Microsoft disrupted Fox Tempest, an operation that fraudulently obtained Microsoft Authenticode signing certificates and resold them to threat actors deploying Rhysida ransomware, Lumma Stealer, and Vidar infostealer. All fraudulent certificates have been revoked, but organizations must audit for prior compromise, enforce certificate revocation checking, and apply application control policies to prevent recurrence.