HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Microsoft Disrupts Malware‑Signing‑as‑a‑Service Abuse of Azure Artifact Signing, Revokes 1,000 Fraudulent Certificates

Microsoft’s Digital Crimes Unit dismantled a Fox Tempest‑run service that leveraged Azure Artifact Signing to issue over 1,000 fraudulent code‑signing certificates. The signed malware was used by multiple ransomware groups, creating a supply‑chain risk for any organization that trusts Microsoft‑signed binaries.

LiveThreat™ Intelligence · 📅 May 20, 2026· 📰 bleepingcomputer.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
3 recommended
📰
Source
bleepingcomputer.com

Microsoft Disrupts Malware‑Signing‑as‑a‑Service Abuse of Azure Artifact Signing, Revokes 1,000 Fraudulent Certificates

What Happened – Microsoft’s Digital Crimes Unit, together with industry partners, shut down a “malware‑signing‑as‑a‑service” (MSaaS) operation run by the threat actor Fox Tempest. The group abused Azure Artifact Signing to issue more than 1,000 short‑lived code‑signing certificates, enabling ransomware and other malware to appear as trusted Microsoft‑signed binaries.

Why It Matters for TPRM

  • Abuse of a legitimate cloud‑signing platform creates a supply‑chain risk that can affect any downstream organization that trusts signed binaries.
  • Hundreds of Azure tenants were leveraged, showing how attackers can hide malicious infrastructure within a trusted provider’s ecosystem.
  • The signed payloads were used by multiple ransomware families (e.g., BlackByte, Qilin, INC), expanding the threat surface for vendors and their customers.

Who Is Affected – Cloud service providers, software vendors that rely on Microsoft code‑signing, enterprises that install signed third‑party applications, and any organization targeted by the listed ransomware families.

Recommended Actions

  • Review any third‑party software that is signed with Microsoft certificates; verify the signing authority and certificate provenance.
  • Validate that your own code‑signing processes are not inadvertently using compromised Azure Artifact Signing resources.
  • Update endpoint detection rules to flag binaries signed with recently revoked Microsoft certificates.

Technical Notes – The actors created hundreds of Azure subscriptions, uploaded malicious binaries to the signspace.cloud portal, and obtained short‑lived certificates via Azure Artifact Signing (formerly Trusted Signing). Signed malware impersonated legitimate tools such as Microsoft Teams, AnyDesk, PuTTY, and Webex. Microsoft revoked the certificates, seized the domain, and filed a civil suit in the Southern District of New York. Source: BleepingComputer

📰 Original Source
https://www.bleepingcomputer.com/news/security/cybercrime-service-disrupted-for-abusing-microsoft-platform-to-sign-malware/

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Vendor Risk Hub

This is the scenario continuous vendor monitoring is built to catch.

When a vendor is compromised, your SOC 2 vendor-management controls are what produce the audit trail showing you knew, assessed, and acted. The Verisq AI Trust Operations platform tracks that continuously.

Explore the Verisq AI Trust Operations platform →