May 21, 2026 · 9 min read
Microsoft Just Killed the Service That Turned Its Own Azure Code Signing Platform Into a Malware Laundry for Five Ransomware Gangs—at $9,000 a Subscription
Operation OpFauxSign disrupted Fox Tempest after a year of selling Microsoft-issued signatures to Akira, Rhysida, INC, Qilin, and BlackByte. The certificates expired in 72 hours—just long enough for the malware to land.
What Happened
On May 19, 2026, BleepingComputer reported that Microsoft, working with law enforcement, had disrupted a financially motivated threat group it tracks as Fox Tempest; Microsoft called the takedown Operation OpFauxSign. The group's specialty was simple and lucrative: take any piece of malware, sign it with a valid Microsoft-issued code-signing certificate, and hand it back to the buyer ready to run.
The platform, hosted on the domain signspace[.]cloud, charged $5,000 to $9,000 in bitcoin per access tier. Subscribers were Akira, Rhysida, INC Ransomware, Qilin, and BlackByte affiliates, plus the operators behind the Oyster, Lumma Stealer, and Vidar info-stealer families. By the time Microsoft unsealed the legal action, Fox Tempest had created more than 1,000 fraudulent certificates and spun up hundreds of Azure tenants to support them.
How Microsoft's Own Service Got Weaponized
The abuse vehicle was Azure Artifact Signing, the cloud code-signing platform Microsoft launched in 2024 to make legitimate code-signing easier and cheaper for developers. Fox Tempest signed up using stolen U.S. and Canadian identities, passed Microsoft's verification using those identities' real credit histories, and used the platform exactly as designed—except for what was being signed.
The clever piece was the certificate lifecycle. Most code-signing CAs issue certificates that live for one to three years. Long-lived certificates are easy to act on: once a researcher flags one as malicious, the CA revokes it and every binary signed under it gets flagged across every endpoint product. The certificates behind Fox Tempest's signatures lived 72 hours. By the time anyone caught a signed sample and asked for a revocation, the certificate had already expired on its own, and the next sample went out under a fresh certificate from a fresh tenant on a fresh stolen identity.
Defenders who key on certificate revocation never had a chance: by the time a sample surfaced, there was no live certificate left to revoke. Expiry did not disarm the samples already in circulation, either. An Authenticode signature that carries a trusted timestamp countersignature keeps verifying after the signing certificate's NotAfter date, so a loader signed under a 72-hour certificate still passes signature checks months later. The short lifetime removes the certificate from the defender's revocation workflow; it does not remove the signature from the binary.
The Numbers
From Microsoft's official disclosure and reporting at The Record:
- 1,000+ fraudulent certificates issued through Azure Artifact Signing
- Hundreds of Azure tenants set up with stolen U.S. and Canadian identities
- 72 hours: the lifetime of each certificate behind Fox Tempest's signatures, short enough that revocation rarely mattered
- $5,000 to $9,000 per access tier, paid in bitcoin
- 5 ransomware families served: Akira, Rhysida, INC, Qilin, BlackByte
- 3 info-stealer families served: Oyster, Lumma Stealer, Vidar
- May 2025: estimated start of operations
- Millions of dollars in profits, per Microsoft's filing
What Got Signed: Malware Disguised as Legitimate Tools
The signed binaries did not advertise themselves as malware. They impersonated software people install on purpose: Microsoft Teams, AnyDesk, PuTTY, Webex, and generic installers that prompted the user to "complete an update." When SmartScreen or Defender saw the file, they saw a signature that chained to Microsoft's own trust roots. The signature did not prove the binary was Microsoft Teams; it proved someone had paid Fox Tempest for a certificate and used it. The Subject on such a certificate names the identity that passed verification, not the vendor being impersonated, so a check that compares the signer's name against the publisher the file claims to be would have exposed the mismatch. A check that stops at "signed and trusted" does not, and most endpoint controls ran the file anyway.
This is why code-signing as a security control has been steadily losing value for more than a decade. Stuxnet used stolen Realtek and JMicron certificates in 2010. Operation ShadowHammer used real ASUS certs in 2019. The 3CX supply chain attack in 2023 ran on a valid 3CX signature. A signature confirms identity, not benevolence, and the identity-verification process behind most signing CAs is exactly as good as the documents a stolen identity can produce.
The Customers: A Who's Who of 2026 Ransomware
Fox Tempest's client list reads like the indictment list for the year. Akira has been one of the most active ransomware crews of the past 18 months, with healthcare and education its preferred targets. Rhysida hit the British Library in 2023 and has been working through municipal and university targets ever since. INC Ransomware operates through Vanilla Tempest affiliates, blends extortion with data theft, and has appeared in Microsoft's threat reports repeatedly. Qilin took down London's Synnovis pathology provider in 2024, contributing to one documented patient death. BlackByte has a long history of targeting U.S. critical infrastructure.
A single shared service connected all of them. When Microsoft pulled the plug on signspace[.]cloud, every one of those crews lost a piece of the infrastructure that made their first-stage loaders bypass endpoint controls. They will rebuild. The cost—measured in time and dollars per delivered payload—just went up.
Why Email Users Should Care
Almost every Fox Tempest-signed binary was delivered to its first victim by email. The classic chain: a phishing message containing a link to a "company portal" or a Microsoft Teams update, a redirect through one or two infrastructure hops, then a signed installer download. The signature is what defeats the user's last instinctive defense, the Windows SmartScreen warning that normally appears when a downloaded file is unknown.
Email is the universal delivery channel for these payloads. The infrastructure that supports the email side, such as targeted lead lists, open-tracking pixels that confirm a victim has read the lure, and click correlation that tells operators when to fire the second-stage message, is what makes the campaign profitable enough to justify a $9,000 Fox Tempest subscription. Read more on how this layered tracking works in our piece on EvilTokens OAuth phishing, which went after the same kind of Microsoft 365 tenants Fox Tempest's customers extort.
What to Do
- Stop trusting code signatures as a sole indicator. Block downloaded executables by default; allowlist by hash or by approved publisher (the signer's Subject, which is what AppLocker and WDAC publisher rules match), not by signature presence.
- Hunt for the published IOCs. Microsoft has published certificate thumbprints, Azure tenant identifiers, and the signspace[.]cloud infrastructure. Run a historical search across your EDR for any of them, as far back as your retention allows; 12 months covers the group's whole run.
- Alert on binaries signed with short-lived certificates. Several EDR vendors now alert on certificates valid for less than 7 days. If yours does not, ask why. Expect legitimate hits: a short validity window is not proof of fraud on its own, so treat the rule as a triage signal rather than a hard block and pair it with a publisher check.
- Treat any signed binary impersonating Teams, AnyDesk, PuTTY, or Webex as suspect. Push standard installers through your software distribution platform; train users to refuse any "update" that arrived by email.
- Reduce phishing exposure at the inbox. Combine sender authentication (DMARC enforced at p=reject), URL rewriting, and attachment sandboxing. DMARC only stops lures that spoof a domain enforcing it; a lookalike domain the attacker registers passes, so rewriting and sandboxing carry the rest. Most Fox Tempest payloads die if the lure email never gets a click.
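As an added example (not code from the article, from Microsoft, or from any of the reporting it cites), here is a PowerShell sweep that applies the checks above, and the certificate-lifecycle point from earlier, to whatever sits in a Downloads folder. For each executable it reports the signature status, the signer's Subject CN, the signing certificate's validity window in days, and whether the signature carries a timestamp countersignature, and it flags files that claim to be one of the impersonated products while being signed by someone other than the expected publisher. The product-to-publisher map and the 7-day threshold are assumptions to adjust, not data from the case; the real Subject CN for each product should be taken from a vetted installer.

```powershell
# Added example (not from the original article or from Microsoft): inspect downloaded
# executables the way the "What to Do" list recommends. A file is clean only if it is
# signed AND its signer is the publisher the file claims to be AND the signing
# certificate was not unusually short-lived. Windows PowerShell 5.1 or PowerShell 7
# on Windows (Get-AuthenticodeSignature is Windows-only).

# Product names (matched against the file's version info) -> publisher CN we expect
# on the signing certificate. ASSUMED placeholder values: take the real Subject CN
# from a vetted installer of each product before relying on them.
$ExpectedPublisher = @{
    'Microsoft Teams' = 'Microsoft Corporation'
    'AnyDesk'         = 'AnyDesk Software GmbH'
    'PuTTY'           = 'Simon Tatham'
    'Webex'           = 'Cisco Systems, Inc.'
}

# A signing certificate valid for fewer days than this is flagged as short-lived.
$ShortLivedDays = 7

function Test-DownloadedBinary {
    param([Parameter(Mandatory)][string]$Path)

    $sig      = Get-AuthenticodeSignature -FilePath $Path
    $info     = (Get-Item -LiteralPath $Path).VersionInfo
    $cert     = $sig.SignerCertificate
    $signerCN = $null
    $lifetime = $null
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Is the signature cryptographically valid and chained to a trusted root?
    if ($sig.Status -ne 'Valid') {
        $findings.Add("signature status: $($sig.Status)")
    }

    if ($cert) {
        # 2. How long was the signing certificate valid for? A short window is normal
        #    for some signing services, so this is a triage signal, not a verdict.
        $lifetime = $cert.NotAfter - $cert.NotBefore
        if ($lifetime.TotalDays -lt $ShortLivedDays) {
            $findings.Add(('short-lived signing cert: {0:N1} days ({1:u} to {2:u})' -f
                $lifetime.TotalDays, $cert.NotBefore, $cert.NotAfter))
        }

        # 3. Does the signer's Subject CN match the publisher the file claims to be?
        #    This is the comparison AppLocker/WDAC publisher rules make and that a bare
        #    "is it signed?" check skips.
        $signerCN = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        $claims = "$($info.ProductName) $($info.FileDescription) $($info.OriginalFilename)"
        foreach ($product in $ExpectedPublisher.Keys) {
            if ($claims -match [regex]::Escape($product) -and
                $signerCN -ne $ExpectedPublisher[$product]) {
                $findings.Add("claims to be '$product' but is signed by '$signerCN'" +
                              " (expected '$($ExpectedPublisher[$product])')")
            }
        }
    }

    [pscustomobject]@{
        Path        = $Path
        Status      = $sig.Status
        Signer      = $signerCN
        CertDays    = if ($null -ne $lifetime) { [math]::Round($lifetime.TotalDays, 1) } else { $null }
        Timestamped = $null -ne $sig.TimeStamperCertificate
        Suspicious  = $findings.Count -gt 0
        Findings    = $findings -join '; '
    }
}

# Sweep the current user's Downloads folder and show only what needs a human look.
Get-ChildItem -Path "$env:USERPROFILE\Downloads" -Include *.exe, *.msi, *.dll -Recurse -File |
    ForEach-Object { Test-DownloadedBinary -Path $_.FullName } |
    Where-Object Suspicious |
    Format-Table Path, Status, Signer, CertDays, Timestamped, Findings -AutoSize
```

The same three questions (is it signed, by whom, under a certificate valid for how long) map directly onto the per-file certificate telemetry most EDR products keep, which is where the fleet-wide version of this hunt belongs. Of the three, the publisher mismatch is the higher-confidence signal; the short-lived rule will also fire on legitimate software signed through cloud signing services and needs that second check to be useful.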
What Comes Next
Microsoft pulled the rug. Fox Tempest's customers will find another signing provider within weeks—possibly outside Microsoft's ecosystem, possibly using stolen EV certificates from a smaller CA, possibly switching to AppLocker bypasses that do not require signatures at all. The pattern—buy a shared service, abuse it for a year, take the lumps when it gets shut down—is well established in cybercrime economics.
The deeper lesson is for Microsoft itself: a cloud-issued code-signing service is identity verification at scale, and identity verification is exactly the part of fraud that organized crime has been industrially defeating for two decades. Until the verification side is hardened—biometric, repeated, tied to behavior—the next OpFauxSign is in the queue.