Microsoft has issued an urgent security warning about an ongoing, high-impact cyber campaign targeting on-premises SharePoint servers. The attacks are actively compromising critical systems across government, healthcare, and enterprise organisations, with threat actors already installing backdoors and exfiltrating sensitive cryptographic material.

The Immediate Threat

Two critical vulnerabilities are being exploited in what security experts are calling a sophisticated, multi-wave attack:

CVE-2025-53770 ("ToolShell"): Critical vulnerability (CVSS 9.8) allowing unauthorised remote code execution
CVE-2025-53771: Important vulnerability (CVSS 6.3) enabling network-based spoofing attacks

The scale is alarming. Dutch security firm Eye Security detected dozens of systems being actively compromised in coordinated attack waves on 18th and 19th July, with exploitation continuing across multiple time zones.

Why This Attack Is Different

This isn't a typical opportunistic cyber campaign. The sophistication level suggests well-resourced threat actors with specific strategic objectives:

Bypassing Modern Security Controls

Attackers are circumventing multi-factor authentication (MFA) and single sign-on (SSO) systems – security measures that organisations rely on as their primary defence against unauthorised access.

Stealing Cryptographic Keys

Rather than just gaining access, attackers are extracting SharePoint's internal cryptographic keys, including the MachineKey used to secure critical ASP.NET state information. With these keys, they can:

• Forge legitimate-looking authentication tokens
• Execute code remotely without detection
• Maintain persistent access even after patches are applied
  
  

Lateral Movement Potential

SharePoint's deep integration with Microsoft's ecosystem (Office, Teams, OneDrive, Outlook) means a compromise doesn't stay contained – it opens pathways to entire organisational networks.

Organisations Must Assume Compromise

Microsoft's guidance is unusually stark: organisations with internet-facing SharePoint servers should assume they have been compromised.

The recommended immediate actions include:

1. Rotate all cryptographic material
2. Engage professional incident response teams
3. Deploy endpoint detection and response (EDR) solutions
4. Consider disconnecting SharePoint from the internet
5. Investigate for signs of prior compromise, even if patches have been applied
   
   
   

The Patching Challenge

Whilst Microsoft has released security updates for SharePoint Subscription Edition and SharePoint 2019, no patches are yet available for SharePoint 2016 – leaving thousands of organisations vulnerable until an emergency out-of-cycle update is released.

Even more concerning, the nature of this attack means that patching alone may not be sufficient. Stolen cryptographic keys could allow attackers to maintain access even after vulnerabilities are fixed.

Enterprise Impact Assessment

The implications for affected organisations are severe:

Data Exfiltration: Sensitive corporate, customer, and operational data stored in SharePoint is at immediate risk

Compliance Violations: Healthcare, government, and financial organisations may face regulatory penalties for data breaches

Business Continuity: Critical business processes dependent on SharePoint collaboration tools could be disrupted

Network Compromise: Initial SharePoint access often leads to broader network infiltration

Intellectual Property Theft: Corporate documents, strategic plans, and proprietary information could be stolen

Immediate Response Actions

Organisations running on-premises SharePoint must take urgent action:

For IT Teams

• Immediately assess all SharePoint servers for signs of compromise
• Apply available patches for SharePoint 2019 and Subscription Edition
• Implement network segmentation to limit potential lateral movement
• Enable comprehensive logging and monitoring for suspicious activity
• Rotate service account credentials and cryptographic material
  
  

For Security Teams

• Deploy EDR solutions on all SharePoint servers if not already present
• Configure Windows AMSI integration for SharePoint environments
• Monitor network traffic for unusual outbound connections
• Review access logs for unauthorised authentication attempts
• Implement additional network controls around SharePoint infrastructure
  
  

For Business Leaders

• Engage incident response professionals immediately
• Notify legal and compliance teams of potential data exposure
• Prepare stakeholder communications about potential service impacts
• Review cyber insurance coverage for potential claims
• Consider temporary service restrictions until security is confirmed
  
  
  

Long-Term Security Considerations

This attack highlights fundamental challenges in securing complex enterprise collaboration platforms:

Legacy System Risks: Organisations running older SharePoint versions face extended vulnerability windows

Integration Complexity: Deep system integrations create cascading security risks when one component is compromised

Patch Management: Critical systems often can't be immediately updated due to business requirements

Threat Evolution: Attackers are increasingly targeting collaboration platforms that contain vast amounts of sensitive business data

How altiacyber Can Help

At altiacyber, we understand that incidents like this SharePoint campaign require immediate, expert response and long-term security improvements.

Immediate Incident Response

Vulnerability Assessment: Rapid evaluation of your SharePoint infrastructure to identify compromise indicators and security gaps

Penetration Testing: Comprehensive testing of your SharePoint environment to identify additional vulnerabilities before attackers find them

Red Teaming: Advanced simulation of this attack scenario to test your organisation's detection and response capabilities

Long-Term Protection

Endpoint Protection: Advanced monitoring and protection for critical collaboration infrastructure

Perimeter Defences: Network security measures to detect and prevent unauthorised access to SharePoint servers

Security Compliance Management: Ensure your collaboration platforms meet industry security standards and regulatory requirements

Ongoing Monitoring

Cloud Security: For organisations considering migration to SharePoint Online, comprehensive cloud security implementation

Mail Security: Protection against phishing campaigns that often follow successful infrastructure compromises

The Broader Warning

The SharePoint campaign represents a concerning escalation in attacks against enterprise collaboration platforms. As remote work has made these systems more critical than ever, they've become high-value targets for sophisticated threat actors.

Organisations can no longer treat collaboration platform security as a secondary concern. SharePoint, Teams, and similar systems contain the intellectual property, strategic communications, and sensitive data that define modern businesses.

Don't wait for the next vulnerability disclosure to assess your security posture.

Concerned about your SharePoint security or need immediate incident response support?
Contact us for expert assistance in securing your collaboration infrastructure and responding to potential compromises.

Contact us at innovate@altiatech.com or call +44 (0)330 332 5482