Microsoft disrupts Fox Tempest
- Microsoft said on May 19 it disrupted Fox Tempest, a cybercrime service that since May 2025 helped criminals disguise malware as legitimate software.
- Microsoft said it revoked more than 1,000 code-signing certificates tied to Fox Tempest and seized the signspace.cloud website used in the operation.
- Microsoft’s May 19 court filing in the Southern District of New York names Fox Tempest and details the disruption steps.
Microsoft said on May 19 that its Digital Crimes Unit disrupted Fox Tempest, a cybercrime service it says had helped ransomware operators and other threat actors make malware look like legitimate software since May 2025. The company said the service sold “malware-signing-as-a-service,” giving customers access to real code-signing certificates and to Microsoft’s Artifact Signing platform, formerly called Trusted Signing. Microsoft said it unsealed a legal case in the U.S. District Court for the Southern District of New York as part of the action, seized the signspace.cloud website and took hundreds of virtual machines offline.

### What did Fox Tempest actually sell?

Microsoft said Fox Tempest sold trust, not just malware. In the company’s account, the service let criminal customers obtain signed executables, drivers and other files that would appear to security tools and users as if they came from a legitimate software publisher. TechRepublic and BleepingComputer, citing Microsoft, reported that Fox Tempest customers included ransomware and malware operators who wanted signed payloads to improve delivery and evade defenses. (blogs.microsoft.com) Microsoft said the operation functioned as a service business, with operators adapting their methods as Microsoft disabled accounts and revoked certificates.

### How was Microsoft’s own signing service involved?

Microsoft said Fox Tempest fraudulently accessed and abused Artifact Signing, an Azure service designed to verify that software is legitimate and untampered with. Microsoft’s product page describes Artifact Signing as a managed service for signing code, documents and applications, while Microsoft Learn says it is an end-to-end signing service for partner developers and remains in public preview. (techrepublic.com) BleepingComputer reported that the criminals used the service to generate fraudulent code-signing certificates.
Microsoft said that as it introduced protections, Fox Tempest shifted in February 2026 to networks of third-party-hosted virtual machines to keep the business running.

### Why does a signed file matter so much?

(blogs.microsoft.com) Signed software carries a signal of legitimacy. Microsoft said Artifact Signing is meant to help developers prove software origin and integrity, and attackers sought to borrow that trust so malware would look safer to install and harder to block. SecurityWeek and Infosecurity Magazine, citing Microsoft, said Fox Tempest’s service was used to distribute ransomware and other malware under the cover of valid-looking signatures. (bleepingcomputer.com) That meant the abuse targeted a control that many organizations use to decide what code can run.

### What did Microsoft do to disrupt it?

Microsoft said it revoked more than 1,000 code-signing certificates it attributed to Fox Tempest, disabled fraudulent accounts, seized the signspace.cloud domain and blocked access to a site hosting the underlying code. (azure.microsoft.com) The company also said it took hundreds of virtual machines offline with support from industry partner Resecurity. (securityweek.com) Steven Masada, assistant general counsel in Microsoft’s Digital Crimes Unit, said in the company’s May 19 post that the action targeted “the infrastructure and access model” behind the service. Microsoft described the move as part of a broader pattern of legal and technical disruptions run through the Digital Crimes Unit. (microsoft.com)

### What comes next after the takedown?

The Southern District of New York case unsealed on May 19 sets out Microsoft’s legal claims and the disruption measures already taken, according to the company. Microsoft said it is continuing certificate revocations, account enforcement and product defenses aimed at preventing further abuse of Artifact Signing.
(microsoft.com) Microsoft’s public documentation for Artifact Signing and related integrations remains the place where customers can track how the service works and what controls are available. The Fox Tempest case also gives defenders a concrete list of indicators and techniques to review against signed software and certificate use in their own environments. (learn.microsoft.com) (blogs.microsoft.com)