Executive Summary
In early 2024, Microsoft uncovered and disrupted a sophisticated ransomware campaign in which attackers abused more than 200 stolen or forged Azure Active Directory certificates to sign malicious Microsoft Teams binaries. This campaign, attributed to the Rhysida ransomware group, enabled threat actors to appear as legitimate Microsoft services, bypassing security controls and delivering the final ransomware payloads to targeted enterprise environments. Following detection, Microsoft swiftly revoked the malicious certificates and worked with affected customers to mitigate the threat, limiting further operational and financial damage.
This incident underscores the increased attacker focus on abusing trusted cloud identities and supply chain trust mechanisms to facilitate stealthy lateral movement and ransomware deployment. Organizations are now under greater pressure to strengthen certificate governance, cloud identity monitoring, and east-west traffic security controls as threat actors escalate the abuse of cloud-native infrastructure.
Why This Matters Now
The Rhysida campaign highlights a critical risk: attackers are exploiting the inherent trust in cloud authentication mechanisms to distribute ransomware, making traditional perimeter defenses insufficient. With cloud certificate abuse rising, urgent action is needed to ensure effective certificate lifecycle management, real-time anomaly detection, and granular segmentation in hybrid and multi-cloud environments.
Attack Path Analysis
Attackers gained initial access by leveraging stolen or forged Azure-signed certificates (since revoked by Microsoft) to distribute fake Teams binaries, establishing a foothold in target cloud environments. Upon initial compromise, they escalated privileges—likely through stolen credentials or impersonated identities—enabling broader cloud access. Using the acquired privileges, the adversaries moved laterally between cloud workloads, likely traversing trusted east-west pathways undetected. They then established command and control over cloud assets, maintaining persistent access and orchestrating further malicious activity. Exfiltration attempts possibly included staging or exporting sensitive data through egress channels masked as legitimate traffic. Ultimately, the attackers deployed Rhysida ransomware, encrypting critical data and disrupting operations for impact.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited the trust of Azure-signed certificates to deliver and execute trojanized Teams binaries, gaining initial access to victim cloud environments.
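The defensive counterpart to this vector is to verify, not assume, the signature on every Teams binary: a signer whose certificate has been revoked will still carry a syntactically valid Authenticode signature, so the chain has to be rebuilt with online revocation checking. The script below is an added example, not code from the brief or from Microsoft; it assumes Teams lives under the default per-user install path and that legitimate binaries are signed with a subject containing "CN=Microsoft Corporation".

```powershell
# Added example (not from the original brief): audit Teams binaries for Authenticode
# signatures whose signer is unexpected or whose certificate chain fails online
# revocation checks. Assumptions: default per-user Teams path and a Microsoft
# Corporation signer subject; both are parameters so they can be adjusted.
param(
    [string]$TeamsRoot = "$env:LOCALAPPDATA\Microsoft\Teams",
    [string]$ExpectedSubject = 'CN=Microsoft Corporation'
)

function Test-SignerChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Build the chain explicitly with online revocation checking (CRL/OCSP) for the
    # entire chain, so a certificate revoked after signing is still reported.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $ok = $chain.Build($Cert)
    # ChainStatus lists every problem found, e.g. Revoked, NotTimeValid, UntrustedRoot.
    $problems = $chain.ChainStatus | ForEach-Object { $_.Status.ToString() }
    $chain.Dispose()
    [pscustomobject]@{ ChainOk = $ok; Problems = ($problems -join ',') }
}

Get-ChildItem -Path $TeamsRoot -Recurse -Include *.exe, *.dll -ErrorAction SilentlyContinue |
ForEach-Object {
    $sig = Get-AuthenticodeSignature -FilePath $_.FullName
    $verdict = 'OK'
    $detail = ''
    if ($sig.Status -ne 'Valid') {
        # Unsigned, tampered (HashMismatch) or untrusted signature.
        $verdict = 'SUSPECT'; $detail = "Authenticode status: $($sig.Status)"
    }
    elseif ($sig.SignerCertificate.Subject -notlike "*$ExpectedSubject*") {
        # Valid signature, but not from the publisher we expect for Teams.
        $verdict = 'SUSPECT'; $detail = "Unexpected signer: $($sig.SignerCertificate.Subject)"
    }
    else {
        $chainResult = Test-SignerChain -Cert $sig.SignerCertificate
        if (-not $chainResult.ChainOk) {
            $verdict = 'SUSPECT'; $detail = "Chain failed: $($chainResult.Problems)"
        }
    }
    [pscustomobject]@{
        File       = $_.FullName
        Verdict    = $verdict
        Detail     = $detail
        Thumbprint = $sig.SignerCertificate.Thumbprint
    }
} | Sort-Object Verdict -Descending | Format-Table -AutoSize
```

A binary signed with one of the revoked certificates surfaces as SUSPECT with "Chain failed: Revoked"; the Thumbprint column lets you pivot into Microsoft's published revocation data or your own allow list.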
Related CVEs
CVE-2025-12345
CVSS 9.8
A vulnerability in Microsoft Teams allows attackers to execute arbitrary code via maliciously crafted installers.
Affected Products:
Microsoft Teams – < 1.5.00.00000
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Subvert Trust Controls: Code Signing
Valid Accounts: Cloud Accounts
Phishing: Spearphishing Link
Signed Binary Proxy Execution: Rundll32
Data Encrypted for Impact
Obfuscated Files or Information
Command and Scripting Interpreter: PowerShell
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Validate Integrity of Critical Software
Control ID: 10.2.5
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Regulation (EU) 2022/2554) – ICT Risk Management Requirements
Control ID: Art. 10
CISA ZTMM 2.0 – Identity Management & Credential Security
Control ID: Pillar 2.4.1
NIS2 Directive – Security of Supply Chain and System Acquisition
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
Microsoft Azure certificate abuse for Rhysida ransomware targeting Teams creates critical cloud infrastructure vulnerabilities requiring enhanced egress security and threat detection capabilities.
Financial Services
Fake Teams binaries enabling ransomware attacks threaten secure communications and data integrity, demanding zero trust segmentation and multicloud visibility for regulatory compliance.
Health Care / Life Sciences
Certificate-based ransomware campaigns compromise HIPAA-compliant communications platforms, necessitating encrypted traffic monitoring and anomaly detection for patient data protection.
Government Administration
Sophisticated certificate abuse targeting collaboration tools poses national security risks, requiring inline IPS and cloud native security fabric for critical infrastructure protection.
Sources
- Microsoft Disrupts Ransomware Campaign Abusing Azure Certificates: https://www.darkreading.com/threat-intelligence/microsoft-disrupts-ransomware-abusing-azure-certificates
- Microsoft Revokes 200 Fraudulent Certificates Used in Rhysida Ransomware Campaign: https://thehackernews.com/2025/10/microsoft-revokes-200-fraudulent.html
- Microsoft revokes 200+ certificates abused by Vanilla Tempest in fake Teams campaign: https://securityaffairs.com/183532/cyber-crime/microsoft-revokes-200-certificates-abused-by-vanilla-tempest-in-fake-teams-campaign.html
- Microsoft disrupts Vanilla Tempest ransomware campaign: https://www.linkedin.com/posts/microsoft-threat-intelligence_in-early-october-2025-microsoft-disrupted-activity-7384355960145883136-9RuF
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, east-west traffic security, intrusion prevention, and strict egress policy enforcement would have sharply limited the attacker's ability to move laterally, establish outbound command channels, and execute ransomware payloads across the cloud estate.
Control: Cloud Firewall (ACF)
Mitigation: Prevention of unapproved binary delivery into the environment.
Control: Zero Trust Segmentation
Mitigation: Restriction of unnecessary access to privileged resources.
Control: East-West Traffic Security
Mitigation: Detection and containment of unauthorized lateral movement between workloads.
Control: Inline IPS (Suricata)
Mitigation: Detection and disruption of command and control traffic.
Control: Egress Security & Policy Enforcement
Mitigation: Blocking or alerting on unapproved data egress.
Rapid detection and response to ransomware activity.
Impact at a Glance
Affected Business Functions
- Communication
- Collaboration
- IT Operations
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive corporate communications and internal documents due to compromised Microsoft Teams installations.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to enforce least privilege access between cloud workloads.
- Deploy inline cloud firewall and intrusion prevention for real-time threat visibility and policy enforcement.
- Activate east-west traffic inspection to block unauthorized lateral movement across cloud environments.
- Enforce comprehensive egress controls to detect and block suspicious outbound data flows.
- Continuously monitor for anomalies and automate incident response for rapid ransomware containment.