Microsoft revokes certificates used for fake Teams installers
Advisory/Mitigation
Summary
This advisory/mitigation entry concerns Vanilla Tempest (also tracked as Vice Spider/Vice Society). Microsoft revoked over 200 certificates that had been used to fraudulently sign fake MS Teams installers. The signed lures, including MSTeamsSetup.exe, delivered the Oyster backdoor and led to Rhysida ransomware activity. Microsoft said the campaign relied on SEO poisoning and malvertising to push users searching for “Teams download” toward spoofed download sites. Microsoft also updated Defender Antivirus and Defender for Endpoint detections to help block and investigate the abuse.
Related Happenings
Microsoft Defender zero-days exploited in attacks (multiple vulnerabilities)
Vulnerability
First: 21.05.2026 10:49
Last: 21.05.2026 10:49
Sources: 1
About this happening:
Microsoft began rolling out fixes for **CVE-2026-41091** and **CVE-2026-45498**, two **actively exploited zero-days** in **Microsoft Defender** components that affect unpatched Wi...
Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs
Threat Actor Meta
First: 20.05.2026 00:47
Last: 20.05.2026 00:47
Sources: 1
About this happening:
Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...
Microsoft civil action against Fox Tempest infrastructure takedown
Regulatory/Legal Action
First: 19.05.2026 18:00
Last: 19.05.2026 18:00
Sources: 1
About this happening:
Microsoft filed a **civil action** against **Fox Tempest** in the **US District Court for the Southern District of New York**, securing a **court order** that enabled a broad disr...
Tycoon2FA device-code phishing campaign targeting Microsoft 365
Campaign
First: 17.05.2026 17:43
Last: 17.05.2026 17:43
Sources: 1
About this happening:
The **Tycoon2FA** phishing operation added **device-code phishing** to hijack **Microsoft 365** accounts, expanding its ability to steal access tokens and reach email, calendar, a...
KongTuke Microsoft Teams initial access campaign
Campaign
First: 14.05.2026 15:12
Last: 14.05.2026 15:12
Sources: 1
About this happening:
The **KongTuke** campaign now uses **Microsoft Teams** social engineering to gain persistent access to **corporate networks**, shortening initial compromise to **under five minute...
Timeline
17.10.2025 09:03 · 3 articles
Microsoft revokes fraudulent certificates and updates detections
Mitigation / Patch Update
Microsoft revoked more than 200 certificates used by Vanilla Tempest to fraudulently sign malicious binaries in attacks involving fake MSTeamsSetup.exe files, and updated its security solutions to flag signatures tied to the fake setup files, the Oyster backdoor, and Rhysida ransomware after detecting the activity in late September 2025.
Sources:
- Microsoft Revokes 200 Fraudulent Certificates Used in Rhysida Ransomware Campaign — thehackernews.com — 17.10.2025 09:03
- Microsoft Revokes 200+ Fake Certificates Used in Teams Malware Attack — www.infosecurity-magazine.com — 20.10.2025 13:00