Hackers Exploit Unpatched SharePoint Servers to Deploy Ransomware and Custom Backdoors

June 24, 2026

Unpatched on-premises SharePoint servers have become a prime target for sophisticated threat actors using known security flaws to break in, plant ransomware, and leave behind hidden backdoors.

These are not opportunistic smash-and-grab operations. They are calculated, multi-stage campaigns designed to stay inside a network for as long as possible, often without raising any alarms.

The threat group behind the primary wave of attacks, tracked as Storm-2603, has been actively targeting vulnerable SharePoint servers since at least mid-2025.

The group exploited publicly disclosed vulnerabilities, including CVE-2025-49706 and CVE-2025-49704, to gain an initial foothold.

Investigators also found evidence of probing activity tied to CVE-2025-11371, an unauthenticated local file inclusion flaw that allowed attackers to access sensitive system files and dig deeper into the victim’s environment.

Analysts from Microsoft’s Detection and Response Team (DART) identified the full scope of these attacks after a detailed investigation.

According to a Microsoft report shared with Cyber Security News (CSN), the incident revealed a level of complexity well beyond a standard ransomware deployment, with two distinct threat actors operating inside the same environment at the same time.

What made this case especially difficult to unravel was that both actors were working in parallel, not sequentially. Each group’s activity was effectively masking the other’s, making it extremely hard for defenders to see the full picture.

Only by correlating data across identities, endpoints, and cloud activity were investigators finally able to piece together the complete attack chain.

The incident is part of Microsoft’s Cyberattack Series, No. 9, and highlights a growing trend where ransomware incidents are just the visible layer of a far more intricate compromise.

Organizations running older, unpatched versions of SharePoint on their own servers are particularly at risk, and the window to act is narrowing.

Once inside the network, Storm-2603 wasted no time setting up for a long-term stay. The group deployed Velociraptor, a legitimate forensic tool, running it with the highest system privileges to map the environment and collect data.

They then built out multiple remote access channels using Cloudflare tunnels, Zoho Assist for remote management, and Visual Studio Code to create SSH-based command-and-control connections.

To ensure they could not be easily removed, the attackers created new local and domain administrator accounts, giving themselves permanent access to the network.

They also loaded a vulnerable driver called NSecKrnl.sys to gain deep kernel-level access, allowing them to tamper with system memory and disable endpoint protection tools.

This method, known as Bring Your Own Vulnerable Driver (BYOVD), is a favored technique for switching off security software without triggering obvious alerts.

A second, unknown threat actor was also present, identified through malicious DLL sideloading and custom backdoors that did not match Storm-2603’s known methods.

This actor exfiltrated the NTDS.dit file, which stores all Active Directory credentials, by creating an archive called NTDS.zip across two separate devices. Lateral movement was then carried out between devices using WinRM, a legitimate Windows remote management protocol.

How Microsoft DART Responded and What Organizations Should Do

DART moved quickly once the investigation began, running daily briefings with the affected customer to share findings, flag new risks, and coordinate containment steps.

By combining telemetry from multiple security platforms with dedicated investigative tools, the team tracked attacker behavior across the entire environment and identified both parallel intrusion streams before further damage could spread.

The response also came with clear guidance for organizations looking to strengthen their defenses. Patching internet-facing systems, especially SharePoint servers, should be treated as an immediate priority.

Beyond patching, organizations are advised to treat high-privilege accounts as a prime attack surface, enforce tight identity controls, and monitor closely for unusual sign-in activity.

Deploying endpoint protection across all devices, retaining telemetry in a central location, and auditing remote access tools regularly are also essential steps. Incident response plans should be developed and fully tested before an attack unfolds, not scrambled together in the middle of one.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
|---|---|---|
| Vulnerability | CVE-2025-49706 | SharePoint vulnerability exploited by Storm-2603 for initial access |
| Vulnerability | CVE-2025-49704 | SharePoint vulnerability exploited by Storm-2603 for initial access |
| Vulnerability | CVE-2025-11371 | Unauthenticated local file inclusion flaw used to access sensitive system files |
| File Name | NSecKrnl.sys | Vulnerable driver loaded for BYOVD kernel-level access and endpoint defense evasion |
| File Name | ulib.dll | Malicious DLL used for sideloading via replace.exe on Device A |
| File Name | srvcli.dll | Unsigned malicious DLL dropped to %LOCALAPPDATA%\Temp and C:\Users\Public\Documents |
| File Name | NTDS.zip | Archive created by unknown actor containing exfiltrated NTDS.dit Active Directory credentials |
| File Name | NTDS.dit | Active Directory credential store targeted for exfiltration |
| File Name | win.ini | File requested during reconnaissance/probing phase |
| File Name | web.config | File requested during reconnaissance/probing phase indicating local file inclusion probing |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
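The guidance above (central telemetry, auditing of admin accounts and remote access) and the IoC table come together in a small triage routine. The following is an added example written for this page, not code from Microsoft DART or Cyber Security News: it takes the file-name indicators from the table and checks them against endpoint events of the kinds the article describes (driver loads for BYOVD, DLL drops in the two named directories, NTDS staging, new administrator accounts, WinRM logons). Every event record is constructed sample data; the event kinds, the `WINRM_JUMP_HOSTS` allow-list, and the expansion of %LOCALAPPDATA%\Temp to the default profile path are assumptions made for the example.

```python
"""IoC matching over constructed endpoint telemetry.

Added example, not Microsoft's or Cyber Security News's code. The indicator
names come from the article's IoC table; every event below is constructed
sample data, and the WinRM jump-host allow-list is an assumption.
"""
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Indicators from the article's IoC table (matched case-insensitively on basename).
VULNERABLE_DRIVERS = {"nseckrnl.sys"}
SIDELOAD_DLLS = {"ulib.dll", "srvcli.dll"}
CREDENTIAL_ARTIFACTS = {"ntds.dit", "ntds.zip"}

# Drop locations named in the table for srvcli.dll. %LOCALAPPDATA%\Temp expands per
# user, so it is matched on the trailing profile path (assumption: default layout).
DROP_DIRS = [
    re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE),
    re.compile(r"^C:\\Users\\Public\\Documents\\", re.IGNORECASE),
]

# Assumption for the example: only these hosts are expected to open WinRM sessions.
WINRM_JUMP_HOSTS = {"ADMIN-JUMP01"}


@dataclass(frozen=True)
class Event:
    host: str    # endpoint that produced the record
    kind: str    # driver_load | file_create | admin_group_add | winrm_logon
    detail: str  # file path, account name, or source host, depending on kind


def classify(event: Event) -> Optional[str]:
    """Return a finding label when an event matches an indicator, else None."""
    name = ntpath.basename(event.detail).lower()
    if event.kind == "driver_load" and name in VULNERABLE_DRIVERS:
        return "BYOVD: vulnerable driver loaded"
    if event.kind == "file_create":
        if name in CREDENTIAL_ARTIFACTS:
            return "credential theft: NTDS artifact written"
        # Sideload DLLs are only flagged in user-writable drop paths; a copy under
        # a system directory would need a signature check this example does not do.
        if name in SIDELOAD_DLLS and any(p.search(event.detail) for p in DROP_DIRS):
            return "DLL sideloading: malicious DLL dropped"
        return None
    if event.kind == "admin_group_add":
        return "persistence: account added to Administrators"
    if event.kind == "winrm_logon" and event.detail.upper() not in WINRM_JUMP_HOSTS:
        return "lateral movement: WinRM logon from unexpected source"
    return None


def triage(events: Iterable[Event]) -> Dict[str, List[str]]:
    """Group findings by host so an analyst sees each device's attack stages together."""
    findings: Dict[str, List[str]] = {}
    for ev in events:
        label = classify(ev)
        if label:
            findings.setdefault(ev.host, []).append(label)
    return findings


# Constructed sample telemetry; none of this is real data from the incident.
SAMPLE_EVENTS = [
    Event("SP-WEB01", "driver_load", r"C:\Windows\Temp\NSecKrnl.sys"),
    Event("SP-WEB01", "admin_group_add", "svc_maint"),
    Event("DEVICE-A", "file_create", r"C:\Users\alice\AppData\Local\Temp\srvcli.dll"),
    Event("DEVICE-A", "file_create", r"C:\Users\Public\Documents\srvcli.dll"),
    Event("DEVICE-A", "file_create", r"C:\Windows\System32\ulib.dll"),  # not a listed drop path
    Event("DC01", "file_create", r"C:\Windows\Temp\NTDS.zip"),
    Event("DEVICE-B", "winrm_logon", "DEVICE-A"),
    Event("DEVICE-B", "winrm_logon", "ADMIN-JUMP01"),  # expected jump host
    Event("DEVICE-B", "driver_load", r"C:\Windows\System32\drivers\ndis.sys"),  # benign
]

if __name__ == "__main__":
    for host, labels in triage(SAMPLE_EVENTS).items():
        print(host)
        for label in labels:
            print("  -", label)
```

Run as-is it prints the findings per host; in practice the event list would be fed from centrally retained EDR or Windows event telemetry, and the drop-directory patterns would be extended to the actual `%LOCALAPPDATA%` values in use rather than assuming the default profile layout.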
