
Fox Tempest: Microsoft DCU Dismantles Malware-Signing-as-a-Service That Forged Trusted Certificates for Ransomware Groups

dark6 27 May 2026

Microsoft’s Digital Crimes Unit (DCU), in collaboration with security firm Resecurity, has disrupted a sophisticated criminal operation known as Fox Tempest — a financially motivated threat actor that operated a full-scale malware-signing-as-a-service (MSaaS) platform by abusing Microsoft’s own Artifact Signing infrastructure. The operation enabled cybercriminals to distribute malware that appeared digitally trusted, helping them bypass enterprise security controls. More than 1,000 fraudulent certificates linked to the operation have been revoked.

Abusing the Trust That Defenders Rely On

Fox Tempest leveraged Microsoft’s Artifact Signing service (formerly known as Azure Trusted Signing) to obtain short-lived code-signing certificates valid for up to 72 hours. Because those certificates chain to a Microsoft-operated certification authority that Windows trusts by default, a binary signed with one passes the same Authenticode validation as legitimately signed software: the user sees no unknown-publisher warning, and security tooling that weighs a valid signature in its verdict sees a trusted signer.

Spoofed applications included well-known and trusted software brands:

  • Microsoft Teams
  • AnyDesk
  • PuTTY
  • Cisco Webex

To obtain these certificates, the threat actor used stolen or synthetic identities from the United States and Canada to pass Microsoft’s identity verification process. The operation was facilitated through a now-defunct platform, signspace[.]cloud, which offered a commercial interface allowing customers to upload malicious files and receive back digitally signed binaries, ready to deploy.

Ransomware Supply Chain Enabler

Microsoft Threat Intelligence has tracked Fox Tempest since September 2025, identifying it as a key enabler within the broader ransomware ecosystem rather than a direct attacker. The group created hundreds of Azure tenants and subscriptions to support its operations and issued thousands of certificates at scale.

The service was used by some of the most active ransomware and malware groups currently operating:

  • Vanilla Tempest — deployed Rhysida ransomware using Fox Tempest-signed loaders
  • Storm-0501 and Storm-2561 — used signed Lumma Stealer and Vidar infostealer binaries
  • Storm-0249 — distributed the Oyster (Broomstick) backdoor via signed fake Microsoft Teams installers through malvertising campaigns

Cryptocurrency analysis linked Fox Tempest to ransomware affiliates operating the Qilin, Akira, and INC ransomware families, with estimated revenues reaching millions of dollars.

Commercial Pricing Model

Fox Tempest operated as an openly commercial service on criminal markets. Customers paid between $5,000 and $9,000 for malware-signing services, with access managed through Telegram channels and online sign-up forms. Higher-paying customers received priority processing. The service significantly lowered the barrier to entry for less sophisticated ransomware affiliates that lacked the technical capability to obtain trusted code-signing certificates on their own.

In early 2026, Fox Tempest evolved its infrastructure by offering pre-configured virtual machines (VMs) hosted on third-party providers. These VMs enabled customers to upload payloads into controlled environments where automated scripts handled the signing process end-to-end, improving both operational security and turnaround time.

The Takedown

Microsoft’s DCU, working alongside Resecurity, disrupted Fox Tempest’s infrastructure in May 2026, seizing and taking down the signspace[.]cloud platform and revoking all certificates identified as fraudulently obtained. Revocation, rather than expiry, is what matters here: Authenticode signatures are normally countersigned by a trusted timestamp, so a binary signed during a certificate’s 72-hour window keeps validating long after the certificate expires, and only revocation retroactively breaks it. With more than 1,000 certificates revoked, previously signed malware now fails validation on hosts that actually check revocation status (reachable CRL/OCSP endpoints, no stale cached result); malware already running on a compromised host is not affected by a revocation after the fact.

Known indicators of compromise include the domain signspace[.]cloud and the following certificate fingerprints (SHA-1):

  • dc0acb01e3086ea8a9cb144a5f97810d291020ce
  • 7e6d9dac619c04ae1b3c8c0906123e752ed66d63

Recommendations for Organizations

The Fox Tempest disruption highlights the inherent risk of relying solely on digital signature trust as a security control. Microsoft has outlined the following defensive measures organizations should implement:

  • Enable cloud-delivered protection and real-time scanning in endpoint security solutions to detect malware even when it carries a valid signature
  • Deploy Microsoft Defender SmartScreen to block malicious downloads and untrusted websites
  • Enforce tamper protection to prevent threat actors from disabling security tools after initial access
  • Use Attack Surface Reduction (ASR) rules to block common techniques used to execute signed malware
  • Monitor for short-lived certificate activity and flag binaries signed by certificates with unusually brief validity windows; note that every Artifact Signing tenant receives 72-hour certificates, so a brief window is a triage signal to correlate with signer identity, download origin and file behaviour, not a verdict on its own
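As an added example, not code from the original article or from Microsoft or Resecurity, the following Python script applies the last recommendation together with the two published certificate fingerprints from the indicators section above. It works on signer metadata already extracted from binaries (for instance from Get-AuthenticodeSignature or `signtool verify /v` output), not on the PE files themselves. The record layout, the sample records, the Northwind and Contoso signer names, and the expected-signer table are constructed for illustration and should be tuned to the signers seen on known-good installers in your own environment.

```python
"""Triage Authenticode signer metadata for Fox Tempest-style certificate abuse.

Added example, not Microsoft's or Resecurity's code. Records mimic fields that
Get-AuthenticodeSignature or `signtool verify /v` report; all sample data below
is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# SHA-1 leaf-certificate fingerprints published as IOCs for this operation.
FOX_TEMPEST_THUMBPRINTS = {
    "dc0acb01e3086ea8a9cb144a5f97810d291020ce",
    "7e6d9dac619c04ae1b3c8c0906123e752ed66d63",
}

# Artifact Signing (Trusted Signing) certificates live for 72 hours.
SHORT_LIVED = timedelta(hours=72)

# Product names the operation impersonated, mapped to a substring expected in
# the legitimate signer's certificate subject. ASSUMPTION: tune these to the
# signers you actually observe on known-good installers in your estate.
EXPECTED_SIGNER = {
    "microsoft teams": "microsoft corporation",
    "anydesk": "anydesk",
    "putty": "simon tatham",
    "cisco webex": "cisco",
}


@dataclass(frozen=True)
class SignedBinary:
    path: str
    product_name: str    # PE version resource: what the victim sees
    signer_subject: str  # leaf certificate Subject, as a string
    thumbprint: str      # SHA-1 of the leaf certificate, hex, any case
    not_before: datetime
    not_after: datetime


def triage(b: SignedBinary) -> list[str]:
    """Return zero or more findings for one signed binary."""
    findings: list[str] = []

    if b.thumbprint.lower() in FOX_TEMPEST_THUMBPRINTS:
        findings.append("ioc:thumbprint")

    # Validity window of the leaf certificate. Every Artifact Signing tenant
    # gets 72-hour certificates, so this is a pivot, not a verdict on its own.
    window = b.not_after - b.not_before
    if window <= SHORT_LIVED:
        findings.append(f"short-lived:{int(window.total_seconds() // 3600)}h")

    # A binary claiming to be a well-known product but signed by someone else.
    expected = EXPECTED_SIGNER.get(b.product_name.lower())
    if expected and expected not in b.signer_subject.lower():
        findings.append("brand-signer-mismatch")

    return findings


def severity(findings: list[str]) -> str:
    """Collapse findings to high / low / none for queueing."""
    if any(f.startswith("ioc:") or f == "brand-signer-mismatch" for f in findings):
        return "high"
    return "low" if findings else "none"


def triage_all(records: list[SignedBinary]) -> dict[str, tuple[str, list[str]]]:
    """Map path -> (severity, findings) for a batch of records."""
    result: dict[str, tuple[str, list[str]]] = {}
    for b in records:
        findings = triage(b)
        result[b.path] = (severity(findings), findings)
    return result


def _utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample records (not real captures).
SAMPLES = [
    # Genuine vendor build: long-lived certificate, signer matches the brand.
    SignedBinary(r"C:\Users\a\Downloads\Teams_windows_x64.exe", "Microsoft Teams",
                 "CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond",
                 "0" * 40, _utc(2025, 1, 1), _utc(2026, 1, 1)),
    # Fake Teams installer: IOC fingerprint, 72-hour cert, unrelated signer.
    SignedBinary(r"C:\Users\a\Downloads\TeamsSetup.exe", "Microsoft Teams",
                 "CN=Northwind Consulting LLC, O=Northwind Consulting LLC",
                 "DC0ACB01E3086EA8A9CB144A5F97810D291020CE",
                 _utc(2026, 3, 1), _utc(2026, 3, 4)),
    # In-house tool legitimately signed through Artifact Signing: only the
    # validity window trips, which is expected and low severity.
    SignedBinary(r"C:\Program Files\Contoso\agent.exe", "Contoso Agent",
                 "CN=Contoso Ltd, O=Contoso Ltd", "1" * 40,
                 _utc(2026, 4, 10), _utc(2026, 4, 13)),
]


if __name__ == "__main__":
    for path, (sev, findings) in triage_all(SAMPLES).items():
        print(f"{sev:<5} {path}  {findings}")
```

The 72-hour check is deliberately reported as low severity on its own: every Artifact Signing customer receives certificates with that lifetime, so it only becomes interesting alongside a fingerprint hit, a brand/signer mismatch, or an origin such as a malvertised download. Adding a revocation-status field to the record and treating a revoked signer as high severity is the natural next step once your signature export carries that information.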

The takedown of Fox Tempest represents a significant disruption to the ransomware supply chain. By targeting the trusted signing service rather than individual attackers, the operation removes a critical capability used by multiple ransomware groups simultaneously. However, the incident reinforces a fundamental truth: legitimate cloud services and trust mechanisms will continue to be abused as long as they can lower the cost and complexity of malware distribution for criminal actors.
