Overview
Microsoft has detailed a sophisticated cyberattack campaign targeting unpatched on-premises SharePoint servers, highlighting how a single vulnerable system can become the gateway to a much broader compromise.
The attacks, attributed primarily to a threat group known as Storm-2603, demonstrate that modern ransomware incidents are rarely just about encryption. Instead, they often involve long-term persistence, credential theft, lateral movement, and multiple threat actors operating simultaneously within the same environment.
For organisations still running on-premises SharePoint, the message is clear: patching delays can create opportunities for attackers to gain deep and lasting access.

Attack Breakdown
The attackers gained initial access by exploiting known SharePoint vulnerabilities, including:
- CVE-2025-49706
- CVE-2025-49704
- CVE-2025-11371
Once inside, the threat actors quickly established persistence and began mapping the environment.
Microsoft’s investigation revealed the use of several legitimate tools often abused by attackers, including:
- Velociraptor for reconnaissance and data collection
- Cloudflare Tunnels for covert remote access
- Zoho Assist for remote administration
- Visual Studio Code with SSH connectivity for command and control
To strengthen their foothold, the attackers created additional local and domain administrator accounts, ensuring continued access even if their initial entry point was discovered.
Beyond Ransomware
What makes this case particularly interesting is that ransomware was only one part of the attack.
Investigators discovered a second, unrelated threat actor operating inside the same environment at the same time.
This second actor deployed custom backdoors and leveraged DLL sideloading techniques that differed from Storm-2603’s known tactics.
More concerning was the theft of the NTDS.dit database, which contains Active Directory credentials. Access to this data can allow attackers to compromise user accounts, escalate privileges, and move laterally throughout an organisation.
The presence of two independent threat actors significantly complicated detection and response efforts, with each actor’s activities helping to obscure the other’s presence.
Advanced Evasion Techniques
The attackers also leveraged a growing trend known as Bring Your Own Vulnerable Driver (BYOVD).
By loading a vulnerable driver called NSecKrnl.sys, they were able to gain kernel-level access and interfere with security controls.
This technique is increasingly popular among advanced threat actors because it allows them to disable endpoint protection solutions without triggering traditional security alerts.
The result is a far stealthier attack that can remain undetected for extended periods.
Recommendations for Organisations
Organisations operating on-premises SharePoint environments should prioritise the following actions:
- Apply all SharePoint security updates immediately.
- Review internet-facing systems for known vulnerabilities.
- Monitor for the creation of unexpected administrator accounts.
- Audit remote access tools and software regularly.
- Deploy endpoint protection across all servers and workstations.
- Centralise security telemetry for improved visibility.
- Implement privileged access management controls.
- Test incident response procedures before an incident occurs.
Security teams should also closely monitor for signs of credential theft and unusual administrative activity.
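The following is an added example, not code from Microsoft's report or from the original post. It turns three of the points above into detection logic: an account created and then added to an administrators group (the extra admin accounts described under Attack Breakdown), execution of remote-access tooling that is not on an approved list, and the loading of a kernel driver named on a vulnerable-driver list (the NSecKrnl.sys BYOVD step). It uses the standard Windows Security event IDs 4720, 4728/4732 and 4688 and Sysmon event 6, but the pipe-delimited record format, the field names, the approved-tool list and every log line are constructed for the demo; the executable names for cloudflared, Zoho Assist, VS Code and Velociraptor are assumptions about their usual file names, not indicators from the report.

```python
"""Constructed detector for post-compromise activity on a SharePoint host.

Rules (all thresholds and lists are assumptions for this example):
  1. new-account-to-admin   : 4720 followed within 24h by 4728/4732 into an admin group
  2. unapproved-remote-tool : 4688 for a watched remote-access binary not on the allow list
  3. vulnerable-driver-load : Sysmon 6 for a blocklisted or unsigned driver
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

ADMIN_GROUPS = {"Administrators", "Domain Admins", "Enterprise Admins"}

# Remote-administration binaries to watch (assumed file names) and the subset
# the hypothetical organisation has sanctioned.
WATCHED_REMOTE_TOOLS = {"cloudflared.exe", "zaservice.exe", "code.exe",
                        "velociraptor.exe", "msra.exe"}
APPROVED_REMOTE_TOOLS = {"msra.exe"}

# NSecKrnl.sys is the driver named in the write-up; a real deployment would
# match hashes from Microsoft's vulnerable driver blocklist instead of names.
VULNERABLE_DRIVERS = {"nseckrnl.sys"}

ACCOUNT_TO_ADMIN_WINDOW = timedelta(hours=24)


@dataclass
class Event:
    ts: datetime
    event_id: int
    fields: dict


def parse_line(line: str) -> Event:
    """Parse a constructed 'ISO-timestamp|event_id|key=value;key=value' record."""
    ts, eid, rest = line.split("|", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
    return Event(datetime.fromisoformat(ts), int(eid), fields)


def detect(lines):
    """Return a list of (rule, subject, detail) alerts for the given records."""
    created = {}  # account name -> creation time, from 4720 events
    alerts = []
    for ev in (parse_line(l) for l in lines):
        f = ev.fields
        if ev.event_id == 4720:
            created[f["TargetUserName"]] = ev.ts
        elif ev.event_id in (4728, 4732) and f["TargetUserName"] in ADMIN_GROUPS:
            # Assumption: MemberName carries the member's account name in this format
            # (real events carry a DN or SID, which would need resolving first).
            member = f["MemberName"]
            when = created.get(member)
            if when is not None and ev.ts - when <= ACCOUNT_TO_ADMIN_WINDOW:
                alerts.append(("new-account-to-admin", member, f["TargetUserName"]))
            else:
                alerts.append(("admin-group-change", member, f["TargetUserName"]))
        elif ev.event_id == 4688:
            exe = f["NewProcessName"].rsplit("\\", 1)[-1].lower()
            if exe in WATCHED_REMOTE_TOOLS and exe not in APPROVED_REMOTE_TOOLS:
                alerts.append(("unapproved-remote-tool", exe, f.get("SubjectUserName", "?")))
        elif ev.event_id == 6:  # Sysmon: driver loaded
            drv = f["ImageLoaded"].rsplit("\\", 1)[-1].lower()
            if drv in VULNERABLE_DRIVERS or f.get("Signed", "true").lower() == "false":
                alerts.append(("vulnerable-driver-load", drv, f.get("Signature", "unsigned")))
    return alerts


# Constructed sample telemetry: a service account creates a new user, adds it to
# the local Administrators group, the new user launches cloudflared, and a
# signed-but-vulnerable driver is loaded from a temp directory. The final line
# is benign helpdesk activity that must not alert.
SAMPLE_LOG = [
    "2025-07-19T02:10:00|4720|SubjectUserName=spsvc;TargetUserName=backupadm",
    "2025-07-19T02:11:30|4732|SubjectUserName=spsvc;TargetUserName=Administrators;MemberName=backupadm",
    "2025-07-19T02:15:00|4688|SubjectUserName=backupadm;NewProcessName=C:\\ProgramData\\cloudflared.exe",
    "2025-07-19T02:20:00|6|ImageLoaded=C:\\Windows\\Temp\\NSecKrnl.sys;Signed=true;Signature=Some Vendor",
    "2025-07-19T09:00:00|4688|SubjectUserName=helpdesk;NewProcessName=C:\\Windows\\System32\\msra.exe",
]


def run_demo():
    return detect(SAMPLE_LOG)


if __name__ == "__main__":
    for rule, subject, detail in run_demo():
        print(f"[{rule}] {subject} ({detail})")
```

Each rule maps to one of the recommendations: the account rule covers "unexpected administrator accounts", the process rule is the machine-readable form of "audit remote access tools", and the driver rule is the telemetry check that BYOVD leaves behind even when endpoint protection is later disabled. Correlating the three in one place is the practical meaning of "centralise security telemetry".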
Expert in the Cloud Insight
This incident reinforces a reality many organisations are now facing: attackers are no longer focused on a single objective. A ransomware payload may be the most visible outcome, but it is often only one component of a much larger operation.
What stands out in this case is the attackers’ use of legitimate administration tools and cloud services. Many organisations focus heavily on malware detection while overlooking trusted tools that can be abused after compromise.
The presence of two separate threat actors within the same environment also highlights the importance of comprehensive visibility. Without correlating identity, endpoint, server, and cloud telemetry, defenders may only see a fraction of the attack unfolding.
For organisations still operating on-premises collaboration platforms, patch management remains one of the most effective security controls available. Every unpatched internet-facing application represents an opportunity for attackers to gain access, establish persistence, and move deeper into the environment.