Threat Intel Briefing: Inside Vanilla Tempest’s Attack on Teams: How Microsoft Revoked Fake Certificates to Neutralize the Campaign

CYBERDUDEBIVASH

CERTIFICATES REVOKED
Threat Intel Briefing: Inside “Vanilla Tempest” Teams Campaign
Microsoft revoked fraudulent certificates to disrupt social engineering at scale. Social engineering via Teams plus fraudulent certificates for trust abuse; revocation cut the kill chain.

Published: 16-10-2025 • Author: CyberDudeBivash ThreatWire • Read time: 7–10 min

TL;DR for Leadership

  • What: A threat group tracked as “Vanilla Tempest” ran a Microsoft Teams social-engineering campaign using fraudulently obtained code-signing/identity certificates to boost trust and lower user suspicion.
  • So what: Users were lured to negotiate outside normal channels and run payloads that enabled credential theft, MFA fatigue bypass, and device footholds.
  • Now contained? Microsoft revoked the offending certificates and pushed service-side mitigations—this reduces but does not eliminate risk. Phishing via Teams/Slack/Email continues.
  • Business impact if exploited: account takeover, BEC, data exfiltration, and ransomware staging. MTTR rises if chat telephony & app sideloading are open.

What Happened

Operators impersonated vendors/support to initiate unsolicited Teams chats, then steered targets to open links or “support tools.” Fraudulent certificates (identity & code-signing) were used to add perceived legitimacy: some payloads were signed or hosted under names that passed casual checks. Once the lure landed, the flow moved to token theft, password harvesting, or a remote-access foothold.

Microsoft’s action: revocation of the identified certificates, back-end detections tuned, and takedowns on related infrastructure. Revocation breaks trust chains and should cause SmartScreen/Defender reputation warnings and loader failures in updated environments.

How the Attack Chain Worked

  1. Initial Access (Human-operated): unsolicited Teams message → urgency + impersonation → request to “verify access,” install “support client,” or visit a signed download.
  2. Execution: user launches a signed or LOLBin-side-loaded payload; some variants used mshta, rundll32, or “self-update” stagers.
  3. Credential/Session Theft: browser cookies, Teams tokens, or OAuth consent abuse; MFA fatigue or device-code flows pushed.
  4. Persistence & Lateral Movement: scheduled tasks, run keys, remote tools; mailbox rules & OAuth apps for BEC.

Who Is Affected

  • Any Microsoft 365 tenant with external Teams chats enabled and insufficient phishing education or conditional access guardrails.
  • Endpoints allowing unsigned driver installs or lax application control (App Control for Business/AppLocker disabled).
  • Orgs not enforcing modern auth/MFA step-up and continuous access evaluation.

Detections You Can Run Now

Microsoft 365 Defender – Suspicious Teams Initiations

// Advanced Hunting (KQL)
ChatMessageEvents
| where Platform == "MicrosoftTeams"
| where MessageDirection == "Inbound"
| where SenderFromExternalTenant == true
| where MessageSummary has_any ("support", "verification", "emergency", "payment", "invoice")
| summarize dcount(AccountUpn), make_set(SenderTenantId, 10) by bin(Timestamp, 1h), RecipientTenantId
| order by Timestamp desc

Defender for Endpoint – Signed-but-Suspicious Launch

// Signer data is not a DeviceProcessEvents column; it lives in DeviceFileCertificateInfo,
// joined here on the launched file's SHA1. Unmatched (never-seen) files are kept as unsigned.
DeviceProcessEvents
| where InitiatingProcessFileName in~ ("Teams.exe","ms-teams.exe")
| where ProcessCommandLine has_any ("mshta","rundll32","powershell","curl","bitsadmin")
| join kind=leftouter (
    DeviceFileCertificateInfo
    | distinct SHA1, Signer, IsSigned, IsTrusted, SignatureType
  ) on SHA1
// Unsigned, untrusted, or revoked-signer launches (revocation flips IsTrusted to false)
| where isnull(IsSigned) or IsSigned == false or IsTrusted == false
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, Signer, IsSigned, IsTrusted, SignatureType

Sigma-style (generic)

title: Teams Initiated LOLBin Execution
logsource:
  product: windows
  category: process_creation
detection:
  selection_parent:
    ParentImage|endswith:
      - '\Teams.exe'
      - '\ms-teams.exe'
  selection_proc:
    Image|endswith:
      - '\mshta.exe'
      - '\rundll32.exe'
      - '\powershell.exe'
  condition: selection_parent and selection_proc
level: high
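Stage 4 of the attack chain above (scheduled tasks and Run keys planted after a Teams-initiated launch) has no query in the original briefing. The following advanced hunting query is an added example, not the author's, that ties Run-key writes and schtasks creation on a device back to a Teams-spawned LOLBin within the previous hour; the table and column names are those of Microsoft Defender XDR advanced hunting, while the lookback window and the one-hour correlation window are assumed parameters to tune.

```kql
// Added example: persistence planted shortly after a Teams-spawned LOLBin (stage 4 of the chain)
let lookback = 7d;          // assumed hunting window
let window = 1h;            // assumed max gap between lure execution and persistence
// Teams (classic or new) spawning a LOLBin: the "lure" execution
let teams_children =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where InitiatingProcessFileName in~ ("Teams.exe", "ms-teams.exe")
    | where FileName in~ ("mshta.exe", "rundll32.exe", "powershell.exe")
    | project DeviceId, SpawnTime = Timestamp, LureProcess = FileName, LureCmd = ProcessCommandLine;
// Persistence via HKCU/HKLM ...\CurrentVersion\Run value writes
let run_keys =
    DeviceRegistryEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "RegistryValueSet"
    | where RegistryKey contains @"\Microsoft\Windows\CurrentVersion\Run"
    | project DeviceId, Timestamp, Persistence = strcat("RunKey: ", RegistryValueName, " = ", RegistryValueData);
// Persistence via scheduled-task creation
let sched_tasks =
    DeviceProcessEvents
    | where Timestamp > ago(lookback)
    | where FileName =~ "schtasks.exe" and ProcessCommandLine has "/create"
    | project DeviceId, Timestamp, Persistence = strcat("SchTask: ", ProcessCommandLine);
// Correlate: same device, persistence landing within `window` after the lure ran
union run_keys, sched_tasks
| join kind=inner teams_children on DeviceId
| where Timestamp between (SpawnTime .. (SpawnTime + window))
| project Timestamp, DeviceId, SpawnTime, LureProcess, LureCmd, Persistence
| order by Timestamp desc
```

Run it per-device in a Teams-phish investigation: every row is a persistence artefact that appeared within an hour of a Teams-initiated mshta/rundll32/powershell launch, which is the eradication list for that host.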

Emergency Actions (Do These Today)

  1. Block unsolicited external Teams chats or restrict to an allow-list of verified partner domains.
  2. Re-prompt MFA on risk: Conditional Access + sign-in risk policies; enable Continuous Access Evaluation.
  3. Application control: turn on App Control for Business (WDAC) or AppLocker in allow-list mode (known-good allowed, everything unknown denied by default) on admin workstations.
  4. Hunt & clean: run the queries above; remove suspicious OAuth apps, stale consent grants, and anomalous mailbox rules.
  5. SmartScreen/ASR: enforce the ASR rules “Block all Office applications from creating child processes,” the script-abuse rules (obfuscated scripts, script-launched downloaded executables), and “Block credential stealing from the Windows local security authority subsystem (lsass.exe).”
  6. Awareness push: 48-hour “Do not trust unsolicited Teams support messages” banner to staff.

Incident Response Mini-Playbook (Teams Phish)

  • Contain: disable involved accounts, revoke sessions, force password reset, invalidate refresh tokens.
  • Scope: search tenant for the sender tenant IDs and chat threads; enumerate new consented apps and mailbox rules in last 7 days.
  • Forensics: preserve browser cookie DBs, Teams cache, and DeviceProcessEvents for affected hosts.
  • Eradication: remove persistence (tasks/run-keys), uninstall rogue apps, reimage if kernel-level indicators appear.
  • Lessons Learned: tighten external chat policy; add verified supplier listing; simulate similar lures quarterly.
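Both “Hunt & clean” (emergency action 4) and the “Scope” step of the playbook call for enumerating new consented OAuth apps and mailbox rules from the last 7 days, but the briefing gives no query for it. The query below is an added example, not the author's, that pulls both from CloudAppEvents in Microsoft Defender XDR advanced hunting and flags the inbox rules whose parameters forward, redirect or delete mail (the classic BEC pattern). The ActionType strings are the Entra ID consent audit event and the Exchange inbox-rule cmdlets as surfaced in CloudAppEvents; the lookback window and the Suspicious heuristic are assumptions to adjust.

```kql
// Added example: scope OAuth consents and inbox-rule changes in the last 7 days
let lookback = 7d;   // assumed scoping window (matches the playbook's "last 7 days")
// New OAuth application consents (Entra ID audit event surfaced in CloudAppEvents)
let consents =
    CloudAppEvents
    | where Timestamp > ago(lookback)
    | where ActionType == "Consent to application."
    | project Timestamp, Finding = "OAuthConsent", Actor = AccountDisplayName, IPAddress,
              Target = ObjectName, Detail = tostring(RawEventData);
// Inbox rules created or changed via Exchange cmdlets or the Outlook client
let inbox_rules =
    CloudAppEvents
    | where Timestamp > ago(lookback)
    | where ActionType in ("New-InboxRule", "Set-InboxRule", "UpdateInboxRules")
    | project Timestamp, Finding = "InboxRule", Actor = AccountDisplayName, IPAddress,
              Target = ObjectName, Detail = tostring(RawEventData.Parameters);
union consents, inbox_rules
// Every consent is worth a look; inbox rules are flagged when they exfiltrate or hide mail
| extend Suspicious = Finding == "OAuthConsent"
    or Detail has_any ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "DeleteMessage", "MoveToFolder")
| order by Suspicious desc, Timestamp desc
```

Triage the OAuthConsent rows by inspecting Detail for the granted permission scopes and the consenting user, and revoke grants you cannot attribute; InboxRule rows with Suspicious == true map directly to the playbook's contain and eradicate steps for the affected mailbox.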

Stay Ahead of Adversaries

Get our rapid-fire threat briefs (US/EU/UK/AU/IN) the moment campaigns evolve. Subscribe on LinkedIn.

Editor’s Picks — vetted tools for blue teams

  • Kaspersky Security — endpoint hardening against trojans & RATs.
  • TurboVPN — safe split-tunnel for remote investigations.
  • Rewardful — programmatic referral tracking for security tools business units.

Disclosure: We may earn commissions from some links. We recommend only what we use or test.

Tags: #CYBERDUDEBIVASH #ThreatIntel #VanillaTempest #MicrosoftTeams #CertificateRevocation #SocialEngineering #BEC #OAuthAbuse #MFAFatigue #US #EU #UK #AU #IN