Cybersecurity and Information Warfare

Microsoft revokes 200 fraudulent certificates linked to Rhysida ransomware campaign.

Microsoft has recently revoked over 200 fraudulent certificates linked to the threat actor Vanilla Tempest, previously known as Storm-0832, which has been active since July 2022. The certificates were used to sign malicious binaries for ransomware campaigns, notably fake Microsoft Teams setup files hosted on malicious domains that delivered the Rhysida ransomware. Following the detection of the campaign in late September 2025, the company enhanced its security solutions to flag these fraudulent signatures. The incident underscores the ongoing threat of SEO poisoning and the exploitation of user trust in well-known brands, and it emphasizes the importance of downloading software only from verified sources. More broadly, it shows the need for robust cybersecurity measures to counter evolving ransomware tactics that target unsuspecting users.
