Microsoft’s Code-Signing Service Misused for Malware Attacks


Security researchers have disclosed a way in which attackers exploit Microsoft’s Trusted Signing service to sign malware with short-lived three-day certificates, giving their malicious software a layer of legitimacy and helping it bypass security defenses.

Why Code-Signing Matters to Hackers

Code-signing certificates are highly valuable to cybercriminals as they allow malware to appear as if it comes from a legitimate, trusted source. Signed malware can often evade security filters that flag unsigned executables, making it easier for attackers to distribute their malicious software.

One of the most sought-after certificates is the Extended Validation (EV) code-signing certificate. These are considered more trustworthy because they require rigorous verification processes. Many cybersecurity tools and Microsoft SmartScreen grant higher trust to software signed with EV certificates, reducing the likelihood of users encountering warnings when running the application.

However, obtaining an EV certificate is challenging for cybercriminals. They typically need to steal them from legitimate businesses or create fake companies, which requires significant effort and financial resources. Additionally, once an EV certificate is linked to malware, it is revoked, rendering it useless for future attacks.

Trusted Signing Service

Recently, security researchers have observed hackers abusing Microsoft’s Trusted Signing service to sign their malware using three-day certificates issued by “Microsoft ID Verified CS EOC CA 01.”

Although these certificates expire after three days, any executable signed with them remains valid unless the certificate is explicitly revoked. Security experts have discovered multiple malware campaigns leveraging this tactic, including the Crazy Evil Traffers crypto-theft malware and the Lumma Stealer.
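Because a timestamped signature stays valid after the three-day certificate expires, defenders cannot rely on expiry alone. The hunting script below is an added example, not code from the article or from Microsoft: it walks a folder you choose, reads each binary’s Authenticode signer with the built-in Get-AuthenticodeSignature cmdlet, and reports files whose signer was issued by the CA named above with a validity window of three days or less. The function name, the scan root and the three-day threshold are assumptions taken from the article’s description.

```powershell
# Added example (not from the article): find executables signed under the
# short-lived Trusted Signing CA so they can be reviewed, not auto-trusted.
function Find-ShortLivedSignedBinaries {
    param(
        [string]$ScanRoot = "C:\Users\Public\Downloads",          # assumed starting folder
        [string]$IssuerPattern = 'Microsoft ID Verified CS EOC CA 01',
        [int]$MaxValidityDays = 3                                   # article: three-day certificates
    )

    Get-ChildItem -Path $ScanRoot -Recurse -File -Include *.exe,*.dll,*.msi -ErrorAction SilentlyContinue |
    ForEach-Object {
        $sig  = Get-AuthenticodeSignature -FilePath $_.FullName
        $cert = $sig.SignerCertificate
        if (-not $cert) { return }                                 # unsigned: out of scope for this hunt
        if ($cert.Issuer -notmatch [regex]::Escape($IssuerPattern)) { return }

        $validDays = ($cert.NotAfter - $cert.NotBefore).TotalDays
        if ($validDays -gt $MaxValidityDays) { return }

        [pscustomobject]@{
            Path        = $_.FullName
            Subject     = $cert.Subject          # individual accounts sign under a personal name
            Issuer      = $cert.Issuer
            ValidDays   = [math]::Round($validDays, 1)
            Status      = $sig.Status            # stays 'Valid' after expiry if a timestamp countersignature exists
            Timestamped = [bool]$sig.TimeStamperCertificate
            Thumbprint  = $cert.Thumbprint       # pivot for revocation checks or an application-control block rule
        }
    }
}

# Usage: list hits sorted by path; pipe to Export-Csv to keep a record for triage.
Find-ShortLivedSignedBinaries | Sort-Object Path | Format-Table -AutoSize
```

A hit is not proof of malware, since legitimate individual developers use the same service; treat the output as a triage queue and check each thumbprint against current revocation status before blocking.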

What is Microsoft Trusted Signing?

Microsoft launched the Trusted Signing service in 2024 to help developers easily sign their software with a Microsoft-managed certification authority. This cloud-based platform offers a streamlined code-signing process for IT professionals and developers.

Key features of the service include:

  • A $9.99 monthly subscription for developers

  • Public and private trust signing options

  • Built-in timestamping service

  • Short-lived certificates that reduce security risks

  • A SmartScreen reputation boost for signed applications

Microsoft designed the platform to enhance security by preventing developers from directly handling certificates. This approach reduces the risk of certificate theft in case of a breach. However, the same system is now being misused by threat actors.

To mitigate abuse, Microsoft enforces strict eligibility requirements for company-issued certificates. Organizations must be in business for at least three years to qualify. However, individuals can sign up more easily, provided they use certificates issued under their own name.


Why Hackers Prefer Microsoft’s Service

Cybersecurity researcher ‘Squiblydoo,’ who has monitored malware-related certificate abuse for years, suggests that hackers are shifting to Microsoft’s signing service due to its convenience.

“For a long time, using EV certificates was the standard,” Squiblydoo explained. “However, Microsoft announced changes to EV certificates, leading to confusion among both attackers and legitimate users. Given the ambiguity, many attackers find Microsoft’s certificates easier to obtain.”

Compared to EV certificates, Microsoft’s verification process is simpler, making it an attractive alternative for cybercriminals.

Microsoft’s Response

When contacted about the abuse, Microsoft stated that it actively monitors for threats and revokes certificates linked to malicious activity.

“We use active threat intelligence monitoring to detect misuse of our signing service,” Microsoft told security researchers. “When threats are identified, we take immediate action, including broad certificate revocation and account suspension.”

Additionally, Microsoft’s antimalware tools detect and mitigate malware samples signed through the exploited service.

Conclusion

The abuse of Microsoft’s Trusted Signing service highlights a broader issue in cybersecurity—how legitimate tools can be misused by attackers. Organizations must remain vigilant by:

  • Regularly updating security policies to account for new threats

  • Implementing strict execution policies to limit untrusted applications

  • Utilizing endpoint detection and response (EDR) solutions to spot anomalies

As Microsoft works to tighten security around its signing service, cybersecurity professionals must stay alert to evolving threats that leverage trusted platforms for malicious purposes. The discovery of this exploit serves as a reminder that even well-intended security measures can be weaponized in the wrong hands.
