
Microsoft secures court order disrupting malware code-signing operation


Relief included order directing domain name registrar to bar access to offending domain name.

Microsoft sued four John Doe defendants, alleging they ran a sophisticated criminal enterprise built around abusing Microsoft’s code-signing infrastructure. Code-signing certificates are cryptographic credentials that vouch for the authenticity of software, allowing operating systems such as Windows to treat signed files as trusted.

According to the complaint, two of the defendants created more than 580 fraudulent Microsoft tenants to access Microsoft’s Artifact Signing service and then sold the resulting certificates to the other two defendants and other cybercriminals, who used them to disguise malware as legitimate software. Microsoft asserted claims under RICO, the Computer Fraud and Abuse Act, and the Lanham Act, along with state law claims for breach of contract, trespass to chattels, and unjust enrichment.

After obtaining an ex parte TRO earlier in the month, Microsoft asked the court to convert that relief into a preliminary injunction. The requested order would bar defendants from accessing the Artifact Signing service, trafficking in fraudulently obtained certificates, signing malware, and using Microsoft’s trademarks, while also directing GoDaddy and hosting provider Cloudzy to keep a domain name used in the enterprise out of defendants’ hands.

The court granted the preliminary injunction in full. The court found Microsoft likely to succeed on the merits across its statutory and common law claims, and concluded that continued operation of the scheme would cause irreparable harm to Microsoft’s reputation, its customers, and the public.

The opinion catalogs hallmarks of contemporary cybercrime operations: shell companies and forged government IDs used to bypass identity checks, certificates marketed through Telegram and Google Forms, spoofed Microsoft Teams installers pushed via SEO poisoning and malicious ads, and infrastructure spread across a commercial registrar and an offshore hosting provider.

The court also noted that prior self-help by Microsoft, including the revocation of more than 200 certificates in October 2025, had not stopped the defendants, supporting the need for judicial intervention to seize the domain name and preserve the hosted virtual machines.

Microsoft Corp. v. Does, 2026 WL 1453668 (S.D.N.Y. May 22, 2026)