Microsoft last week disclosed that it revoked more than 200 certificates used by a threat actor in a sophisticated campaign targeting Teams users.
The action targeted a campaign by a financially motivated threat actor that the company has been tracking closely. The actor, tracked as Vanilla Tempest and formerly known as Storm-0832, is a cybercriminal operation active since at least July 2022.
Microsoft’s move specifically targets the latest malicious campaign affecting Teams, which began in September. It plants an Oyster backdoor through a counterfeit installer package designed to mimic legitimate Microsoft software and then loads Rhysida ransomware.
Certificate Revocation and the Attack Method Behind It
Microsoft’s security teams identified the malicious campaign in early October, after discovering a cluster of domains masquerading as official Teams download portals.
These fraudulent sites exploited search engine optimization poisoning and malvertising to intercept users actively seeking legitimate Teams downloads.
Key malicious domains identified in the campaign included teams-download[.]buzz, teams-install[.]run, and teams-download[.]top, each carefully crafted to appear legitimate at first glance.
When victims executed the fake MSTeamsSetup.exe installer from these fraudulent sites, it deployed a malicious DLL file to a location commonly used by legitimate applications and, therefore, less likely to trigger security alerts.
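As a defender-side illustration added here (not code from Microsoft or from the article), the following Python flags web-proxy requests that fetch an MSTeamsSetup.exe from a host outside an assumed Microsoft allowlist, or that touch the lookalike domains the article names. The log format, the allowlisted domain suffixes and the sample log lines are constructed assumptions, not data from the campaign.

```python
import re
from urllib.parse import urlparse

# Lookalike hosts named in the article (written there defanged, e.g. teams-download[.]buzz).
KNOWN_LOOKALIKE_HOSTS = {"teams-download.buzz", "teams-install.run", "teams-download.top"}

# Assumption: genuine Teams installers are only served from Microsoft-owned domains.
TRUSTED_SUFFIXES = (".microsoft.com", ".office.com", ".office.net")

INSTALLER_NAME = "msteamssetup.exe"

# Constructed proxy log lines: "<timestamp> <client_ip> <method> <url> <status>".
SAMPLE_LOG = """\
2025-10-02T09:14:03Z 10.1.4.22 GET https://teams-download.buzz/MSTeamsSetup.exe 200
2025-10-02T09:15:11Z 10.1.4.23 GET https://download.microsoft.com/MSTeamsSetup.exe 200
2025-10-02T09:16:40Z 10.1.4.24 GET https://teams-setup.example/get/MSTeamsSetup.exe 200
2025-10-02T09:17:02Z 10.1.4.25 GET https://www.example.com/index.html 200
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d{3})$")


def host_of(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def is_trusted_host(host: str) -> bool:
    # Accept the bare allowlisted domain or any subdomain of it.
    return host.endswith(TRUSTED_SUFFIXES) or any(host == s[1:] for s in TRUSTED_SUFFIXES)


def classify(url: str) -> str:
    host = host_of(url)
    file_name = urlparse(url).path.rsplit("/", 1)[-1].lower()
    if host in KNOWN_LOOKALIKE_HOSTS:
        return "known_lookalike"
    if file_name == INSTALLER_NAME and not is_trusted_host(host):
        return "installer_from_untrusted_host"
    return "ok"


def find_suspicious_downloads(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client_ip, host, verdict) for every request that is not 'ok'."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        verdict = classify(m["url"])
        if verdict != "ok":
            hits.append((m["client"], host_of(m["url"]), verdict))
    return hits
```

The host allowlist is the part to adapt: any CDN or internal mirror that legitimately serves the installer must be added to it, or those downloads will be flagged.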
The threat actor’s certificate abuse tactics involved using fraudulent code-signing via Trusted Signing and misusing SSL.com, DigiCert, and GlobalSign code signing services. They also rapidly deployed signed binaries to avoid revocation windows.
This kept the Oyster backdoor operational across system reboots while maintaining a low profile designed to evade detection.
The malware functions as a persistent access mechanism, granting attackers substantial control over infected systems, including the ability to execute arbitrary commands, deploy additional payloads such as Rhysida ransomware, and facilitate file transfers between compromised devices and attacker-controlled infrastructure.
The certificate revocation invalidated over 200 keys the attacker had used across fake setup files and post-compromise tools.
Additionally, the company updated its Microsoft Defender Antivirus to flag the counterfeit installers, Oyster backdoor, and Rhysida ransomware payload.
Microsoft’s Broader Focus on Teams Security
This certificate revocation action fits within a larger pattern of Microsoft taking increased interest in protecting Teams as the platform faces mounting threat activity.
The company recently issued comprehensive security guidance specifically for Teams, detailing how attackers abuse the platform’s core features—including chat, meetings, voice and video calls, screen sharing, and app integrations—to compromise corporate networks, establish persistence, and exfiltrate sensitive data.
What makes this guidance significant is its source. Warnings about vulnerabilities in widely deployed collaboration platforms typically come from third-party security researchers; Microsoft proactively publishing this material reflects a recognition that Teams faces elevated threat activity requiring direct vendor intervention.
Microsoft’s decision to act on this specific campaign seemingly reflects the impact it has had, or could have. The Teams security landscape will likely continue to attract sophisticated threat actors as the platform becomes ever more mission-critical.
However, Microsoft’s actions here suggest the company may now be taking a more aggressive approach to Teams threats.