Executive Summary
In October 2025, Microsoft disrupted a ransomware campaign run by the threat group Vanilla Tempest (also tracked as Vice Society and VICE SPIDER) that targeted Microsoft Teams users. The attackers used malvertising and SEO poisoning to push websites impersonating the official Teams download page, tricking users into downloading and running malicious installers. The fake installers delivered the Oyster backdoor, which gave the attackers remote access for command execution and data theft and a foothold from which to deploy Rhysida ransomware. Microsoft responded by revoking more than 200 code-signing certificates that had been abused to sign the malicious payloads, which hampered the campaign.
This attack underscores the growing risk of impersonated application installers (often loosely described as a supply-chain attack, although Microsoft's own distribution channel was not compromised) combined with increasingly polished social engineering. Ransomware-as-a-service operators shipping validly signed malware show why a signature alone cannot be the trust decision: organizations need identity-driven defenses, monitoring of code-signing certificate abuse and revocation, and robust endpoint controls.
Why This Matters Now
Ransomware actors are escalating social engineering and installer-impersonation tactics, exploiting users' trust in familiar software by delivering signed malware. As collaboration tools such as Teams become critical infrastructure, their abuse for initial access makes controls over application distribution and certificate trust increasingly urgent.
Attack Path Analysis
Vanilla Tempest gained initial access by delivering fake Microsoft Teams installers through malvertising and SEO poisoning; when a user ran the installer, it deployed the Oyster backdoor. Once running, the backdoor established persistence under the privileges of the infected user (possibly also collecting credentials from the host). With that foothold, the attackers moved laterally through the targeted network toward sensitive systems and data. Oyster maintained encrypted command-and-control communications, giving the attackers ongoing access and a channel for delivering additional payloads. Files and sensitive data were then exfiltrated over outbound channels. Finally, Rhysida ransomware was deployed, encrypting data and disrupting operations for extortion.
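The practical lesson of this campaign is that a signature from an abused but not-yet-revoked code-signing certificate validates like any other. The PowerShell function below is an added example, not Microsoft's code and not taken from the sources cited on this page; it checks a downloaded installer the way a plain "is it signed?" test does not: cryptographic validity, pinned publisher identity, an online revocation check, and an optional known-good hash list. The file path, the expected publisher subject, and the hash list are placeholder assumptions you would adapt to your environment.

```powershell
# Added example (not from Microsoft or this page). Assumptions: the file path, the
# expected publisher subject string and the known-good hash list are placeholders.

function Test-TrustedInstaller {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumption: the signer subject you expect on a genuine installer from this vendor.
        [string] $ExpectedPublisher = 'CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US',
        # Assumption: SHA-256 hashes of installers you have already vetted (empty = skip step 4).
        [string[]] $KnownGoodSha256 = @()
    )

    $result = [ordered]@{ Path = $Path; Verdict = 'REJECT'; Reasons = @() }

    if (-not (Test-Path -LiteralPath $Path)) {
        $result.Reasons += 'file not found'
        return [pscustomobject]$result
    }

    # 1. Is the Authenticode signature cryptographically valid and chained to a trusted root?
    $sig = Get-AuthenticodeSignature -LiteralPath $Path
    if ($sig.Status -ne 'Valid') {
        $result.Reasons += "signature status: $($sig.Status) ($($sig.StatusMessage))"
        return [pscustomobject]$result
    }

    # 2. A valid signature from the WRONG publisher is exactly what this campaign relied on:
    #    any code-signing certificate passes step 1, so pin the signer identity.
    $signer = $sig.SignerCertificate
    if ($signer.Subject -ne $ExpectedPublisher) {
        $result.Reasons += "unexpected signer: $($signer.Subject)"
    }

    # 3. Re-check revocation online for the whole chain. Microsoft's response to this
    #    campaign was to revoke the abused certificates, so a fresh CRL/OCSP lookup is the
    #    check that actually catches a payload that was signed before revocation.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $chain.ChainPolicy.VerificationFlags   = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag
    if (-not $chain.Build($signer)) {
        # Fail closed: a chain that cannot be built (including "unable to reach CRL") is a reject.
        $statuses = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $result.Reasons += "chain build failed: $statuses"
    }

    # 4. Optional allow-list of vetted hashes: defense in depth that does not depend on PKI at all.
    if ($KnownGoodSha256.Count -gt 0) {
        $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        if ($KnownGoodSha256 -notcontains $hash) {
            $result.Reasons += "hash $hash not in known-good list"
        }
    }

    if ($result.Reasons.Count -eq 0) { $result.Verdict = 'ALLOW' }
    return [pscustomobject]$result
}

# Usage (the path is a placeholder for a file you downloaded):
# Test-TrustedInstaller -Path "$env:USERPROFILE\Downloads\MSTeamsSetup.exe" | Format-List
```

Step 3 needs outbound CRL/OCSP access; if that is blocked the chain build fails and the installer is rejected, which is the behaviour you want for anything that will run with the user's privileges. Step 2 is what stops a payload signed with some other vendor's perfectly valid certificate from passing.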
Kill Chain Progression
Initial Compromise
Description
Users were lured by malicious ads and poisoned search results to lookalike download sites, where they downloaded and ran a fake Teams installer that deployed the Oyster backdoor.
Related CVEs
CVE-2020-1472 (Zerologon)
CVSS 10.0. An elevation-of-privilege vulnerability in Microsoft's Netlogon Remote Protocol (MS-NRPC) that lets an unauthenticated attacker with network access to a domain controller establish a vulnerable Netlogon secure channel and effectively obtain domain administrator privileges. It plays no part in the initial compromise described above; it is listed because the CISA/FBI/MS-ISAC Rhysida advisory cited under Sources names Zerologon among the techniques Rhysida actors have used for privilege escalation after gaining a foothold.
Affected Products:
Microsoft Windows Server – 2008 R2, 2012, 2012 R2, 2016, 2019
Exploit Status:
Exploited in the wild
MITRE ATT&CK® Techniques
Phishing: Spearphishing via Service (T1566.003)
Acquire Infrastructure: Malvertising (T1583.008)
Stage Capabilities: SEO Poisoning (T1608.006)
User Execution: Malicious File (T1204.002)
Supply Chain Compromise: Compromise Software Supply Chain (T1195.002)
Obfuscated Files or Information (T1027)
Valid Accounts (T1078)
System Services: Service Execution (T1569.002)
Data Encrypted for Impact (T1486)
Exfiltration Over C2 Channel (T1041)
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS v4.0 – Protect All Systems and Networks from Malicious Software
Control ID: 5.2.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA (Digital Operational Resilience Act) – Protection and Prevention
Control ID: Article 9
CISA Zero Trust Maturity Model (ZTMM 2.0) – User authentication, least privilege, and verified software
Control ID: Identity Pillar – Authentication & Access Control
NIS2 Directive – Technical and Organizational Measures
Control ID: Article 21(2)
ISO/IEC 27001:2022 – Monitoring activities
Control ID: A.8.16
Sector Implications
Industry-specific impact of the campaign, including operational, regulatory, and cloud security risks.
Higher Education / Academia
Critical exposure to Rhysida ransomware via fake Teams installers; Vanilla Tempest has historically targeted the education sector disproportionately, with significant operational disruption.
Health Care / Life Sciences
High ransomware exposure through fake Teams installers run by clinical and administrative staff, requiring egress controls and inspection of encrypted outbound traffic to protect HIPAA-regulated data.
Information Technology / IT
Primary target for malvertising campaigns impersonating IT tools, with lateral-movement risk into client environments that calls for zero trust segmentation.
Financial Services
Substantial threat from validly signed malware that passes signature-based controls, requiring multicloud visibility and threat detection to maintain regulatory compliance.
Sources
- Microsoft disrupts ransomware attacks targeting Teams users – https://www.bleepingcomputer.com/news/microsoft/microsoft-disrupts-ransomware-attacks-targeting-teams-users/
- CISA, FBI, and MS-ISAC Release Advisory on Rhysida Ransomware – https://www.cisa.gov/news-events/alerts/2023/11/15/cisa-fbi-and-ms-isac-release-advisory-rhysida-ransomware
- Microsoft revokes 200+ certificates abused by Vanilla Tempest in fake Teams campaign – https://securityaffairs.com/183532/cyber-crime/microsoft-revokes-200-certificates-abused-by-vanilla-tempest-in-fake-teams-campaign.html
- New Ransomware Threat: Rhysida Group Targets Hospitals, Puts Patient Safety at Risk – https://www.aha.org/advisory/2023-11-15-new-ransomware-threat-rhysida-group-targets-hospitals-puts-patient-safety-risk
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Consistent application of Zero Trust segmentation, east-west traffic security, threat detection, egress filtering, and multicloud visibility could have significantly constrained this attack by isolating workloads, detecting anomalous behavior, and blocking both data exfiltration and command-and-control traffic.
Control: Cloud Firewall (ACF)
Mitigation: Blocks downloads from known malicious or untrusted domains and filters suspicious internet traffic.
Control: Multicloud Visibility & Control
Mitigation: Enables detection of unusual privilege usage through unified logging and traffic analysis.
Control: Zero Trust Segmentation
Mitigation: Prevents malware from accessing unauthorized internal workloads by enforcing least-privilege segmentation.
Control: Inline IPS (Suricata)
Mitigation: Identifies and blocks known C2 protocol signatures and suspicious communication patterns.
Control: Egress Security & Policy Enforcement
Mitigation: Policy-based controls prevent unauthorized data flows and block exfiltration attempts via disallowed destinations.
Mitigation: Detects rapid encryption, access anomalies, or destructive actions and triggers automated response.
Impact at a Glance
Affected Business Functions
- Patient Records Management
- Appointment Scheduling
- Billing Systems
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive patient information, including medical records and personal identifiers, creating risks of identity theft and regulatory penalties.
Recommended Actions
Key Takeaways & Next Steps
- Deploy zero trust segmentation and microsegmentation to limit lateral movement and enforce least-privilege access between workloads.
- Implement comprehensive egress filtering and DNS/FQDN controls to block access to malicious sites and prevent data exfiltration.
- Integrate inline IPS and real-time anomaly detection to identify and halt malware command and control and ransomware behaviors early.
- Centralize multicloud visibility and monitoring to rapidly detect privilege escalations, anomalous flows, and unauthorized access attempts.
- Regularly update firewall rules and threat intelligence feeds to cover emerging ransomware IOCs and attacker infrastructure.
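The egress-filtering and DNS/FQDN recommendation above can be turned into a concrete detection for this campaign's initial-access step: an executable whose name imitates the Teams installer, fetched from a host that is not one of the download hosts you allow. The PowerShell below is an added example, not the page's or any vendor product's logic; the proxy log field layout, the sample log lines, the lure domains, and the allow-listed Microsoft hosts are all constructed assumptions for illustration.

```powershell
# Added example (not from this page or any product). The log lines are constructed, and the
# allow-list, lure domains and field layout are assumptions to adapt to your egress logs.

# Assumption: hosts from which you expect genuine Teams installers to be fetched.
$AllowedTeamsHosts = @('teams.microsoft.com', 'statics.teams.cdn.office.net', 'go.microsoft.com')

# Assumption: file names a lure site would mimic (PowerShell -match is case-insensitive).
$InstallerPattern = '^(ms)?teams[-_]?(setup|installer|bootstrapper)?.*\.(exe|msi|msix|msixbundle)$'

function Find-SuspiciousInstallerDownloads {
    param([string[]] $LogLines)

    foreach ($line in $LogLines) {
        # Constructed log shape: <timestamp> <src-ip> <action> <url> <http-status> <bytes>
        $parts = $line -split '\s+'
        if ($parts.Count -lt 6) { continue }
        $ts, $src, $action, $url, $status, $bytes = $parts[0..5]

        # Only completed (2xx) fetches matter here; blocked requests were already handled upstream.
        if ($action -ne 'ALLOWED' -or $status -notmatch '^2') { continue }

        try { $uri = [uri]$url } catch { continue }
        $fileName = [System.IO.Path]::GetFileName($uri.AbsolutePath)
        if ($fileName -notmatch $InstallerPattern) { continue }

        # Compare the parsed host, never the raw URL string: a lure such as
        # "teams.microsoft.com.example-lure.net" contains the genuine name but is a different host.
        $hostOk = $AllowedTeamsHosts -contains $uri.Host.ToLowerInvariant()
        if (-not $hostOk) {
            [pscustomobject]@{
                Time   = $ts
                Source = $src
                Host   = $uri.Host
                File   = $fileName
                Reason = 'installer-lookalike download from non-allow-listed host'
            }
        }
    }
}

# Constructed sample lines (not real traffic): one genuine fetch, two lures, one unrelated page.
$sample = @(
  '2025-10-14T09:12:01Z 10.20.1.15 ALLOWED https://statics.teams.cdn.office.net/production-windows-x64/MSTeamsSetup.exe 200 9841324'
  '2025-10-14T09:13:44Z 10.20.1.22 ALLOWED https://teams-download.example-lure.net/MSTeamsSetup.exe 200 7720011'
  '2025-10-14T09:15:09Z 10.20.1.22 ALLOWED https://teams.microsoft.com.example-lure.net/download/TeamsInstaller.msix 200 6551203'
  '2025-10-14T09:16:30Z 10.20.1.31 ALLOWED https://www.example.org/index.html 200 5123'
)

# Expected: the two example-lure.net fetches are reported; the CDN fetch and the HTML page are not.
Find-SuspiciousInstallerDownloads -LogLines $sample | Format-Table -AutoSize
```

The same host-versus-allow-list comparison is what an egress policy should enforce inline; running it over logs as shown is the retrospective check for endpoints that downloaded an installer before the policy existed, and the source IPs it returns are the hosts to triage for Oyster.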