Bypass Record

Code-Signing Abuse × Microsoft Artifact Signing

A publicly reported instance of Code-Signing Abuse bypassing Microsoft Artifact Signing, recorded with its original source. Factual record; no assessment of any specific deployment.

Product: Microsoft Artifact Signing
Technique: Code-Signing Abuse
MITRE ATT&CK: T1553.002
Confidence: High
Severity: High
Status: in the wild
Disclosed: 2026-05-20
Config / version noted: Not stated

Provenance

Reported as

exploited Microsoft's Artifact Signing infrastructure to digitally sign malicious code... bypass endpoint security defenses that trust Microsoft-signed binaries

Mechanism

Attackers used the Fox Tempest service to obtain valid digital signatures for malware from Microsoft's Artifact Signing infrastructure. The signed malware appears legitimate to security tools that rely on code-signing trust, which defeats reputation-based and signature-based detection on endpoints.

Detection & mitigation

Monitor for binaries signed by Microsoft's Artifact Signing service that exhibit suspicious behaviors (e.g., unusual network connections, process injection) or originate from non-standard locations. Enforce application control policies that restrict execution to trusted, verified software, and ensure endpoint detection rules flag anomalies in signed binaries.

This is a record of a publicly reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.