{"id":8565,"date":"2026-06-23T12:08:59","date_gmt":"2026-06-23T12:08:59","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=8565"},"modified":"2026-06-23T12:08:59","modified_gmt":"2026-06-23T12:08:59","slug":"unpatched-sharepoint-servers-opened-the-door-to-multiple-attackers-microsoft-finds","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=8565","title":{"rendered":"Unpatched SharePoint servers opened the door to multiple attackers, Microsoft finds"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>What began as a routine ransomware investigation uncovered two unrelated attackers operating inside the same victim network at the same time, each obscuring the other\u2019s activity and complicating the response.<\/p>\n<p>The discovery emerged during a Microsoft Detection and Response Team (DART) engagement involving Storm-2603, a threat actor associated with ransomware deployment. Investigators initially believed they were tracking a single intrusion before identifying a separate attack chain involving a different set of tools, infrastructure, and objectives.<\/p>\n<p>\u201cThis case highlights a growing reality: modern attacks are not always isolated events. 
Sometimes they are overlapping campaigns,\u201d <a href=\"https:\/\/cdn-dynmedia-1.microsoft.com\/is\/content\/microsoftcorp\/microsoft\/bade\/documents\/products-and-services\/en-us\/security\/Cyberattacks-Series-Report-Q4.pdf\" target=\"_blank\" rel=\"noopener\">Microsoft said<\/a> in its latest cyberattacks series report.<\/p>\n<p>The company said activity linked to one actor initially obscured evidence associated with the other, complicating efforts to determine the full scope of the compromise and reconstruct the attack timeline.<\/p>\n<p>\u201cOnly by correlating identity, endpoint, and cloud telemetry together did the full scope of the attack become clear,\u201d the report added.<\/p>\n<p>The investigation ultimately expanded beyond the original environment and led DART to identify a second compromised organization connected to the broader attack chain, according to Microsoft.<\/p>\n<h2 class=\"wp-block-heading\">Two attackers, one environment<\/h2>\n<p>The investigation began after attackers exploited vulnerabilities in on-premises SharePoint servers and established persistence inside the victim environment.<\/p>\n<p>Microsoft attributed that activity to Storm-2603, which used Cloudflare Tunnel, Zoho Assist, Visual Studio Code Remote SSH, and Velociraptor during the intrusion. The actor also created unauthorized administrator accounts and used a vulnerable driver to disable security controls before deploying ransomware, the report said.<\/p>\n<p>As investigators reconstructed the attack timeline, they identified activity that did not align with the ransomware operator\u2019s tactics, techniques, and procedures.<\/p>\n<p>Further analysis uncovered what Microsoft described as a separate intrusion. 
According to the report, the second actor used DLL sideloading techniques, custom backdoors, VPN access through virtual private server infrastructure, and attempted access to Active Directory credential databases.<\/p>\n<p>Microsoft said the activity represented a separate attack chain operating within the same environment.<\/p>\n<p>\u201cTwo distinct threat actors operated simultaneously within the same environment,\u201d Microsoft said in its report, with each one masking the other and obscuring the full scope of the intrusion.<\/p>\n<p>Overlapping intrusions are more common than vendors admit, said Vibhum Dubey, an independent cybersecurity researcher and red teamer.<\/p>\n<p>\u201cMost incident responders hesitate to conclude that multiple unrelated actors are operating in the same environment, so they may spend considerable time trying to build a single coherent kill chain from what are actually separate intrusions,\u201d Dubey said.<\/p>\n<p>Two groups landing on the same exposed SharePoint server is rarely coordinated, he said, but \u201ctwo separate groups scanning the same CVE feeds and getting lucky around the same window.\u201d The result, he added, is \u201csame environment, zero shared intent.\u201d<\/p>\n<p>That overlap is also what makes such cases hard to untangle, Dubey said.<\/p>\n<h2 class=\"wp-block-heading\">How the breach spread<\/h2>\n<p>The investigation widened when forensic evidence showed the attackers had moved beyond the first network. DART contacted a second organization and confirmed it had been hit by the same Storm-2603 ransomware activity, showing the actor\u2019s reach extended beyond the first victim.<\/p>\n<p>Containment is where overlapping intrusions bite hardest, Dubey said. Evicting one group and rotating credentials can tip off a second actor that was never fully scoped. \u201cActor B, who you never fully scoped, goes loud because you just shook their environment,\u201d he said. 
What DART got right, he added, was using threat intelligence to separate the artifact clusters before acting, \u201cthe discipline that made the difference.\u201d<\/p>\n<p>DART contained both intrusions using a structured response playbook, the report said, pulling telemetry from identities, endpoints, and cloud services into a single view to spot abnormal behavior, flag credential misuse, and track the attackers. It briefed the affected customer daily and worked with Microsoft Threat Intelligence to confirm the two actors were active in parallel. Only by \u201ccorrelating identity, endpoint, and cloud telemetry together,\u201d Microsoft said, did the full scope of the attack become clear.<\/p>\n<h2 class=\"wp-block-heading\">What should enterprises take away?<\/h2>\n<p>Microsoft urged organizations to prioritize patching for internet-facing systems, especially on-premises SharePoint, and to treat privileged identities as a primary attack surface, with tighter controls and monitoring.<\/p>\n<p>It also recommended deploying endpoint protection broadly, centralizing telemetry, restricting remote-access and developer tools that attackers abuse, and keeping tested incident response playbooks ready to isolate compromised accounts quickly.<\/p>\n<p>For Dubey, the root cause is simpler than the forensics that followed: \u201can internet-facing box sat unpatched long enough for more than one actor to walk through the door.\u201d Everything after that, he said, \u201cwas downstream of that single failure.\u201d<\/p>\n<p>Microsoft did not immediately respond to a request for comment.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>What began as a routine ransomware investigation uncovered two unrelated attackers operating inside the same victim network at the same time, each obscuring the other\u2019s activity and complicating the response. 
The discovery emerged during a Microsoft Detection and Response Team (DART) engagement involving Storm-2603, a threat actor associated with ransomware deployment. Investigators initially believed they [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":8566,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-8565","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8565"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=8565"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/8565\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/8566"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=8565"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=8565"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=8565"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}