News • October 24, 2025 • 3 min read

Microsoft Cracks Down on 200+ Fake Certificates Behind Teams Malware Attack

Jegan Selvaraj
Founder & CEO, Infisign

On Thursday, 16 October 2025, Microsoft Threat Intelligence confirmed that it had revoked more than 200 code-signing certificates. A threat actor had been using these fraudulently obtained certificates to sign malware so that it looked like a genuine Microsoft Teams installer.

Microsoft attributed the campaign to a group it tracks as Vanilla Tempest, also known as Vice Spider and Vice Society. The actor is financially motivated: its goal is to deploy ransomware and steal data in order to extort payment.

According to Microsoft, the signed fake installers dropped a backdoor known as Oyster. That backdoor gave the attackers their initial foothold, from which the intrusion was set up to deploy ransomware, including the well-known Rhysida family.

The fact that attackers could obtain valid code-signing certificates raises serious questions about the trust infrastructure that is supposed to vouch for software.

What Does This Breach Mean for Tech Companies?

Unfortunately, this incident is only the latest step in a long-running campaign by a highly active threat actor. Vanilla Tempest has been operating since at least 2021.

It points to a structural weakness. Attackers are no longer going after users alone; they are going after the supply chain of trust itself, and that is worrying for any business that has to rely on these platforms.

The group has a history of targeting critical sectors. Security researchers linked Vanilla Tempest to a series of attacks on the US healthcare sector in 2023, and since 2022 the group has run multiple ransomware campaigns.

Those campaigns have used BlackCat, Quantum Locker, and Zeppelin. This range of tooling suggests a well-resourced actor and a threat that is not going away for companies worldwide.

Who are Vanilla Tempest?

Vanilla Tempest is a financially motivated hacking collective known for breaking into large organisations to deploy ransomware and steal data. As Microsoft laid out, its playbook combines social engineering with technical exploitation.

Attack Methods Used By Vanilla Tempest:

  • Luring Victims: To begin with, the group uses SEO poisoning and malvertising to reach users who are searching for legitimate software, such as a Teams download.
  • Spoofed Websites: Next, the goal is to lure employees to malicious sites that impersonate Microsoft, using domains like teams-download.buzz or teams-install.run, and to deceive them into downloading a fraudulent installer.
  • Abusing Trust: Finally, to make the malware pass as the real thing, the group signed it with fraudulently obtained code-signing certificates. The certificates came from SSL.com, DigiCert, and GlobalSign, and the group also abused Microsoft's own Trusted Signing service.
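The practical lesson from the third bullet is that "the file is signed" is not a sufficient check: a fraudulently obtained certificate is a genuine, CA-issued certificate and validates normally until it is revoked, but it is issued to whatever identity the attacker registered, not to Microsoft. The following PowerShell function is an added example (it is not code from this article, from Infisign, or from Microsoft) showing the check a practitioner would run on a downloaded installer before executing it. The download path in the usage line is hypothetical, and the expected subject component O=Microsoft Corporation is an assumption based on how Microsoft signs its own binaries.

```powershell
# Added example, not code from the article, Infisign, or Microsoft.
# Verifies a downloaded installer in three steps:
#   1. Authenticode status must be Valid (unsigned, tampered, or already-revoked files fail here).
#   2. The signer's Organization must be the vendor you expect. A fraudulently obtained
#      certificate passes step 1 until revoked, but carries the attacker's registered identity.
#   3. Re-check revocation online instead of trusting a cached CRL.
# Assumptions: the default Organization value and the path in the usage line are hypothetical.

function Test-TeamsInstallerSignature {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedOrg = 'O=Microsoft Corporation'
    )

    $sig = Get-AuthenticodeSignature -FilePath $Path

    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{
            Path    = $Path
            Verdict = 'REJECT'
            Reason  = "Authenticode status $($sig.Status): $($sig.StatusMessage)"
        }
    }

    # Compare the Organization RDN exactly. A substring match would accept
    # look-alike subjects such as 'O=Microsoft Corporation Services Ltd'.
    $subject = $sig.SignerCertificate.Subject
    $rdns = $subject -split ',\s*'
    if ($rdns -notcontains $ExpectedOrg) {
        return [pscustomobject]@{
            Path    = $Path
            Verdict = 'REJECT'
            Reason  = "Signer subject '$subject' does not contain $ExpectedOrg"
        }
    }

    # Online revocation check on the signer's chain. Only Revoked is fatal here:
    # a timestamped signature on an older binary can report NotTimeValid at the
    # current time even though the Authenticode result above already accounts for it.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    [void] $chain.Build($sig.SignerCertificate)

    $flags   = [System.Security.Cryptography.X509Certificates.X509ChainStatusFlags]
    $revoked = $chain.ChainStatus | Where-Object { $_.Status.HasFlag($flags::Revoked) }
    $unknown = $chain.ChainStatus | Where-Object {
        $_.Status.HasFlag($flags::RevocationStatusUnknown) -or $_.Status.HasFlag($flags::OfflineRevocation)
    }

    if ($revoked) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'REJECT'; Reason = 'Signing certificate has been revoked' }
    }
    if ($unknown) {
        return [pscustomobject]@{ Path = $Path; Verdict = 'REVIEW'; Reason = 'Revocation status could not be confirmed (offline or CRL/OCSP unreachable)' }
    }

    return [pscustomobject]@{ Path = $Path; Verdict = 'ACCEPT'; Reason = "Signed by '$subject'; chain and revocation OK" }
}

# Usage (hypothetical download path):
Test-TeamsInstallerSignature -Path "$env:USERPROFILE\Downloads\MSTeamsSetup.exe" | Format-List
```

Run this in Windows PowerShell or PowerShell 7 on the machine that downloaded the file. Step 3 needs network access to the CA's CRL or OCSP endpoints; a REVIEW verdict means the status could not be fetched and the file should not be run until it can be. Note that revocation only helps after the CA or Microsoft has acted, which is why the signer identity check in step 2 is the one that would have flagged these installers on the day they were served.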

How to Prevent These Kinds of Attacks?

The Vanilla Tempest campaign succeeded because employees were tricked. They were lured to fake websites, downloaded installers that looked legitimate, and ran them, and that gave the attackers their way in.

This shows why you need to control who can access what. Even good technical defences can be bypassed when a user is deceived into running something.

You need a better way to verify that users are who they claim to be and to limit what they are allowed to do. No system is ever completely safe.

With software like Infisign, you can set up a strong identity and access control system.

  • The software builds on a Zero Trust authentication model. It never trusts a request just because it comes from inside the network; it always verifies identity. It uses adaptive MFA, which asks for extra proof when a sign-in looks anomalous, so a tricked user is less likely to hand over access by mistake.
  • In addition, putting a Privileged Access Management (PAM) system in place ensures that only a small set of privileged accounts can reach the most sensitive systems and install software. This creates layered defences: even if a regular user is tricked, the malware runs without the privileges it would need to take over the system.

Ready to look after your company's access? Get in touch with the team at Infisign for a free trial.


Jegan Selvaraj is a serial tech-entrepreneur with two decades of experience driving innovation and transforming businesses through impactful solutions. With a solid foundation in technology and a passion for advancing digital security, he leads Infisign's mission to empower businesses with secure and efficient digital transformation. His commitment to leveraging advanced technologies ensures enterprises and startups stay ahead in a rapidly evolving digital landscape.
