Full Report
Microsoft on Tuesday said it disrupted a malware-signing-as-a-service (MSaaS) operation that weaponized the company's Artifact Signing system to deliver malicious code and conduct ransomware and other attacks, compromising thousands of machines and networks across the world. The tech giant attributed the activity to a threat actor it calls Fox Tempest, which it said offered the MSaaS scheme
Analysis Summary
# Incident Report: Disruption of Fox Tempest "SignSpace" MSaaS Operation
## Executive Summary
Microsoft disrupted a sophisticated Malware-Signing-as-a-Service (MSaaS) operation run by a threat actor known as Fox Tempest. The group weaponized Microsoft’s Artifact Signing system by using stolen identities to generate legitimate code-signing certificates for malicious software. This operation, codenamed "OpFauxSign," facilitated the delivery of ransomware (Rhysida, INC, Akira) and info-stealers (Lumma, Vidar) to thousands of machines globally by allowing malware to masquerade as trusted applications.
## Incident Details
- **Discovery Date:** Countermeasures were initiated in the period leading up to May 19, 2026
- **Incident Date:** Active since May 2025
- **Affected Organization:** Microsoft (Platform Abuse); thousands of downstream organizations
- **Sector:** Healthcare, Education, Government, and Financial Services
- **Geography:** Global (Targeting U.S., France, India, China; Infrastructure in Canada/U.S.)
## Timeline of Events
### Initial Access
- **Date/Time:** May 2025
- **Vector:** Fraudulent Enrolment / Stolen Identities
- **Details:** Fox Tempest used stolen identities from the U.S. and Canada to pass identity validation processes for Microsoft’s Artifact Signing (formerly Azure Trusted Signing).
### Lateral Movement
- **Details:** While not traditional internal lateral movement, the attackers scaled their operation in February 2026 by providing customers with pre-configured virtual machines (VMs) on Cloudzy to streamline the artifact upload and signing process.
### Data Exfiltration/Impact
- **Impact:** Compromise of thousands of networks via signed malware.
- **Details:** Signed malware files masqueraded as legitimate software such as AnyDesk, Microsoft Teams, PuTTY, and Cisco Webex to bypass EDR/AV security controls.
### Detection & Response
- **Detection:** Analysis of fraudulent Azure subscriptions and monitoring of "SignSpace" infrastructure.
- **Response Actions:** Taken on May 19, 2026:
  - Seizure of the domain signspace[.]cloud.
  - Shutdown of hundreds of virtual machines.
  - Blocking of the underlying source code site.
  - Revocation of fraudulent digital certificates.
## Attack Methodology
- **Initial Access:** Stolen identities/Verifiable Credentials (VC) to access Microsoft signing services.
- **Persistence:** Maintaining multiple Azure subscriptions and a structured database for "SignSpace" users.
- **Defense Evasion:** Use of short-lived (72-hour) legitimate code-signing certificates to make malware appear "trusted."
- **Credential Access:** Stolen identities used to masquerade as legitimate North American entities.
- **Lateral Movement:** Provisioning of attacker-controlled VMs (Cloudzy) to customers for "hands-off" malware generation.
- **Impact:** Delivery of Rhysida and BlackByte ransomware via signed loaders (Oyster/Broomstick).
## Impact Assessment
- **Financial:** Service fees charged by Fox Tempest ranged from $5,000 to $9,000 per customer.
- **Data Breach:** Facilitated massive data theft through info-stealers (Lumma, Vidar).
- **Operational:** High disruption across healthcare and government sectors via ransomware.
- **Reputational:** Abuse of "Microsoft Official" signing trust to bypass security software.
## Indicators of Compromise
- **Network indicators:**
  - signspace[.]cloud (defanged)
  - Infrastructure hosted on Cloudzy
- **File indicators:**
  - Binaries signed with 72-hour short-lived certificates.
  - Signed versions of Oyster (Broomstick) and CleanUpLoader.
- **Behavioral indicators:**
  - Malvertising campaigns redirecting to fake download pages for Microsoft Teams.
## Response Actions
- **Containment:** Domain seizure and VM shutdown (OpFauxSign).
- **Eradication:** Blocking the threat actor’s access to Microsoft Artifact Signing and disabling fraudulent accounts.
- **Recovery:** Revocation of valid certificates used by various ransomware affiliates (Vanilla Tempest, etc.).
## Lessons Learned
- **Key Takeaways:** Even high-trust systems like managed code-signing can be subverted if the identity verification layer is bypassed with stolen credentials.
- **Vulnerabilities:** Short-lived certificates can effectively bypass revocation checks if the attack window is narrow.
## Recommendations
- **Rigorous Identity Verification:** Implement enhanced telemetry and anomaly detection during the Artifact Signing onboarding process.
- **Certificate Awareness:** Security teams should monitor for uncommon short-lived certificates, even if they appear to have a valid chain of trust.
- **Ad-Blocking & User Training:** Enforce content filtering to prevent users from following seemingly legitimate advertisements that lead to fake software download sites, which were a primary delivery vector for this signed malware.
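The "Certificate Awareness" recommendation above can be turned into a simple triage rule. The following Python is an added example, not part of the original report or of any Microsoft tooling: it runs over constructed signer records (the field names, issuer strings and expected-publisher substrings are assumptions you would replace with your own telemetry schema and allowlist) and flags binaries whose signer certificate was valid for 72 hours or less, or whose file name borrows a brand that the publisher field does not match, even when the chain validates.

```python
from datetime import datetime, timezone

MAX_SHORT_LIVED_HOURS = 72  # validity window the report attributes to the abused certificates

# Brands the report says the signed malware impersonated, mapped to a substring
# expected in the legitimate publisher name (assumed values; tune to your allowlist).
EXPECTED_PUBLISHER = {"anydesk": "anydesk", "teams": "microsoft",
                      "putty": "simon tatham", "webex": "cisco"}

# Constructed sample records (not real telemetry): one entry per signed binary,
# carrying the signer certificate's validity window and chain-validation status.
SAMPLE_SIGNER_EVENTS = [
    {"file": "AnyDesk_setup.exe", "publisher": "Example Brand Inc",
     "issuer": "Example Managed Signing CA", "chain_valid": True,
     "not_before": "2026-03-01T10:00:00Z", "not_after": "2026-03-04T10:00:00Z"},
    {"file": "Teams_installer.exe", "publisher": "Microsoft Corporation",
     "issuer": "Example Corporate CA", "chain_valid": True,
     "not_before": "2025-09-01T00:00:00Z", "not_after": "2026-09-01T00:00:00Z"},
    {"file": "putty.exe", "publisher": "Example Brand Inc",
     "issuer": "Example Managed Signing CA", "chain_valid": True,
     "not_before": "2026-03-02T08:00:00Z", "not_after": "2026-03-05T07:59:00Z"},
    {"file": "notepad_helper.exe", "publisher": "Example Dev LLC",
     "issuer": "Example Managed Signing CA", "chain_valid": False,
     "not_before": "2026-03-02T08:00:00Z", "not_after": "2026-03-05T08:00:00Z"},
]


def _parse_utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def validity_hours(event):
    """Length of the signer certificate's validity window, in hours."""
    delta = _parse_utc(event["not_after"]) - _parse_utc(event["not_before"])
    return delta.total_seconds() / 3600


def triage(event, max_hours=MAX_SHORT_LIVED_HOURS):
    """Return the reasons a signed binary deserves analyst attention (empty list = none)."""
    reasons = []
    if validity_hours(event) <= max_hours:
        reasons.append("short-lived signer certificate (<=%dh)" % max_hours)
    name, publisher = event["file"].lower(), event["publisher"].lower()
    for brand, expected in EXPECTED_PUBLISHER.items():
        if brand in name and expected not in publisher:
            reasons.append("file name references %s but publisher does not match" % brand)
    if reasons and event["chain_valid"]:
        reasons.append("chain validates; do not auto-trust")  # the report's central caveat
    return reasons


def flag_short_lived_signers(events, max_hours=MAX_SHORT_LIVED_HOURS):
    """Map file name -> reasons for every event that triggered at least one check."""
    return {e["file"]: r for e in events if (r := triage(e, max_hours))}
```

Running `flag_short_lived_signers(SAMPLE_SIGNER_EVENTS)` flags three of the four constructed records and leaves the long-lived, correctly attributed Teams installer alone.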