Microsoft Improves Cyber Protection by Revoking Fake Certificates Exploited in Ongoing Cyber Threat Campaigns

Microsoft uncovered a major cyberattack campaign, Vanilla Tempest, where hackers used fake Microsoft Teams installers (MSTeamsSetup.exe) to spread malware and ransomware. Microsoft has revoked compromised certificates and enhanced Defender Antivirus protection against this threat.

Microsoft's security team uncovered a massive cyberattack campaign in which hackers used fake Microsoft Teams setup files to spread malware and ransomware. Microsoft has termed the campaign "Vanilla Tempest" and it has been active for years, targeting consumers with fraudulent downloads.

According to Microsoft Threat Intelligence, attackers fraudulently signed over 200 digital certificates, which were then utilised to make fake files appear real. These files, titled MSTeamsSetup.exe, were intended to deploy the Oyster backdoor, a type of malware that allows hackers to gain remote access to infected PCs. Once installed, it launched Rhysida ransomware, which encrypts data and demands payment to unlock it. The campaign also included additional harmful ransomware families, such as BlackCat, Quantum Locker, and Zeppelin, which are all known for targeting organisations and stealing sensitive data for financial extortion.

To spread these fake installers, the attackers used SEO poisoning and malvertising, meaning they manipulated search results and web ads to mislead users. When consumers searched for "Teams download" on Google, they were directed to a fake website. These websites appeared to be legitimate, but they actually hosted malicious files that installed malware rather than the genuine Microsoft Teams program. Microsoft revealed that Vanilla Tempest began using the Oyster backdoor in June 2025, and by September 2025 they were using stolen or fraudulent certificates from genuine providers such as SSL.com, DigiCert, and GlobalSign to make their malware appear trustworthy.

Microsoft has revoked all of the compromised certificates used in the attack, confirming that Microsoft Defender Antivirus can now detect and fight this threat. The company has also issued thorough security advice via Defender for Endpoint to assist organisations in investigating, containing, and preventing such intrusions in the future. Vanilla Tempest, a hacking group, has been operating since at least 2021 and has previously launched ransomware operations against the healthcare and education sectors in both the United States and the United Kingdom. This latest campaign emphasises the growing danger of fake software installers and serves as a warning to consumers to always download apps from official sources and keep security tools up to date to avoid such attacks.

Cyberattacks like this demonstrate how attackers exploit public confidence in prominent platforms. Continuous cyber awareness and software authenticity checks are required to remain safe. Users and organisations can lower their risk of future ransomware occurrences by implementing effective security measures.
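The "software authenticity check" mentioned above can be made concrete. The PowerShell script below is an added example written for this article; it is not code from Microsoft or from Infosecurity Magazine. It verifies a downloaded installer's Authenticode signature, then goes two steps further than Windows' default check: it confirms the signer is the publisher you expect (the campaign's installers were signed with certificates fraudulently obtained from real CAs, so "signature valid" alone proves nothing about who signed it), and it rebuilds the certificate chain with online revocation checking so a certificate that has since been revoked is refused. The file path and the expected publisher string `O=Microsoft Corporation` are assumptions for illustration.

```powershell
# Added example (not from the article or from Microsoft): check that a downloaded
# installer is signed by the expected publisher with an unrevoked certificate.
# Assumptions: the path used at the bottom is a placeholder, and the expected
# publisher substring is illustrative.

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Substring expected in the signer certificate's Subject (assumption:
        # the genuine Teams installer is signed by Microsoft Corporation).
        [string] $ExpectedPublisher = 'O=Microsoft Corporation'
    )

    $reasons = New-Object System.Collections.Generic.List[string]

    if (-not (Test-Path -LiteralPath $Path)) {
        $reasons.Add('file not found')
        return [pscustomobject]@{ Path = $Path; Verdict = 'REJECT'; Reasons = $reasons }
    }

    # Step 1: Windows' own Authenticode verification (hash matches, signature
    # well-formed, chain to a trusted root). A fraudulently obtained certificate
    # from a real CA passes this step, which is why steps 2 and 3 exist.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        $reasons.Add("Authenticode status is '$($sig.Status)'")
        return [pscustomobject]@{ Path = $Path; Verdict = 'REJECT'; Reasons = $reasons }
    }

    # Step 2: the signer must be the publisher we expect, not merely any
    # customer of a trusted CA.
    $signer = $sig.SignerCertificate
    if ($signer.Subject -notlike "*$ExpectedPublisher*") {
        $reasons.Add("signer is '$($signer.Subject)', expected '$ExpectedPublisher'")
    }

    # Step 3: rebuild the chain with online revocation checking (CRL/OCSP) for
    # every certificate in it, so a revoked signing certificate is refused.
    # Caveat: a legitimate timestamped signature whose certificate has since
    # expired may show NotTimeValid here; inspect such cases manually.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    try {
        $chain.ChainPolicy.RevocationMode =
            [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $chain.ChainPolicy.RevocationFlag =
            [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
        if (-not $chain.Build($signer)) {
            foreach ($s in $chain.ChainStatus) {
                $reasons.Add("chain: $($s.Status) - $($s.StatusInformation.Trim())")
            }
        }
    }
    finally {
        $chain.Dispose()
    }

    $verdict = if ($reasons.Count -eq 0) { 'ACCEPT' } else { 'REJECT' }
    [pscustomobject]@{ Path = $Path; Verdict = $verdict; Reasons = $reasons }
}

# Usage (placeholder path; point it at the file you actually downloaded):
Test-InstallerSignature -Path 'C:\Downloads\MSTeamsSetup.exe' | Format-List
```

A result of `REJECT` with a reason in the `signer is ...` form is the case this campaign relied on: a file whose signature Windows accepts but whose signer is not the software's real publisher. Because Microsoft revoked the certificates involved, step 3 will also now flag installers signed with them, provided the machine can reach the CAs' revocation services.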

Information referenced in this article is from Infosecurity Magazine