Cyber: Cybercrime service disrupted for abusing Microsoft platform to sign malware (2026)
Microsoft says it has disrupted a malware-signing-as-a-service (MSaaS) operation that abused the company's Artifact Signing service to generate fraudulent code-signing certificates used by ransomware gangs and other cybercriminals.

According to a report published today by Microsoft Threat Intelligence, the threat actor tracked as Fox Tempest used the Microsoft Artifact Signing platform to create short-lived certificates that allowed malware to be digitally signed and trusted as legitimate software by both users and operating systems.

Azure Artifact Signing (previously Trusted Signing) is a cloud-based service launched by Microsoft in 2024 that allows developers to easily have their programs signed by Microsoft.

Microsoft says the financially motivated threat actor created more than 1,000 certificates and hundreds of Azure tenants and subscriptions as part of the operation. Today, Microsoft also unsealed a legal case in the U.S. District Court for the Southern District of New York targeting the cybercrime operation.

"Fox Tempest has created over a thousand certificates and established hundreds of Azure tenants and subscriptions to support its operations. Microsoft has revoked over one thousand code signing certificates attributed to Fox Tempest," Microsoft said.

"In May 2026, Microsoft's Digital Crimes Unit (DCU), with support from industry partners, disrupted Fox Tempest's MSaaS offering, targeting the infrastructure and access model that enables its broader criminal use."

Microsoft says it seized the signspace[.]cloud domain used by the service, took hundreds of virtual machines tied to the operation offline, and blocked access to infrastructure hosting the cybercrime platform. The site now redirects visitors to a Microsoft-operated site that explains that the company seized the domain as part of a lawsuit against the malware-signing-as-a-service scheme.
Source: BleepingComputer