Cybercriminals are exploiting Microsoft’s Trusted Signing platform to code-sign malicious executables using short-lived, three-day certificates. This allows malware to bypass security filters and appear legitimate. The attackers are leveraging certificates issued by the “Microsoft ID Verified CS EOC CA 01” issuing CA: each certificate expires after three days, but executables signed with it remain valid until the certificate is revoked.
How the Attack Works
Threat actors have long sought code-signing certificates to make malware appear legitimate. Signed malware can bypass security measures that block unsigned executables. While Extended Validation (EV) certificates offer the highest trust level, they are difficult and expensive to obtain legitimately. This new method provides a simpler, albeit shorter-lived, alternative.
The Microsoft Trusted Signing service, launched in 2024, offers a cloud-based solution for developers to easily obtain code-signing certificates. It uses short-lived certificates to mitigate abuse and enhance security. Microsoft states that certificates issued through this service provide a similar SmartScreen reputation boost to those signed by its own service.
A quote from their FAQ highlights this: “A Trusted Signing signature ensures that your application is trusted by providing base reputation on smart screen, user mode trust on Windows, and integrity check signature validation compliant.”
If I remember right, this is the first time I see a malware sample that was signed with a cert having "Microsoft ID Verified CS EOC CA 01" as issuer. And only valid 3 days? 🤔
"InLine" signed "AddInProcess64.exe" sample: f1eaef2e1269594edcf61f2e77d6ca25fc3947cff8508b3474427521e67d6a5a
— MalwareHunterTeam (@malwrhunterteam) March 8, 2025
However, this ease of access is being exploited. The three-day certificate lifespan, while intended as a security measure, allows for rapid deployment and evasion before revocation. Researchers have observed this technique used in several malware campaigns, including the Crazy Evil Traffers crypto-theft campaign and the Lumma Stealer campaign.
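The practical consequence for defenders is that a binary signed with one of these certificates still shows a valid Authenticode signature long after the certificate's three-day window has passed, so the issuer name and certificate lifetime are better hunting signals than expiry alone. The following PowerShell script is an added example written for this article, not code from the article or from Microsoft; it walks a directory tree, reads each executable's Authenticode signer certificate, and reports files whose signer was issued by the CA named above with a lifetime of three days or less. The root path, the three-day threshold, the file extensions and the output columns are assumptions for illustration.

```powershell
# Added example, not from the article: hunt for executables whose Authenticode
# signer certificate came from the Trusted Signing CA named in the article and
# lived for three days or less. Root path, threshold and file types are assumptions.
param(
    [string]$Root = "C:\Users",
    [int]$MaxLifetimeDays = 3,
    [string]$IssuerPattern = "Microsoft ID Verified CS EOC CA 01"
)

$findings = foreach ($file in Get-ChildItem -Path $Root -Recurse -File -Include *.exe,*.dll -ErrorAction SilentlyContinue) {
    $sig = Get-AuthenticodeSignature -FilePath $file.FullName
    # Unsigned files carry no certificate to inspect.
    if ($sig.Status -eq 'NotSigned' -or -not $sig.SignerCertificate) { continue }

    $cert = $sig.SignerCertificate
    $lifetime = $cert.NotAfter - $cert.NotBefore

    # Only report signers from the named issuer with a short validity window.
    if ($cert.Issuer -notlike "*$IssuerPattern*" -or $lifetime.TotalDays -gt $MaxLifetimeDays) { continue }

    [pscustomobject]@{
        Path         = $file.FullName
        SHA256       = (Get-FileHash -Path $file.FullName -Algorithm SHA256).Hash
        # Status stays 'Valid' after NotAfter when the signature was timestamped,
        # which is why expiry alone is not a useful filter.
        Status       = $sig.Status
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotBefore    = $cert.NotBefore
        NotAfter     = $cert.NotAfter
        LifetimeDays = [math]::Round($lifetime.TotalDays, 2)
        Expired      = (Get-Date) -gt $cert.NotAfter
        Timestamped  = [bool]$sig.TimeStamperCertificate
        Thumbprint   = $cert.Thumbprint
    }
}

$findings | Sort-Object NotBefore -Descending | Format-Table -AutoSize
```

The script is a triage aid, not a verdict: legitimate developers use the same service, so each hit should be reviewed against the SHA256 hash (for example, the sample hash quoted above), the signer subject, and whether the file is expected on that host. The Thumbprint column lets an analyst pivot to every other file signed with the same certificate once one is confirmed malicious.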
Why the Shift to Microsoft’s Service?
Security researcher ‘Squiblydoo’ suggests that the shift towards Microsoft’s service is due to convenience.
They stated: “I think there are a few reasons for the change. For a long time, using EV certificates has been the standard, but Microsoft has announced changes to EV certificates…However, the changes to EV certificates really aren’t clear to anyone: not certificate providers, not attackers. However, due to these potential changes and lack of clarity, just having a code-signing certificate may be adequate for attacker needs. In this regard, the verification process for Microsoft’s certificates is substantially easier than the verification process for EV certificates: due to the ambiguity over EV certificates, it makes sense to use the Microsoft certificates.”
Microsoft’s Response
Microsoft acknowledges the abuse and states that they employ threat intelligence monitoring to identify and revoke misused certificates. A Microsoft spokesperson stated:
“We use active threat intelligence monitoring to constantly look for any misuse or abuse of our signing service. When we detect threats we immediately mitigate with actions such as broad certificate revocation and account suspension. The malware samples you shared are detected by our antimalware products and we have already taken action to revoke the certificates and prevent further account abuse.”
To further prevent abuse, Microsoft currently limits certificate issuance under company names to those businesses operating for at least three years. Individuals can obtain certificates more easily, but under their own names.