through signspace[.]cloud, allowing cybercriminal customers to upload malicious files for code-signing with fraudulently obtained certificates. These signed files were then disguised as legitimate software like Microsoft Teams, AnyDesk, PuTTY, and Webex. For instance, fake Microsoft Teams installer files delivered a malicious loader that deployed the signed Oyster malware, ultimately leading to Rhysida ransomware infections. Because the certificates came from Microsoft’s Artifact Signing service, Windows initially trusted the malware, avoiding detection.

Microsoft believes Fox Tempest used stolen identities from the United States and Canada to pass identity verification requirements for Artifact Signing. The certificates were valid for only 72 hours to minimize detection risk. BleepingComputer previously reported in March 2025 on threat actors abusing Microsoft’s Trusted Signing service to sign malware in campaigns like Crazy Evil Traffers and Lumma Stealer, though it’s unclear if those were linked to Fox Tempest.
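The two paragraphs above describe the traits a defender can key on: a signing certificate whose whole validity window is only 72 hours, a signer that does not match the brand the installer claims to be (a "Microsoft Teams" installer not signed by Microsoft), and a certificate that has since been revoked. The following is an added example, not code from Microsoft or BleepingComputer, of a small triage pass over a constructed inventory of signed binaries, the kind of signer/validity data an EDR or osquery export would provide. The record format, the expected-publisher table, and the revoked serial numbers are all assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Validity window the report attributes to the Fox Tempest certificates.
SHORT_LIVED_HOURS = 72

# Assumed mapping of impersonated products (named in the report) to the
# publisher a defender would expect on the signing certificate.
EXPECTED_PUBLISHERS = {
    "Microsoft Teams": "Microsoft Corporation",
    "AnyDesk": "AnyDesk Software GmbH",
    "PuTTY": "Simon Tatham",
    "Webex": "Cisco WebEx LLC",
}

@dataclass(frozen=True)
class SignedBinary:
    """One row of a signature inventory (constructed format, not a real tool's)."""
    path: str
    claimed_product: str   # product name the installer presents to the user
    signer_subject: str    # subject CN of the leaf code-signing certificate
    serial: str            # certificate serial number as a hex string
    not_before: datetime
    not_after: datetime

def validity_hours(rec: SignedBinary) -> float:
    """Length of the certificate's validity window in hours."""
    return (rec.not_after - rec.not_before).total_seconds() / 3600

def triage(rec: SignedBinary, revoked_serials: set[str]) -> list[str]:
    """Return the list of findings for one signed binary (empty = nothing notable)."""
    findings = []
    if validity_hours(rec) <= SHORT_LIVED_HOURS:
        findings.append("short-lived-cert")
    expected = EXPECTED_PUBLISHERS.get(rec.claimed_product)
    if expected is not None and rec.signer_subject != expected:
        findings.append("publisher-mismatch")
    if rec.serial.lower() in {s.lower() for s in revoked_serials}:
        findings.append("revoked-cert")
    return findings

def triage_inventory(records: list[SignedBinary], revoked_serials: set[str]) -> dict[str, list[str]]:
    """Map each path with at least one finding to its findings."""
    result = {}
    for rec in records:
        findings = triage(rec, revoked_serials)
        if findings:
            result[rec.path] = findings
    return result

def utc(y, m, d, h=0):
    return datetime(y, m, d, h, tzinfo=timezone.utc)

# Constructed sample inventory: no real files, signers or serials.
SAMPLE_INVENTORY = [
    # Fake Teams installer: 72-hour certificate, signer is not Microsoft.
    SignedBinary(r"C:\Users\a\Downloads\TeamsSetup.exe", "Microsoft Teams",
                 "Example Logistics LLC", "0A1B2C", utc(2026, 5, 1), utc(2026, 5, 4)),
    # Genuine-looking PuTTY build: expected publisher, year-long certificate.
    SignedBinary(r"C:\Program Files\PuTTY\putty.exe", "PuTTY",
                 "Simon Tatham", "0D0E0F", utc(2024, 1, 1), utc(2025, 1, 1)),
    # Right publisher name but a 48-hour certificate that has since been revoked.
    SignedBinary(r"C:\Users\a\Downloads\AnyDesk.exe", "AnyDesk",
                 "AnyDesk Software GmbH", "ABCDEF", utc(2026, 4, 10), utc(2026, 4, 12)),
]
# Placeholder serials standing in for a revocation feed (constructed).
SAMPLE_REVOKED = {"abcdef"}

if __name__ == "__main__":
    for path, findings in triage_inventory(SAMPLE_INVENTORY, SAMPLE_REVOKED).items():
        print(f"{path}: {', '.join(findings)}")
```

The three checks are deliberately independent: a short validity window alone is a weak signal (legitimate short-lived certificates exist), but combined with a publisher that does not match the product being impersonated, or with a serial that appears on a revocation feed, it is worth pulling the file for analysis.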

Earlier this year, Fox Tempest evolved its operation by offering customers pre-configured virtual machines hosted through Cloudzy infrastructure. Clients uploaded malware to these environments and received signed binaries using Fox Tempest-controlled certificates. The service was promoted on a Telegram channel named “EV Certs for Sale by SamCodeSign,” with access priced between $5,000 and $9,000 in bitcoin. Microsoft says the operation generated millions of dollars in profits, highlighting the group’s resources in managing infrastructure, customer relations, and financial transactions.

(Source: BleepingComputer)
