Microsoft Blocks Ransomware Attacks Aimed at Teams Users » TechWorm

by CybrGPT

Microsoft disrupted a series of Rhysida ransomware attacks in early October by revoking over 200 certificates linked to malicious Teams installers.

The attacks were orchestrated by the Vanilla Tempest group, which used deceptive domains like teams-install[.]top and teams-download[.]buzz to deliver fake MSTeamsSetup.exe files, infecting victims with the Oyster backdoor.

Fake Teams Download

This activity was part of a malvertising campaign in late September, leveraging search ads and SEO poisoning to spread counterfeit Teams installers carrying Oyster malware (also known as Broomstick and CleanUpLoader).
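As an added illustration (not code from the article, from Microsoft or from TechWorm), the Python script below shows the kind of check a defender can run over web-proxy logs after reading about this campaign: it flags any request that fetches a file named like the Teams installer from a host outside an assumed Microsoft allowlist, and any request to a hostname containing "teams" that is not on that list. The log lines, the allowlist (microsoft.com, office.com, office.net) and the installer-name pattern are constructed assumptions for the example; the two flagged domains are the ones named in the article.

```python
import re
from urllib.parse import urlsplit

# Constructed proxy log excerpt (not from the article).
# Format assumed: "<timestamp> <client_ip> <url> <http_status>"
SAMPLE_LOG = """\
2025-10-02T09:14:03Z 10.0.4.21 https://teams-install.top/MSTeamsSetup.exe 200
2025-10-02T09:15:10Z 10.0.4.22 https://www.microsoft.com/en-us/microsoft-teams/download-app 200
2025-10-02T09:16:45Z 10.0.4.23 https://teams-download.buzz/download/MSTeamsSetup.exe 200
2025-10-02T09:17:02Z 10.0.4.24 https://statics.teams.cdn.office.net/production-windows-x64/MSTeamsSetup.exe 200
2025-10-02T09:18:30Z 10.0.4.25 https://example.org/index.html 200
"""

# Assumed allowlist of registrable domains from which Microsoft serves Teams.
# Illustrative only; confirm against your own organization's inventory.
TRUSTED_SUFFIXES = ("microsoft.com", "office.com", "office.net")

# Installer file name pattern (assumption: the real installer is MSTeamsSetup*.exe/.msix).
INSTALLER_NAME = re.compile(r"^MSTeamsSetup.*\.(exe|msix)$", re.IGNORECASE)
# Any untrusted host that mentions "teams" is treated as a lookalike candidate.
LOOKALIKE_HOST = re.compile(r"teams", re.IGNORECASE)


def is_trusted_host(host: str) -> bool:
    """True if host equals or is a subdomain of an allowlisted suffix."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)


def classify_url(url: str):
    """Return a reason string if the URL looks like a counterfeit Teams download, else None."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if is_trusted_host(host):
        return None
    filename = parts.path.rsplit("/", 1)[-1]
    if INSTALLER_NAME.match(filename):
        return f"Teams installer name '{filename}' served from untrusted host {host}"
    if LOOKALIKE_HOST.search(host):
        return f"lookalike Teams hostname {host}"
    return None


def scan_proxy_log(text: str):
    """Scan log lines and return a list of findings (dicts) for suspicious Teams downloads."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines rather than crash on them
        timestamp, client, url, _status = fields[:4]
        reason = classify_url(url)
        if reason:
            findings.append({"time": timestamp, "client": client, "url": url, "reason": reason})
    return findings


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} -> {f['url']}: {f['reason']}")
```

The hostname rule is deliberately broad and will raise false positives for legitimate third-party sites that mention Teams in their name; the installer-name rule is the stronger signal, since a real installer should only ever be fetched from an allowlisted Microsoft domain. Tune the allowlist to what your proxy actually sees before relying on either rule.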

When run, these fake installers triggered a chain of attacks: an initial loader delivered the signed Oyster backdoor, a powerful piece of malware that Vanilla Tempest has been actively deploying since June 2025. The backdoor gave the attackers remote access to compromised systems, enabling them to steal data, execute commands, and deliver additional malicious software.

Microsoft Responded In a Systematic Manner

Microsoft responded with a multi-layered approach: revoking the compromised certificates and strengthening Microsoft Defender Antivirus to detect and block the fake installers, the Oyster backdoor, and Rhysida ransomware.

Enterprise users benefited from enhanced Microsoft Defender for Endpoint detections, monitoring for tactics like unusual network activity and privilege escalation linked to Vanilla Tempest’s methods.

This incident highlights the ongoing threat posed by supply chain attacks amid widespread reliance on remote work tools like Teams, as cybercriminals exploit user trust in reputable brands.

Although Microsoft’s quick certificate revocation stopped further abuse, experts caution that such attacks could reappear using new certificate authorities.
