
Microsoft Disrupts Vanilla Tempest Group

Microsoft said it has disrupted a financially motivated cybercriminal group known as Vanilla Tempest that used Microsoft Teams to carry out social engineering attacks against enterprise users.

The Microsoft takedown was coordinated with law enforcement partners and dismantled malicious infrastructure that the group used to feed malicious code to targeted accounts.

"In early October 2025, Microsoft disrupted a Vanilla Tempest campaign by revoking over 200 certificates that the threat actor had fraudulently signed and used in fake Teams setup files to deliver the Oyster backdoor and ultimately deploy Rhysida ransomware," said Microsoft Threat Intelligence in a statement posted to X.

Microsoft said revoking the certificates was key to neutralizing the campaign: once revoked, Windows no longer trusts binaries those certificates had previously validated, effectively cutting off the group's ability to present harmful installers as legitimate software.

Vanilla Tempest used look-alike download domains and search-engine manipulation to lure victims into downloading the fake Teams installers. Some reports also tie the activity to the delivery of backdoors and ransomware families in past attacks attributed to the same actor. Microsoft's post focused on the certificate revocations and disruption but did not identify victims or quantify the impact.

Teams in the Crosshairs
In a related Oct. 7 security blog, Microsoft sounded the alarm on how multiple threat groups have abused Teams and related APIs in social engineering and phishing campaigns. The company said the platform's trusted position inside organizations makes it a prime target for credential theft and lateral movement. And once inside, attackers have the tooling to persist and extend their malicious activity.

"Threat actors employ a variety of persistence techniques to maintain access to target systems -- even after defenders attempt to regain control," wrote Microsoft. "These methods include abusing shortcuts in the Startup folder to execute malicious tools, or exploiting accessibility features like Sticky Keys (as seen in this ransomware case study). Threat actors could try to create guest users in target tenants or add their own credentials to a Teams account to maintain access."

The blog noted that groups such as Storm-1674, Octo Tempest and Midnight Blizzard have previously used Teams-based lures, but Vanilla Tempest was the focus of this specific takedown effort.

Microsoft advised organizations to strengthen software distribution controls by validating download sources, blocking look-alike domains and enforcing allow lists for enterprise app deployment. IT departments are also urged to restrict unsigned or newly signed binaries, monitor certificate use for anomalies, and apply multifactor authentication and conditional access policies across Microsoft 365.
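The controls described above, as an added example that is not part of the article or of Microsoft's guidance: a PowerShell triage script that checks a downloaded installer's Authenticode signature, rebuilds the certificate chain with an online revocation check, and flags signer certificates that were issued only recently. The file path, the 30-day "newly signed" threshold and the expected publisher string are assumptions to adjust for your environment.

```powershell
# Added example (not from the article or Microsoft): triage a downloaded installer.
# Assumptions: $Path, the 30-day threshold and the publisher string are placeholders.
param(
    [Parameter(Mandatory)] [string] $Path,
    [int]    $MaxCertAgeDays    = 30,
    [string] $ExpectedPublisher = 'CN=Microsoft Corporation'
)

$findings = @()
$sig = Get-AuthenticodeSignature -FilePath $Path

if ($sig.Status -ne 'Valid') {
    # NotSigned, HashMismatch and NotTrusted all mean the file should not run.
    $findings += "Signature status: $($sig.Status) ($($sig.StatusMessage))"
}

$cert = $sig.SignerCertificate
if ($null -ne $cert) {
    # Rebuild the chain with an online revocation check so a certificate that has
    # since been revoked is rejected even though the signature still verifies.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    if (-not $chain.Build($cert)) {
        foreach ($s in $chain.ChainStatus) {
            $findings += "Chain problem: $($s.Status) - $($s.StatusInformation.Trim())"
        }
    }

    # A signer certificate issued only days ago is worth a second look.
    $age = (Get-Date) - $cert.NotBefore
    if ($age.TotalDays -lt $MaxCertAgeDays) {
        $findings += "Signer certificate is only $([int]$age.TotalDays) days old (NotBefore $($cert.NotBefore))"
    }

    if ($cert.Subject -notlike "*$ExpectedPublisher*") {
        $findings += "Unexpected publisher: $($cert.Subject)"
    }
}

if ($findings.Count -eq 0) {
    Write-Output "OK: $Path is signed by $($cert.Subject); chain valid, revocation checked"
} else {
    Write-Output "REVIEW: $Path"
    $findings | ForEach-Object { Write-Output "  - $_" }
}
```

Run it as `.\Check-Installer.ps1 -Path .\TeamsSetup.exe` on the downloaded file; any REVIEW line is a reason to hold the installer rather than deploy it.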

Microsoft said it continues to collaborate with industry and law enforcement partners to monitor for renewed activity and to further disrupt financially motivated groups targeting its collaboration ecosystem.

About the Author

Chris Paoli (@ChrisPaoli5) is the associate editor for Converge360.
