Microsoft Disrupts Ransomware Campaign Abusing Azure Certificates
Summary
Microsoft revoked more than 200 code-signing certificates issued through Azure Trusted Signing after attackers used them to sign fake Microsoft Teams installers that dropped the "Oyster" backdoor and ultimately deployed Rhysida ransomware. The campaign, attributed to the group Microsoft tracks as Vanilla Tempest (aka Vice Society), relied on lookalike Teams download domains and search-engine optimisation (SEO) poisoning to lure victims. The attackers also used certificates issued by SSL.com, DigiCert and GlobalSign; Microsoft's public post did not indicate that it had asked those CAs to revoke them.
Key Points
- Microsoft revoked 200+ Azure Trusted Signing certificates that were abused to sign fake MSTeamsSetup.exe installers.
- The malicious installers deployed an Oyster backdoor used to stage Rhysida ransomware across victim networks.
- Vanilla Tempest (Vice Society) used SEO poisoning and lookalike download domains to distribute the fake Teams binaries.
- Attackers also obtained code-signing certificates from SSL.com, DigiCert and GlobalSign to make malware appear legitimate.
- It remains unclear how the attackers acquired Trusted Signing certificates; other CAs say they will investigate if notified.
Content Summary
The Dark Reading piece covers Microsoft Threat Intelligence's action to disrupt a ransomware campaign by revoking abused Azure Trusted Signing certificates. Because the fake installers carried valid Authenticode signatures chaining to a trusted root, they passed controls that treat signed code as legitimate. Microsoft linked the campaign to Vanilla Tempest and outlined how the fake installers were hosted on domains mimicking Microsoft Teams. The article includes reactions from DigiCert and GlobalSign, which said they would investigate misuse when provided with credible intelligence; SSL.com had not responded at press time.
Context and Relevance
Abuse of valid code-signing certificates is an escalating threat because a signature confers trust: it satisfies publisher allow-lists, download-reputation checks and endpoint heuristics that treat signed binaries as lower risk. A signature only proves who the CA vetted and that the file is unmodified since signing; it says nothing about whether the code is benign. This incident highlights the risk that comes with managed signing services and the need for organisations to monitor their own certificate issuance, validate download sources, and tune detection to catch signed-but-malicious binaries (for example, a file named like a Microsoft installer whose signer is not Microsoft). It also shows that platform-level disruption (Microsoft revoking its own certificates) helps, but coordination between certificate authorities is needed to contain a campaign that spans several CAs.
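One practical check that follows from the paragraph above is a PowerShell triage over downloaded executables: read each file's Authenticode signature and flag anything that presents itself as a Teams installer but is not signed by Microsoft Corporation, or whose signer thumbprint appears on a list you maintain from threat intelligence. This is an added example for this summary, not code from the Dark Reading article or from Microsoft; the expected-subject string, the file-name regex, the default scan path and the (empty) known-bad thumbprint list are assumptions for the demo, and `Get-AuthenticodeSignature` does the chain and revocation validation rather than any custom logic here.

```powershell
# Added example (not from the article or Microsoft): triage executables for the
# pattern described above - a binary named like a Teams installer whose signer is
# not Microsoft Corporation, or whose certificate thumbprint is on a watch-list.
# Assumptions: the expected subject DN, the file-name regex, the default path and
# the thumbprint list are placeholders for this demo; populate them from your own
# environment and threat intelligence.
function Find-SuspiciousSignedBinary {
    param(
        [string]   $Path                = "$env:USERPROFILE\Downloads",
        [string]   $ExpectedSubject     = 'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US',
        [string]   $NamePattern         = '(?i)teams',
        [string[]] $KnownBadThumbprints = @()   # fill from your intel feed; none invented here
    )

    Get-ChildItem -Path $Path -Recurse -Include *.exe, *.msi, *.dll -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Get-AuthenticodeSignature validates the chain (including revocation where
            # reachable) and exposes the result in Status / StatusMessage.
            $sig  = Get-AuthenticodeSignature -FilePath $file.FullName
            $cert = $sig.SignerCertificate

            $subject = if ($cert) { $cert.Subject }    else { '<unsigned>' }
            $issuer  = if ($cert) { $cert.Issuer }     else { '<unsigned>' }
            $thumb   = if ($cert) { $cert.Thumbprint } else { '' }

            # Heuristics from the article: the name claims to be Teams but the signer
            # is not Microsoft; or the signer is a certificate you already know is bad.
            $looksLikeTeams = $file.Name -match $NamePattern
            $signedByMsft   = ($subject -eq $ExpectedSubject)
            $onWatchList    = ($thumb -ne '' -and $KnownBadThumbprints -contains $thumb)
            $reason = @()
            if ($looksLikeTeams -and -not $signedByMsft) { $reason += 'Teams-named, non-Microsoft signer' }
            if ($onWatchList)                            { $reason += 'thumbprint on watch-list' }
            if ($sig.Status -ne 'Valid' -and $cert)      { $reason += "signature status $($sig.Status)" }

            [pscustomobject]@{
                File       = $file.FullName
                Status     = $sig.Status          # Valid / NotSigned / HashMismatch / UnknownError ...
                StatusMsg  = $sig.StatusMessage   # e.g. why chain or revocation validation failed
                Subject    = $subject
                Issuer     = $issuer
                Thumbprint = $thumb
                NotBefore  = if ($cert) { $cert.NotBefore } else { $null }
                NotAfter   = if ($cert) { $cert.NotAfter }  else { $null }
                Reason     = ($reason -join '; ')
            }
        } | Where-Object { $_.Reason -ne '' }
}

# Usage: review the flagged rows, then pivot on Issuer/Thumbprint across the fleet.
Find-SuspiciousSignedBinary | Format-Table File, Status, Subject, Issuer, Reason -AutoSize
```

The Issuer, NotBefore and NotAfter columns are there deliberately: once a revocation like Microsoft's has happened, a previously "Valid" file will start failing validation, and recording which CA issued the certificate and how long it was valid lets you pivot across other endpoints and feed the thumbprint back into `$KnownBadThumbprints` instead of relying on file names alone.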
Why should I read this?
Quick and practical — if you look after Windows endpoints, Azure, or software supply chains, this story tells you how attackers are making malware look genuine and what Microsoft did about it. Read it to check your cert issuance logs, verify download sources, and tighten code-signing and endpoint defences. We saved you the slog: know the tactic, act on the controls.
