Microsoft Disrupts Fox Tempest Malware-Signing Service

Microsoft seized Fox Tempest's signspace.cloud domain and revoked over 1,000 fraudulent code-signing certificates used by ransomware groups and infostealers.

    Microsoft’s Digital Crimes Unit has disrupted Fox Tempest, a cybercriminal operation that charged $5,000–$9,000 to sign malware with short-lived, Microsoft-issued code-signing certificates obtained by abusing the company’s own Azure Artifact Signing platform. The service gave ransomware groups and infostealer operators a reliable way past Windows trust checks at scale.

    How Fox Tempest Turned Azure Artifact Signing Into a Malware Pipeline

    Fox Tempest operated its Malware-Signing-as-a-Service platform at the domain signspace[.]cloud, charging $5,000 to $9,000 per engagement. The operation abused Azure Artifact Signing, a legitimate cloud-based code-signing platform Microsoft launched in 2024, by systematically creating hundreds of Azure tenants and subscriptions to obtain code-signing certificates in bulk. Each certificate was valid for only 72 hours, but that is long enough to sign a payload and launch a campaign, and a steady supply of fresh certificates kept the pipeline running as individual certificates aged out.

    The technique turned Microsoft’s own infrastructure against its endpoint security ecosystem. A valid signature chaining to a trusted root lowers the scrutiny Windows and many endpoint protection tools apply: SmartScreen reputation, application control rules that allow by publisher, and analyst triage all lean on it. By supplying ransomware operators and infostealer developers with genuine Microsoft-issued signatures, Fox Tempest gave its customers a consistent way past the trust and reputation checks that would otherwise flag unsigned payloads.

    Ransomware Families and Infostealers That Used the Signing Service

    Malware distributed through Fox Tempest’s service included the Oyster backdoor, Lumma Stealer, Vidar, and ransomware variants from the Rhysida, Akira, INC, Qilin, and BlackByte families. The signed files were packaged to impersonate legitimate software including Microsoft Teams and AnyDesk — lures designed to exploit the trust users extend to familiar brand names and the trust Windows places in properly signed executables.

    How Fox Tempest Bypassed Azure Account Identity Verification

    Fox Tempest reportedly used stolen identities sourced from the United States and Canada to pass the identity verification requirements Microsoft imposes when creating Azure accounts. Using fraudulently obtained identities allowed the group to generate hundreds of tenants and subscriptions without triggering account-level blocks, sustaining the certificate issuance pipeline long enough to produce more than one thousand fraudulent code-signing certificates.

    Microsoft’s Seizure, Certificate Revocations, and Federal Lawsuit

    Microsoft’s enforcement combined technical takedown with legal action. The company seized the signspace[.]cloud domain, took hundreds of Fox Tempest virtual machines offline, and revoked all of the fraudulent code-signing certificates. Revocation is the step that actually breaks trust: a timestamped Authenticode signature keeps validating after its certificate expires, so the 72-hour windows alone would have left already-signed payloads trusted. Once the revocations propagate, every malware binary signed through the service fails signature validation on Windows systems with current revocation information.
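    The check a defender wants after a disruption like this, covering both the 72-hour certificates described above and the revocations that followed, as an added PowerShell example (not code from the original article or from Microsoft): walk a directory, read each Authenticode signature, flag files whose signing certificate had an unusually short validity window, and optionally record the outcome of a chain build with online revocation checking. The 72-hour threshold, the file-type list and the scan path are assumptions to be tuned for your environment.

```powershell
# Added example for signer triage; not code from the original article or from Microsoft.
# Flags executables whose signing certificate was valid for $MaxValidityHours or less
# (72 is an assumption mirroring the window described in the article) and, with
# -CheckRevocation, records the raw X509Chain status flags from an online CRL/OCSP
# check. An expired certificate always carries NotTimeValid; Revoked is the flag
# that a takedown like this one produces.
function Get-ShortLivedSignerReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int]      $MaxValidityHours = 72,
        [string[]] $Include = @('*.exe', '*.dll', '*.msi', '*.sys'),   # assumed file types
        [switch]   $CheckRevocation
    )

    Get-ChildItem -Path $Path -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        ForEach-Object {
            $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
            $cert = $sig.SignerCertificate
            if (-not $cert) { return }   # unsigned file: nothing to assess here

            $validityHours = ($cert.NotAfter - $cert.NotBefore).TotalHours

            $chainFlags = $null
            if ($CheckRevocation) {
                # Build the signer's chain with online revocation checking and keep the
                # status flags; needs network reach to the issuing CA's CRL/OCSP endpoints.
                $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
                $chain.ChainPolicy.RevocationMode =
                    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
                [void] $chain.Build($cert)
                $chainFlags = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            }

            [pscustomobject]@{
                File          = $_.FullName
                Status        = $sig.Status          # Valid, NotTrusted, HashMismatch, ...
                StatusMessage = $sig.StatusMessage
                SignatureType = $sig.SignatureType   # Authenticode or Catalog
                Subject       = $cert.Subject
                Issuer        = $cert.Issuer
                NotBefore     = $cert.NotBefore
                NotAfter      = $cert.NotAfter
                ValidityHours = [math]::Round($validityHours, 1)
                TimeStamped   = [bool] $sig.TimeStamperCertificate
                Thumbprint    = $cert.Thumbprint
                ChainFlags    = $chainFlags
                ShortLived    = $validityHours -le $MaxValidityHours
            }
        }
}

# Example run (scan path is an assumption): short-lived signers only, with
# untrusted or revoked verdicts sorted to the top for review.
Get-ShortLivedSignerReport -Path 'C:\Users' -CheckRevocation |
    Where-Object ShortLived |
    Sort-Object Status, ChainFlags |
    Format-Table File, Status, ChainFlags, Subject, ValidityHours, TimeStamped -AutoSize
```

    The Status column is the host's own trust verdict, so whether a revoked certificate shows up as untrusted depends on that host having fetched current revocation information; a short-lived, Microsoft-issued signer that still reads Valid on an offline machine deserves a second look rather than a pass. The TimeStamped column matters for the same reason: a timestamped signature is not invalidated by the certificate's expiry, only by revocation.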

    Microsoft simultaneously filed a federal civil lawsuit against Fox Tempest in the Southern District of New York. The civil litigation approach follows the company’s established playbook against cybercrime infrastructure operators — Microsoft used the same legal strategy against Cobalt Strike abusers and the Storm-1152 crime group in prior enforcement actions.

    Code-Signing Abuse as a Commoditized Evasion Technique

    Code-signing certificate abuse has grown as endpoint security tools have become more effective at blocking unsigned or dubiously signed executables. Fox Tempest commoditized that evasion by offering short-validity certificates at scale: 72-hour windows limited the exposure of any individual certificate while keeping the signing pipeline continuously active. The disruption removes a shared infrastructure dependency for several active ransomware families, but the underlying technique, registering fraudulent tenants on legitimate cloud code-signing services, remains viable as long as identity verification can be defeated with stolen identities.
