The company unsealed a legal case in U.S. District Court on Tuesday detailing the disruption of Fox Tempest — a popular service that has operated since May 2025 and provides cybercriminals with code signing tools.
Analysis Summary
# Incident Report: Disruption of Fox Tempest Malware-Signing-as-a-Service (MSaaS)
## Executive Summary
Microsoft’s Digital Crimes Unit successfully disrupted Fox Tempest, a sophisticated "Malware-Signing-as-a-Service" operation that enabled ransomware groups to bypass security defenses by legitimizing malicious code. The group abused Microsoft’s Artifact Signing infrastructure to issue over 1,000 fraudulent certificates used by major ransomware affiliates including Rhysida, Qilin, and Akira. The disruption involved seizing web domains, taking down hundreds of virtual machines, and revoking all fraudulent certificates.
## Incident Details
- **Discovery Date:** Pre-May 2026 (During Microsoft investigation)
- **Incident Date:** May 2025 – May 2026
- **Affected Organization:** Microsoft (Infrastructure abuse); Global entities (Targeted by clients)
- **Sector:** Information Technology / Cyber Security
- **Geography:** Global (legal action filed in U.S. District Court; victims in the U.S., China, France, and India)
## Timeline of Events
### Initial Access
- **Date/Time:** May 2025
- **Vector:** Abuse of Microsoft Artifact Signing
- **Details:** Fox Tempest established hundreds of fraudulent Azure tenants and subscriptions to gain access to code-signing tools intended for legitimate software verification.
### Lateral Movement
- **N/A:** As a service provider, Fox Tempest focused on "vertical" abuse of cloud infrastructure to facilitate third-party attacks rather than traditional network pivoting.
### Data Exfiltration/Impact
- **Malware Delivery:** Signed malware (Oyster, Lumma Stealer, Vidar) was distributed via SEO poisoning and malicious advertisements.
- **Ransomware Deployment:** Affiliates (Rhysida, INC, Qilin, Akira) utilized the signed malware to gain initial footholds for ransomware attacks.
- **Scale:** Thousands of machines infected globally across multiple sectors.
### Detection & Response
- **Discovery:** Microsoft security officials identified patterns of fraudulent certificates originating from specific Azure tenants.
- **Response Actions:** On Tuesday, May 19, 2026, Microsoft unsealed a legal case, seized the Fox Tempest website, deactivated hundreds of VMs, and blocked the underlying source code hosting.
## Attack Methodology
- **Initial Access:** Fraudulent creation of Azure tenants and subscriptions.
- **Persistence:** Maintaining hundreds of independent cloud subscriptions to avoid total account suspension.
- **Defense Evasion:** Use of short-lived, trusted certificates to bypass AV/EDR blocks on untrusted binaries; masquerading as legitimate software (AnyDesk, Teams, PuTTY, Webex).
- **Lateral Movement:** Executed by Fox Tempest "clients" (ransomware gangs) once the signed malware bypassed perimeter security.
- **Exfiltration:** Facilitated through info-stealers like Vidar and Lumma Stealer.
- **Impact:** Legitimizing malware to "hide in plain sight," undermining the global trust in digital code signing.
## Impact Assessment
- **Financial:** Fox Tempest generated millions of dollars in cryptocurrency revenue; victim costs likely exceed hundreds of millions in ransomware damages.
- **Data Breach:** Compromise of thousands of corporate networks globally.
- **Operational:** Disruption of business operations for organizations targeted by Fox Tempest-signed malware.
- **Reputational:** Significant erosion of trust in automated certificate verification systems.
## Indicators of Compromise
- **Network Indicators:** Fraudulent domains masquerading as `anydesk[.]com`, `teams[.]com`, `putty[.]org`, and `webex[.]com` (Specific defanged URLs not provided in text).
- **File Indicators:** Over 1,000 revoked code-signing certificates attributed to Fox Tempest Azure tenants.
- **Behavioral Indicators:** High-frequency creation of Azure subscriptions followed by immediate Artifact Signing requests for known malware families (Oyster, Lumma).
## Response Actions
- **Containment:** Revocation of 1,000+ fraudulent code-signing certificates.
- **Eradication:** Seizure of the Fox Tempest command-and-control website and hosting infrastructure.
- **Recovery:** Taking hundreds of malicious virtual machines offline to halt ongoing signing operations.
## Lessons Learned
- **The "Service" Shift:** Cybercriminals are willing to pay high premiums (thousands of dollars) for specialized services like MSaaS that guarantee higher success rates.
- **Trust as a Vulnerability:** Automated security checks that rely solely on certificate validity are increasingly susceptible to well-resourced actors who can "buy" legitimacy.
- **Cloud Abuse:** Fraudulent tenant creation in major cloud providers remains a primary entry point for large-scale criminal infrastructure.
## Recommendations
- **Certificate Inspection:** Security teams should not treat "Signed" as "Safe." Implement inspection of certificate metadata (e.g., age of certificate, issuing tenant reputation).
- **Application Control:** Enforce strict application whitelisting and monitor for unusual software distribution sources, even if the binary appears signed.
- **Cloud Governance:** Cloud providers should implement more rigorous identity verification for Artifact Signing features to prevent automated bulk abuse.
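As an added illustration of the certificate-inspection recommendation (not code from Microsoft or from the report), the policy below refuses to treat "signed" as "safe": it scores a signed file on how new the certificate was at signing time, on issuer reputation, and on a mismatch between the product name the file claims and the signer shown in its certificate. The publisher mapping, the issuer name and the two sample binaries are constructed for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Product -> expected signer (illustrative; real deployments keep their own
# allowlist built from verified vendor binaries).
KNOWN_PUBLISHERS = {"anydesk": "AnyDesk Software GmbH", "putty": "Simon Tatham",
                    "teams": "Microsoft Corporation", "webex": "Cisco Systems, Inc."}

@dataclass
class SigningCert:
    subject_cn: str        # signer name shown in the signature
    issuer: str            # CA or signing service that issued it
    not_before: datetime   # issuance time (UTC)

@dataclass
class SignedBinary:
    filename: str
    signed_at: datetime    # countersignature timestamp (UTC)
    cert: SigningCert

def assess(binary, trusted_issuers, min_cert_age=timedelta(days=7)):
    """Return (verdict, findings); a valid signature alone is not 'allow'."""
    findings, cert = [], binary.cert
    age = binary.signed_at - cert.not_before          # how new was the cert?
    if age < min_cert_age:
        findings.append(f"certificate only {age.days} day(s) old at signing")
    if cert.issuer not in trusted_issuers:            # issuer reputation
        findings.append(f"issuer '{cert.issuer}' not on trusted-issuer list")
    stem = binary.filename.lower().rsplit(".", 1)[0]  # brand masquerade check
    mismatch = [p for p, pub in KNOWN_PUBLISHERS.items()
                if p in stem and cert.subject_cn != pub]
    for product in mismatch:
        findings.append(f"name suggests {product} but signer is '{cert.subject_cn}'")
    if mismatch:
        return "block", findings
    return ("review" if findings else "allow"), findings

# Constructed sample inputs; the issuer name is a placeholder.
NOW = datetime(2026, 5, 20, tzinfo=timezone.utc)
TRUSTED = {"Example Signing Service"}
SUSPECT = SignedBinary("AnyDesk-Setup.exe", NOW, SigningCert(
    "Contoso Tools Ltd", "Example Signing Service", NOW - timedelta(days=1)))
GENUINE = SignedBinary("putty.exe", NOW, SigningCert(
    "Simon Tatham", "Example Signing Service", NOW - timedelta(days=400)))
```

Note that the suspect sample is issued by a trusted service, which is exactly the Fox Tempest pattern; the certificate age and brand mismatch are what still catch it.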