What began as a routine ransomware investigation uncovered two unrelated attackers operating inside the same victim network at the same time, each obscuring the other’s activity and complicating the response.
The discovery emerged during a Microsoft Detection and Response Team (DART) engagement involving Storm-2603, a threat actor associated with ransomware deployment. Investigators initially believed they were tracking a single intrusion before identifying a separate attack chain involving a different set of tools, infrastructure, and objectives.
“This case highlights a growing reality: modern attacks are not always isolated events. Sometimes they are overlapping campaigns,” Microsoft said in its latest cyberattacks series report.
The company said activity linked to one actor initially obscured evidence associated with the other, complicating efforts to determine the full scope of the compromise and reconstruct the attack timeline.
“Only by correlating identity, endpoint, and cloud telemetry together did the full scope of the attack become clear,” the report added.
The investigation ultimately expanded beyond the original environment and led DART to identify a second compromised organization connected to the broader attack chain, according to Microsoft.
Two attackers, one environment
The investigation began after attackers exploited vulnerabilities in on-premises SharePoint servers and established persistence inside the victim environment.
Microsoft attributed that activity to Storm-2603, which used Cloudflare Tunnel, Zoho Assist, Visual Studio Code Remote SSH, and Velociraptor during the intrusion. The actor also created unauthorized administrator accounts and used a vulnerable driver to disable security controls before deploying ransomware, the report said.
As investigators reconstructed the attack timeline, they identified activity that did not align with the ransomware operator’s tactics, techniques, and procedures.
Further analysis uncovered what Microsoft described as a separate intrusion. According to the report, the second actor used DLL sideloading techniques, custom backdoors, VPN access through virtual private server infrastructure, and attempted access to Active Directory credential databases.
Microsoft said the activity represented a separate attack chain operating within the same environment.
“Two distinct threat actors operated simultaneously within the same environment,” Microsoft said in its report, with each one masking the other and obscuring the full scope of the intrusion.
Overlapping intrusions are more common than vendors admit, said Vibhum Dubey, an independent cybersecurity researcher and red teamer.
“Most incident responders hesitate to conclude that multiple unrelated actors are operating in the same environment, so they may spend considerable time trying to build a single coherent kill chain from what are actually separate intrusions,” Dubey said.
Two groups landing on the same exposed SharePoint server is rarely coordinated, he said, but “two separate groups scanning the same CVE feeds and getting lucky around the same window.” The result, he added, is “same environment, zero shared intent.”
That overlap is also what makes such cases hard to untangle, Dubey said.
How the breach spread
The investigation widened when forensic evidence showed the attackers had moved beyond the first network. DART contacted a second organization and confirmed it had been hit by the same Storm-2603 ransomware activity, showing the actor’s reach extended beyond the first victim.
Containment is where overlapping intrusions bite hardest, Dubey said. Evicting one group and rotating credentials can tip off a second actor that was never fully scoped. “Actor B, who you never fully scoped, goes loud because you just shook their environment,” he said. What DART got right, he added, was using threat intelligence to separate the artifact clusters before acting, “the discipline that made the difference.”
DART contained both intrusions using a structured response playbook, the report said, pulling telemetry from identities, endpoints, and cloud services into a single view to spot abnormal behavior, flag credential misuse, and track the attackers. It briefed the affected customer daily and worked with Microsoft Threat Intelligence to confirm the two actors were active in parallel. Only by “correlating identity, endpoint, and cloud telemetry together,” Microsoft said, did the full scope of the attack become clear.
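As an added illustration, not code from Microsoft's report or from DART's tooling, the sketch below shows the correlation step the report describes: constructed events from identity, endpoint and cloud sources are split into per-actor timelines using the two tool sets the article names, then checked for parallel activity and for hosts both actors touched. Actor labels, hostnames, timestamps and indicator names are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample events (hypothetical hosts and timestamps) from three telemetry sources.
EVENTS = [
    {"ts": "2025-07-20T02:10", "source": "endpoint", "host": "SP01", "indicator": "cloudflared_tunnel"},
    {"ts": "2025-07-20T03:05", "source": "endpoint", "host": "SP01", "indicator": "dll_sideload"},
    {"ts": "2025-07-20T03:40", "source": "identity", "host": "SP01", "indicator": "new_admin_account"},
    {"ts": "2025-07-20T04:15", "source": "cloud", "host": "VPN-GW", "indicator": "vps_vpn_login"},
    {"ts": "2025-07-20T05:00", "source": "endpoint", "host": "DC01", "indicator": "ntds_dit_access"},
    {"ts": "2025-07-21T01:30", "source": "endpoint", "host": "SP01", "indicator": "vulnerable_driver_load"},
    {"ts": "2025-07-21T01:45", "source": "endpoint", "host": "FS02", "indicator": "ransomware_binary"},
    {"ts": "2025-07-21T09:00", "source": "identity", "host": "WS07", "indicator": "interactive_logon"},
]

# Tool/technique clusters per actor as listed in the article; "actor_b" is a placeholder label.
ACTOR_PROFILES = {
    "storm_2603": {"cloudflared_tunnel", "zoho_assist", "vscode_remote_ssh", "velociraptor",
                   "new_admin_account", "vulnerable_driver_load", "ransomware_binary"},
    "actor_b": {"dll_sideload", "custom_backdoor", "vps_vpn_login", "ntds_dit_access"},
}

def attribute(indicator):
    """Map one indicator to the actor cluster it belongs to, or 'unattributed'."""
    for actor, tools in ACTOR_PROFILES.items():
        if indicator in tools:
            return actor
    return "unattributed"

def build_timelines(events):
    """Split a mixed event stream into one chronologically sorted timeline per actor."""
    timelines = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        timelines[attribute(ev["indicator"])].append(ev)
    return dict(timelines)

def parallel_activity(timelines, a, b):
    """True if the first-to-last activity windows of actors a and b overlap in time."""
    span = lambda evs: (datetime.fromisoformat(evs[0]["ts"]), datetime.fromisoformat(evs[-1]["ts"]))
    a0, a1 = span(timelines[a])
    b0, b1 = span(timelines[b])
    return a0 <= b1 and b0 <= a1

def shared_hosts(timelines, a, b):
    """Hosts touched by both actors, where one actor's artifacts can mask the other's."""
    return {e["host"] for e in timelines[a]} & {e["host"] for e in timelines[b]}

if __name__ == "__main__":
    tl = build_timelines(EVENTS)
    for actor, evs in tl.items():
        print(actor, [(e["ts"], e["source"], e["indicator"]) for e in evs])
    print("parallel:", parallel_activity(tl, "storm_2603", "actor_b"))
    print("shared hosts:", shared_hosts(tl, "storm_2603", "actor_b"))
```

Events that match neither cluster land in an "unattributed" timeline, which is the bucket a responder would review before concluding that a single kill chain explains everything.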
What should enterprises take away?
Microsoft urged organizations to prioritize patching for internet-facing systems, especially on-premises SharePoint, and to treat privileged identities as a primary attack surface, with tighter controls and monitoring.
It also recommended deploying endpoint protection broadly, centralizing telemetry, restricting remote-access and developer tools that attackers abuse, and keeping tested incident response playbooks ready to isolate compromised accounts quickly.
For Dubey, the root cause is simpler than the forensics that followed: “an internet-facing box sat unpatched long enough for more than one actor to walk through the door.” Everything after that, he said, “was downstream of that single failure.”
Microsoft did not immediately respond to a request for comment.