Fox Tempest MSaaS Takedown: Detecting Abuse of Microsoft Artifact Signing

On Tuesday, Microsoft announced the disruption of a sophisticated Malicious Software-Signing-as-a-Service (MSaaS) operation orchestrated by the threat actor Fox Tempest. This group, historically associated with social engineering and initial access brokerage, weaponized Microsoft's own Artifact Signing system to sign malicious code. By doing so, they bypassed fundamental trust controls, enabling encryption-based attacks (likely ransomware) and the deployment of other malware that appeared trusted to operating systems and security controls.

This breach of the supply chain trust boundary is critical. It renders traditional application whitelisting and signature-based trust verification insufficient, as the malware carries a valid, trusted Microsoft signature. Defenders must move beyond simple signature verification and analyze behavioral context and file origin.

Technical Analysis

Affected Systems and Scope

Affected Mechanism: Microsoft Artifact Signing Service (abused via compromised developer credentials or enrollment workflows).
Threat Actor: Fox Tempest (aligned with Scattered Spider / 0ktapus TTPs).
Payloads: Malware signed with valid Microsoft certificates, used to facilitate encryption-based cyber incidents (ransomware).
Impact: Thousands of machines and networks compromised globally.

The Attack Chain

Initial Access: Fox Tempest utilizes phishing or social engineering to compromise legitimate developer credentials or tenant identities.
Abuse of Trust: The actor authenticates to the Microsoft Artifact Signing system or related code signing infrastructure.
MSaaS Operation: They submit malicious payloads (e.g., ransomware loaders, backdoors) to be signed.
Delivery: The service returns the malware, now signed with a valid Microsoft certificate.
Execution & Evasion: The malware is deployed on victim networks. Because it is signed by a trusted root (Microsoft), it bypasses User Account Control (UAC), AppLocker, and many antivirus heuristics that rely on reputation or untrusted flags.
Objective: Execution of encryption-based attacks (data extortion/ransomware).

Exploitation Status

Status: Confirmed Active Exploitation. Microsoft has seized the infrastructure, but signed binaries may persist in the wild.
CVE: While this is an abuse of functionality rather than a specific software vulnerability (CVE), it represents a failure of identity and access management (IAM) controls within the signing ecosystem.

Detection & Response

The primary challenge with this threat is that indicators of compromise (IOCs) are signed by a trusted vendor. We cannot block "Microsoft Corporation" signed files globally. Instead, we must detect the anomaly of a Microsoft-signed binary executing from a user-writable location or the abuse of the signing tools themselves.

Sigma Rules

YAML

---
title: Potential MSaaS Abuse - Microsoft Signed Binary in User Directory
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
status: experimental
description: Detects the execution of binaries signed by Microsoft originating from user-writable directories (AppData, Downloads, Temp), a common tactic for MSaaS-delivered malware.
references:
  - https://thehackernews.com/2026/05/microsoft-takes-down-malware-signing.html
author: Security Arsenal
date: 2026/05/13
tags:
  - attack.defense_evasion
  - attack.t1553.002
  - attack.signed_binary_proxy
logsource:
  category: process_creation
  product: windows
detection:
  selection:
    Signed: 'true'
    Signer|contains:
      - 'Microsoft Corporation'
      - 'Microsoft Windows'
    Image|contains:
      - '\AppData\'
      - '\Downloads\'
      - '\Temp\'
      - '\Desktop\'
  filter:
    # Filter out known false positives like VS Code, Office updates running from cache if necessary
    Image|contains:
      - '\Microsoft\VSCode\'
      - '\WindowsApps\'
condition: selection and not filter
falsepositives:
  - Legitimate developer tools running from user profiles (e.g., portable apps)
level: high
---
title: Abuse of Signing Tools - Signtool or Azure Artifacts Signing
id: 1a2b3c4d-5e6f-7a8b-9c0d-1e2f3a4b5c6d
status: experimental
description: Detects the usage of Microsoft signing tools (signtool.exe) or Azure Artifacts signing scripts by non-build accounts or at odd hours, indicating potential MSaaS enrollment activity.
references:
  - https://thehackernews.com/2026/05/microsoft-takes-down-malware-signing.html
author: Security Arsenal
date: 2026/05/13
tags:
  - attack.resource_development
  - attack.t1608.002
logsource:
  category: process_creation
  product: windows
detection:
  selection_tools:
    Image|endswith:
      - '\signtool.exe'
      - '\AzureSignTool.exe'
  selection_cli:
    CommandLine|contains:
      - 'sign'
      - '/f '
      - '/p '
  filter_legit:
    User|contains:
      - 'SYSTEM'
      - 'LOCAL SERVICE'
      - 'NETWORK SERVICE'
    # Add your build service accounts here
    # User|contains:
    #   - 'builduser'
    #   - 'devops'
condition: selection_tools and selection_cli and not filter_legit
falsepositives:
  - Legitimate software developers signing code manually
level: medium

KQL (Microsoft Sentinel / Defender)

This hunt query joins process creation events with file information to identify signed binaries running from suspicious paths.

KQL — Microsoft Sentinel / Defender

// Hunt for Microsoft-signed binaries executing from user directories
DeviceProcessEvents
| where Timestamp > ago(7d)
| extend FilePath = tolower(FolderPath)
| where FilePath matches regex @".*\\(appdata|downloads|temp|desktop)\\.*" 
| where isnotempty(Signer)
| where Signer contains "Microsoft" 
// Exclude standard windows apps running from WindowsApps in AppData context if applicable
| where not (FolderPath contains "WindowsApps" and ProcessVersionInfoCompanyName contains "Microsoft")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, FolderPath, Signer, SHA256
| order by Timestamp desc

Velociraptor VQL

This VQL artifact hunts for PE files in user directories that possess a valid signature, which is highly suspicious in the context of the Fox Tempest MSaaS abuse.

VQL — Velociraptor

-- Hunt for signed executables in user profile directories
SELECT 
  FullPath,
  Size,
  Mtime,
  Subject,
  Issuer,
  Status
FROM glob(globs="/*/*/Users/*/*.exe")
WHERE 
  -- Check if the file has a valid authenticode signature
  authenticode(filename=FullPath).Status = "Valid"
  -- Exclude signed binaries in standard system paths if they accidentally match the glob
  AND FullPath NOT =~ "C:\\Windows\\"
  AND FullPath NOT =~ "C:\\Program Files\\"
  AND FullPath NOT =~ "C:\\Program Files (x86)\\"

Remediation Script (PowerShell)

This script scans user profiles for signed binaries and verifies the revocation status of the certificates, helping to identify binaries signed by the now-compromised infrastructure that Microsoft may have revoked.

PowerShell

# Audit Script: Detect Suspicious Signed Binaries in User Directories
# Requires Administrator privileges

$UserProfiles = Get-ChildItem "C:\Users" -Directory
$SuspiciousPaths = @("Downloads", "AppData", "Desktop", "Temp", "Documents")
$Findings = @()

foreach ($Profile in $UserProfiles) {
    foreach ($PathType in $SuspiciousPaths) {
        $TargetPath = Join-Path $Profile.FullName $PathType
        if (Test-Path $TargetPath) {
            Write-Host "Scanning $TargetPath..." -ForegroundColor Cyan
            Get-ChildItem -Path $TargetPath -Recurse -Include *.exe,*.dll,*.ps1 -ErrorAction SilentlyContinue | ForEach-Object {
                $Sig = Get-AuthenticodeSignature $_.FullName
                if ($Sig.Status -eq 'Valid') {
                    # Check for Microsoft signing but unusual location
                    if ($Sig.SignerCertificate.Subject -like "*Microsoft*" -or $Sig.SignerCertificate.Issuer -like "*Microsoft*") {
                        $Findings += [PSCustomObject]@{
                            Path       = $_.FullName
                            Signer     = $Sig.SignerCertificate.Subject
                            Status     = $Sig.Status
                            Reason     = $Sig.StatusMessage
                        }
                    }
                }
            }
        }
    }
}

if ($Findings.Count -gt 0) {
    Write-Host "ALERT: Found signed binaries in suspicious locations:" -ForegroundColor Red
    $Findings | Format-Table -AutoSize
} else {
    Write-Host "No suspicious signed binaries found in user directories." -ForegroundColor Green
}

Remediation

Enable Certificate Revocation Checking: Ensure that all endpoints enforce strict CRL (Certificate Revocation List) and OCSP (Online Certificate Status Protocol) checking. Microsoft has revoked the abused certificates; systems must check these revocation lists to reject the malicious files.
- Action: Configure Group Policy: Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Certificate Path Validation Settings. Set "Online Certificate Status Protocol (OCSP)" and "Certificate Revocation List (CRL)" to "Always".
Audit Developer Accounts: Fox Tempest compromised credentials to access the signing service.
- Action: Force password resets and MFA re-enrollment for all accounts with permissions to access code signing or artifact management services in Azure DevOps or similar environments.
Application Whitelisting (Policy Enforcement): Do not rely solely on the "Publisher" trust.
- Action: Update AppLocker or Windows Defender Application Control (WDAC) policies to explicitly block execution of PE files from C:\Users\... directories, regardless of signature. Valid Microsoft system files do not run from user profiles.
Hunt for Persistence: The signed malware likely established persistence.
- Action: Check common persistence mechanisms (Run keys, Scheduled Tasks, Services) for commands pointing to executables in AppData or Temp.
Microsoft Advisory: Reference the official Microsoft Response Center guidance for the Fox Tempest takedown for specific IOCs related to the MSaaS infrastructure.

Related Resources

Security Arsenal Incident Response Services AlertMonitor Platform Book a SOC Assessment incident-response Intel Hub