Microsoft Dismantles Fox Tempest Malware‑Signing‑as‑a‑Service, Halting Over 1,000 Fraudulent Code‑Signing Certificates
What Happened – Microsoft’s Digital Crimes Unit, together with industry partners, seized the infrastructure of the Fox Tempest operation—a “malware‑signing‑as‑a‑service” (MSaaS) platform that issued short‑lived, trusted‑looking code‑signing certificates to ransomware and other malware families. More than 1,000 fraudulent certificates and hundreds of Azure tenants were revoked or taken down.
Why It Matters for TPRM –
- Supply‑chain abuse of trusted signing authorities can legitimize malicious binaries, bypassing many endpoint defenses.
- Third‑party cloud services (e.g., Azure) can be weaponised, exposing your vendors to indirect compromise.
- The takedown demonstrates that legal pressure and coordinated takedown can quickly neutralise a high‑impact service.
Who Is Affected – Healthcare, Education, Government, Financial Services and any other sectors that received malware signed through the Fox Tempest service.
Recommended Actions –
- Review any third‑party code‑signing or certificate‑management services used by your organization.
- Verify that all code‑signing certificates in use are issued by trusted, verifiable CAs and have proper lifecycle controls.
- Incorporate supply‑chain threat‑intel feeds (e.g., Microsoft’s MSaaS watchlist) into your vendor risk monitoring.
Technical Notes – The operation abused Microsoft Artifact Signing, creating short‑lived certificates that were used by ransomware families such as Rhysida, Oyster, Lumma Stealer, and Vidar. Attack vectors included malvertising, SEO poisoning, and fake ads. Microsoft revoked >1,000 certificates and tightened verification processes for signing requests. Source: Security Affairs
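As a starting point for the certificate-verification action above and the short-lived-certificate detail in the technical notes, the following PowerShell triage script is an added example (not from the article or from Microsoft): it walks a directory, reads each binary's Authenticode signer certificate, and flags signatures that are not Valid or whose certificate validity window is unusually short. The scan root, the 7-day threshold and the output shape are assumptions for illustration.

```powershell
# Added example, not part of the original article. Assumes a Windows host with
# Get-AuthenticodeSignature available; $Path and $MaxDaysFlag are illustrative.
param(
    [string]$Path = "$env:ProgramFiles",
    [int]$MaxDaysFlag = 7   # assumed threshold for "short-lived" signing certificates
)

$results = Get-ChildItem -Path $Path -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        if ($null -eq $cert) { return }   # unsigned file: no certificate to assess here

        # Validity window of the leaf signing certificate, in days
        $lifetimeDays = ($cert.NotAfter - $cert.NotBefore).TotalDays

        [pscustomobject]@{
            File         = $_.FullName
            Status       = $sig.Status        # Valid, HashMismatch, NotTrusted, UnknownError, ...
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotBefore    = $cert.NotBefore
            NotAfter     = $cert.NotAfter
            LifetimeDays = [math]::Round($lifetimeDays, 1)
            Thumbprint   = $cert.Thumbprint
            # Flag anything whose chain no longer validates (e.g. after revocation)
            # or whose certificate was only ever valid for a few days.
            Flag         = ($sig.Status -ne 'Valid') -or ($lifetimeDays -le $MaxDaysFlag)
        }
    }

$results | Where-Object Flag | Sort-Object LifetimeDays | Format-Table -AutoSize
```

A short validity window on its own is a triage hint, not evidence of malice, since legitimate signing services also issue short-lived certificates; flagged items still need the issuer, thumbprint and revocation status reviewed against your own inventory of approved signers.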