Microsoft's Digital Crimes Unit just pulled the plug on a criminal service that has been quietly making ransomware look like legitimate software for the past year. The operation, called Fox Tempest, sold fraudulent — but technically valid — Microsoft code-signing certificates to ransomware crews, who used them to disguise malware as familiar tools like Microsoft Teams, AnyDesk, Webex, and PuTTY. If your team has downloaded a 'Teams update' from a Google search result in the last twelve months, this story is about you.
What happened
On May 20, 2026, Microsoft said it disrupted a malware-signing-as-a-service (MSaaS) operation that weaponized the company's Artifact Signing system to deliver malicious code and conduct ransomware and other attacks, compromising thousands of machines and networks across the world. The operation, codenamed OpFauxSign, hit a group Microsoft tracks as Fox Tempest.
Fox Tempest's service was available through the website signspace[.]cloud, which let other threat actors fraudulently obtain short-lived, Microsoft-issued code-signing certificates, valid for only 72 hours, through Artifact Signing (previously named Azure Trusted Signing). Those short-lived certificates from a trusted source allowed malware and ransomware to masquerade as legitimate software like AnyDesk, Teams, PuTTY, and Webex and bypass security controls, significantly increasing the likelihood of execution and successful delivery.
Microsoft's Digital Crimes Unit revoked more than 1,000 code-signing certificates connected to the scheme, unsealed a lawsuit in the Southern District of New York, seized the signspace[.]cloud domain that allegedly supported the malware-signing service, and additionally took hundreds of virtual machines offline as part of the enforcement action.
Why this matters for small businesses
Code signing is the digital seal of approval Windows uses to decide whether a downloaded program is safe. When a file is signed by a trusted publisher, Windows SmartScreen and most antivirus products treat it with less suspicion — sometimes none. Fox Tempest's whole business was selling that trust to criminals.
The operation was linked to numerous malware and ransomware campaigns involving Oyster, Lumma Stealer, Vidar, as well as the Rhysida, Akira, INC, Qilin, and BlackByte ransomware operations, with threat actors including Vanilla Tempest, Storm-0501, Storm-2561, and Storm-0249 using the signed malware in their attacks. Several of those — Akira, Qilin, Rhysida — are the same gangs hitting small and mid-sized businesses week after week on public leak sites.
The delivery method is what should worry every office manager: threat actors like Vanilla Tempest have been found to distribute binaries signed through the service via legitimately purchased advertisements that redirected users searching for Microsoft Teams to bogus download pages, paving the way for the deployment of Oyster, a modular implant and loader responsible for delivering Rhysida ransomware. In plain English: an employee Googles "download Microsoft Teams," clicks the top ad, gets a signed installer that looks perfect, and twelve hours later your file server is encrypted.
What your managed-IT provider should be doing this week
A takedown is good news, but Microsoft itself cautioned that the cybercrime model isn't going away; attackers will rotate to the next signing scheme. Your MSP should already be doing the following, and if they're not, ask why:
1. **Application allowlisting or controlled installs.** End users should not be installing Teams, AnyDesk, Webex, or PuTTY from the open internet at all. Those tools should be deployed centrally through Microsoft 365, Intune, or your RMM — never by Googling and clicking. This is table-stakes inside York Computer's managed IT services lineup.
2. **DNS filtering and ad blocking at the network level.** Malvertising and SEO-poisoned search results are the front door for this attack. Filtering at the firewall or DNS layer cuts off most of it before the user even sees the fake download page.
3. **Don't treat "signed" as "safe."** Modern EDR should be evaluating certificate age, publisher reputation, and behavior — not just the presence of a signature. The threat actor abuses Microsoft Artifact Signing to generate short-lived, fraudulent code-signing certificates to appear legitimately signed, allowing malware to evade security controls. A 72-hour-old certificate from a publisher you've never seen before should be a red flag, not a green light.
4. **Patch your remote-access tools and verify what's installed.** If AnyDesk, ScreenConnect, or TeamViewer is on a machine and your MSP didn't put it there, treat it as hostile until proven otherwise.
5. **Tested, offline backups.** Every ransomware family named in the Fox Tempest case ends the same way: encrypted files and an extortion note. The only reliable answer is restoring from a backup the attacker can't reach.
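Items 3 and 4 above are easy to state and easy to skip. The script below is an added, illustrative example written for this post; it is not a Microsoft tool, not part of any EDR product, and not York Computer's own tooling. It assumes Windows PowerShell 5.1 or later, and that your MSP replaces the placeholder publisher allowlist and the approved-tool list with the real values it deploys. The first function triages a downloaded installer by looking past "is it signed?" to the certificate's total validity window and the publisher's subject; a certificate that was only ever valid for a few days is exactly the pattern described in this case. The second function inventories remote-access tools from the registry uninstall keys and running processes and flags any that the MSP did not approve.

```powershell
# Added example for checklist items 3 and 4 (illustrative, not vendor code).
# Assumes Windows PowerShell 5.1+; allowlist values below are placeholders.

function Test-InstallerTrust {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Placeholder subject. Replace with the exact Subject strings of the
        # publishers whose installers you actually deploy.
        [string[]] $AllowedPublishers = @('CN=Example Publisher Inc, O=Example Publisher Inc, C=US'),
        # Flag any certificate whose entire validity window is a week or less.
        # The service in this story issued certificates valid for 72 hours.
        [int] $MinimumLifetimeHours = 168
    )

    $findings = [System.Collections.Generic.List[string]]::new()
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate

    if ($sig.Status -ne 'Valid') {
        $findings.Add("Signature not valid: $($sig.Status) - $($sig.StatusMessage)")
    }
    else {
        $lifetime = $cert.NotAfter - $cert.NotBefore
        if ($lifetime.TotalHours -le $MinimumLifetimeHours) {
            $findings.Add(("Short-lived signing certificate: valid for only {0:N0} hours" -f $lifetime.TotalHours))
        }
        if ($AllowedPublishers -notcontains $cert.Subject) {
            $findings.Add("Publisher not on allowlist: $($cert.Subject)")
        }
    }

    # A valid signature with findings still gets quarantined until the MSP reviews it.
    $verdict = if ($findings.Count -eq 0) { 'Allow' } else { 'Quarantine' }

    [pscustomobject]@{
        Path      = $Path
        Verdict   = $verdict
        Publisher = if ($cert) { $cert.Subject } else { $null }
        Issuer    = if ($cert) { $cert.Issuer } else { $null }   # which CA actually issued it
        # Compare against the hash the vendor publishes on its own download page.
        Sha256    = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        Findings  = $findings
    }
}

function Find-UnexpectedRemoteAccessTools {
    param(
        # Tools the MSP deploys on purpose; anything else on the watch list is reported.
        [string[]] $ApprovedTools = @(),
        [string[]] $WatchList = @('AnyDesk', 'ScreenConnect', 'TeamViewer')
    )

    # HKCU is included because per-user installs never touch the HKLM keys.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $pattern = ($WatchList | ForEach-Object { [regex]::Escape($_) }) -join '|'

    $installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -match $pattern }
    $running = Get-Process | Where-Object { $_.ProcessName -match $pattern }

    foreach ($item in $installed) {
        $approved = $ApprovedTools | Where-Object { $item.DisplayName -like "*$_*" }
        [pscustomobject]@{ Kind = 'Installed'; Name = $item.DisplayName; Detail = $item.Publisher; Approved = [bool]$approved }
    }
    foreach ($proc in $running) {
        $approved = $ApprovedTools | Where-Object { $proc.ProcessName -like "*$_*" }
        [pscustomobject]@{ Kind = 'Running'; Name = $proc.ProcessName; Detail = $proc.Path; Approved = [bool]$approved }
    }
}

# Usage (the installer filename is a placeholder, not a real Teams artifact):
Test-InstallerTrust -Path "$env:USERPROFILE\Downloads\TeamsSetup.exe" | Format-List
Find-UnexpectedRemoteAccessTools -ApprovedTools 'ScreenConnect' | Where-Object { -not $_.Approved }
```

The point of the first function is the verdict logic: a `Valid` signature status is the starting line, not the finish line. A signing certificate whose entire lifetime is a few days, or a publisher subject your MSP has never deployed, lands the file in quarantine even though Windows itself would happily run it. The second function is deliberately noisy in the other direction: it reports approved tools too, with `Approved` set, so the MSP can confirm its own deployments are the only ones present rather than only seeing what is unexpected.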
What York Businesses Should Do
For York County offices that rely on Teams, Zoom, and remote-support tools every day, the practical takeaway is to lock down who installs what. If your current IT setup lets any employee download and run a signed installer off a Google ad, you have the same exposure as the businesses on this week's leak sites — and that's the gap York Computer closes for clients.
Sources
- Exposing Fox Tempest: A malware-signing service operation (Microsoft Security Blog)
- Microsoft Takes Down Malware-Signing Service Behind Ransomware Attacks (The Hacker News)
- Cybercrime service disrupted for abusing Microsoft platform to sign malware (BleepingComputer)
- Microsoft disrupts service helping ransomware gangs disguise malware (Axios)
- Microsoft Disrupts Malware Signing Service Used By Ransomware Groups (Windows Report)