Microsoft Disrupts Malware‑Signing‑as‑a‑Service Abuse of Azure Artifact Signing, Revokes 1,000 Fraudulent Certificates
What Happened – Microsoft’s Digital Crimes Unit, together with industry partners, shut down a “malware‑signing‑as‑a‑service” (MSaaS) operation run by the threat actor Fox Tempest. The group abused Azure Artifact Signing to issue more than 1,000 short‑lived code‑signing certificates, enabling ransomware and other malware to appear as trusted Microsoft‑signed binaries.
Why It Matters for TPRM –
- Abuse of a legitimate cloud‑signing platform creates a supply‑chain risk that can affect any downstream organization that trusts signed binaries.
- Hundreds of Azure tenants were leveraged, showing how attackers can hide malicious infrastructure within a trusted provider’s ecosystem.
- The signed payloads were used by multiple ransomware families (e.g., BlackByte, Qilin, INC), expanding the threat surface for vendors and their customers.
Who Is Affected – Cloud service providers, software vendors that rely on Microsoft code‑signing, enterprises that install signed third‑party applications, and any organization targeted by the listed ransomware families.
Recommended Actions –
- Review any third‑party software that is signed with Microsoft certificates; verify the signing authority and certificate provenance.
- Validate that your own code‑signing processes are not inadvertently using compromised Azure Artifact Signing resources.
- Update endpoint detection rules to flag binaries signed with recently revoked Microsoft certificates.
Technical Notes – The actors created hundreds of Azure subscriptions, uploaded malicious binaries to the signspace.cloud portal, and obtained short‑lived certificates via Azure Artifact Signing (formerly Trusted Signing). Signed malware impersonated legitimate tools such as Microsoft Teams, AnyDesk, PuTTY, and Webex. Microsoft revoked the certificates, seized the domain, and filed a civil suit in the Southern District of New York. Source: BleepingComputer