< Back to all clusters
[CRIME] · United States · 5 sources

Microsoft shuts down ransomware code-signing service and uncovers large Azure/M365 breach

Microsoft’s Digital Crimes Unit has taken down a malware code‑signing service used by ransomware groups, seizing the site signspace.cloud, revoking more than 1,000 stolen certificates and disabling hundreds of attacker‑controlled virtual machines on Azure. The operation, dubbed Fox Tempest, sold code‑signing as a service for $5,000‑$9,000, enabling criminals to mask malicious installers for tools such as AnyDesk, Teams and Putty and distribute them via SEO poisoning and malvertising.

In a separate disclosure, Microsoft Threat Intelligence detailed a campaign by the group Storm‑2949 that compromised employee identities, abused Microsoft’s self‑service password‑reset process to bypass MFA, and leveraged the hijacked accounts to infiltrate Azure subscriptions and Microsoft 365 services. The attackers exfiltrated thousands of files from OneDrive and SharePoint, targeted Azure App Services, Key Vaults and SQL databases, and sought privileged access through Azure role‑based controls. Both incidents highlight the growing modularity of cybercrime and the risks posed by compromised cloud credentials.