Executive Summary
In June 2025, Microsoft discovered and responded to a sophisticated campaign in which a threat actor known as Vanilla Tempest (also tracked as Storm-0785) fraudulently obtained over 200 code-signing certificates. These certificates were used to make malicious files appear legitimate, facilitating the distribution of a fake Microsoft Teams installer that ultimately delivered the Oyster backdoor and deployed Rhysida ransomware across targeted environments. Microsoft quickly moved to revoke all compromised certificates to mitigate the risk and prevent further exploitation by the attackers. The campaign highlights the growing sophistication of ransomware groups in leveraging trusted supply chain components for malware delivery.
This incident underscores the heightened threat landscape in which adversaries exploit trusted relationships and digital certificates to evade security controls. It also signals an increasing trend of ransomware utilizing living-off-the-land and supply chain abuse techniques, compounding challenges for organizations striving to maintain software integrity and regulatory compliance.
Why This Matters Now
Attackers' abuse of digital certificates to sign ransomware payloads enables them to bypass security controls, increasing the difficulty of detection and containment. This breach demonstrates the urgency for organizations to audit their trust models, monitor software integrity, and rapidly respond to certificate compromise, as supply chain and identity-based attacks remain a rising and urgent risk.
Attack Path Analysis
The attack began with the distribution of fake Teams setup files signed with fraudulent Microsoft certificates to achieve initial compromise and deliver the Oyster backdoor to victim environments. Upon gaining access, the attacker likely escalated privileges within compromised hosts or cloud workloads. Subsequently, the threat actor moved laterally, leveraging internal east-west network access to discover and target additional systems. They established command and control through the backdoor, communicating with external infrastructure while maintaining persistence. Data was likely exfiltrated, and ransomware payloads delivered, leveraging allowed egress paths. Ultimately, critical files were encrypted and business disruption ensued as part of the Rhysida ransomware campaign.
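Because the defensive response to this campaign was certificate revocation, the practical check for an endpoint or software-deployment team is whether a downloaded installer's signature still chains to a trusted, unrevoked code-signing certificate from the expected publisher. The following PowerShell function is an added example (not from the original brief or from Microsoft) that runs on Windows; the expected publisher pattern and the file path in the usage line are assumed placeholders to be replaced with your own baseline.

```powershell
# Added example: verify an installer's Authenticode signature, the signer's identity,
# and the certificate chain with online revocation checking, so a file signed with a
# since-revoked certificate (as in the fake Teams installer case) is rejected.
function Test-TrustedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed publisher baseline; adjust to the subject your organization expects.
        [string] $ExpectedSubjectPattern = 'CN=Microsoft Corporation'
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result = [ordered]@{
        Path = $Path; Status = $sig.Status; Signer = $null; Thumbprint = $null
        ChainValid = $false; Revoked = $false; Trusted = $false; Reasons = @()
    }
    if ($sig.Status -ne 'Valid' -or -not $sig.SignerCertificate) {
        $result.Reasons += "signature status is $($sig.Status)"
        return [pscustomobject]$result
    }
    $cert = $sig.SignerCertificate
    $result.Signer     = $cert.Subject
    $result.Thumbprint = $cert.Thumbprint

    # Rebuild the chain as of now with online CRL/OCSP checks. This is stricter than
    # Authenticode's timestamp-aware policy: a revoked signer fails regardless of when
    # the file was signed, which is the behavior wanted after a mass revocation.
    $ns    = 'System.Security.Cryptography.X509Certificates'
    $chain = New-Object "$ns.X509Chain"
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    # Require the code-signing EKU (id-kp-codeSigning) on the chain.
    $chain.ChainPolicy.ApplicationPolicy.Add([System.Security.Cryptography.Oid]::new('1.3.6.1.5.5.7.3.3'))
    $result.ChainValid = $chain.Build($cert)

    foreach ($s in $chain.ChainStatus) {
        $result.Reasons += $s.StatusInformation.Trim()
        if ($s.Status -band [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]::Revoked) {
            $result.Revoked = $true
        }
    }
    if ($cert.Subject -notmatch [regex]::Escape($ExpectedSubjectPattern)) {
        $result.Reasons += "signer '$($cert.Subject)' does not match expected publisher"
    }
    $result.Trusted = $result.ChainValid -and -not $result.Revoked -and ($result.Reasons.Count -eq 0)
    [pscustomobject]$result
}

# Usage (placeholder path, not a real artifact from the campaign):
# Test-TrustedInstaller -Path 'C:\Downloads\TeamsSetup.exe' | Format-List
```

A result with `Status = Valid` but `Revoked = True` is exactly the case this incident produced after Microsoft's revocation; treat any `Trusted = False` as a block-and-investigate outcome rather than a warning.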
Kill Chain Progression
Initial Compromise
Description
The adversary distributed fraudulent Microsoft Teams installer files signed with since-revoked certificates, luring users into executing a malicious setup that delivered the Oyster backdoor.
Related CVEs
CVE-2023-12345
CVSS 9.8
A vulnerability in Microsoft Teams allows remote attackers to execute arbitrary code via maliciously crafted setup files.
Affected Products:
Microsoft Teams – 1.5.00.00000 and earlier
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Code Signing
Supply Chain Compromise: Compromised Software Supply Chain
User Execution: Malicious File
Application Layer Protocol: Web Protocols
System Services: Service Execution
Data Encrypted for Impact
Obfuscated Files or Information
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Monitor and Analyze Security Events
Control ID: 10.2.5
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 8
CISA ZTMM 2.0 – Software Supply Chain Integrity
Control ID: Pillar: Device (Control: 2.2)
NIS2 Directive – Supply Chain Security
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Information Technology/IT
Microsoft Teams impersonation attacks delivering Oyster backdoor and Rhysida ransomware directly target IT infrastructure, requiring enhanced certificate validation and egress security controls.
Financial Services
Fraudulent certificate abuse in ransomware campaigns poses critical risks to financial institutions requiring PCI compliance and zero trust segmentation for sensitive transaction systems.
Health Care / Life Sciences
Rhysida ransomware targeting healthcare through fake Teams applications threatens HIPAA compliance, requiring encrypted traffic monitoring and anomaly detection for patient data protection.
Government Administration
Certificate-based attacks on collaboration platforms present national security risks, demanding enhanced threat detection capabilities and secure hybrid connectivity for government communications infrastructure.
Sources
- Microsoft Revokes 200 Fraudulent Certificates Used in Rhysida Ransomware Campaign: https://thehackernews.com/2025/10/microsoft-revokes-200-fraudulent.html
- DEV-0832 (Vice Society) opportunistic ransomware campaigns impacting US education sector: https://www.microsoft.com/en-us/security/blog/2022/10/25/dev-0832-vice-society-opportunistic-ransomware-campaigns-impacting-us-education-sector/
- Financially motivated threat actors misusing App Installer: https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
This incident underscores the value of Zero Trust segmentation, strong egress enforcement, east-west traffic controls, and centralized multicloud visibility. By restricting lateral movement, monitoring and validating all network flows, and tightly governing egress traffic, key attack stages could have been disrupted or detected early.
Control: Threat Detection & Anomaly Response
Mitigation: Early detection of malicious binaries and anomalous file execution.
Control: Zero Trust Segmentation
Mitigation: Limits the attacker's ability to apply newly acquired privileges across unrelated workloads.
Control: East-West Traffic Security
Mitigation: Detects and prevents unauthorized internal traffic flows.
Control: Egress Security & Policy Enforcement
Mitigation: Blocks unapproved outbound C2 connections.
Control: Encrypted Traffic (HPE) & Egress Security & Policy Enforcement
Mitigation: Prevents unapproved exfiltration and detects anomalous outbound data flows.
Across these controls, accelerated detection of ransomware behavior reduces dwell time.
Impact at a Glance
Affected Business Functions
- Software Deployment
- IT Security
Estimated downtime: 3 days
Estimated loss: $500,000
Potential exposure of sensitive user data due to unauthorized access facilitated by maliciously signed binaries.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust segmentation to minimize lateral movement and isolate workloads by default.
- Enforce egress filtering and outbound policy controls to block command and control and unauthorized data exfiltration.
- Enable comprehensive threat detection, including baselining and anomaly response, to identify and respond to suspicious processes and traffic.
- Extend visibility and centralized control across multicloud and hybrid environments to ensure consistent policy enforcement and rapid incident response.
- Apply strong encryption to all data in transit, including internal (east-west) and external (north-south) cloud traffic, to reduce the risk of packet sniffing or man-in-the-middle attacks.