Organizations running on-premises SharePoint servers face a critical security threat as sophisticated attackers actively exploit newly discovered vulnerabilities. Recent campaigns, primarily from China-based groups like Linen Typhoon, Violet Typhoon, and Storm-2603, target unpatched servers using advanced spoofing and remote code execution flaws. These exploits do not affect SharePoint Online, but on-premises environments are highly vulnerable until patched.
How Attackers Breach and Persist
The initial attack phase involves reconnaissance and a crafted POST request targeting SharePoint endpoints. This enables attackers to bypass authentication and execute code on the server. Once inside, they deploy persistent web shells (frequently variants of spinstall0.aspx) to maintain access and facilitate further malicious actions. Attackers seek out and steal ASP.NET MachineKeys, disable security features, and use a range of techniques to expand their foothold and evade detection, including:
- Disabling Microsoft Defender protections through registry edits
- Achieving persistence via scheduled tasks and manipulated IIS components
- Harvesting credentials with tools like Mimikatz by targeting LSASS memory
- Moving laterally using PsExec and Impacket over WMI
- Deploying ransomware (notably Warlock) by modifying Group Policy Objects
These activities align with key MITRE ATT&CK tactics, exploitation of public-facing applications, credential access, privilege escalation, defense evasion, and ransomware deployment, all raising the stakes for defenders.
Mitigation: What Security Teams Must Do Now
Microsoft strongly recommends immediate action for all organizations operating on-premises SharePoint:
- Upgrade to supported SharePoint versions and apply the latest security patches
- Enable Antimalware Scan Interface (AMSI) and deploy Defender Antivirus in Full Mode on every SharePoint server
- Rotate ASP.NET MachineKeys and restart IIS after patching or enabling AMSI
- Deploy Microsoft Defender for Endpoint or equivalent solutions to detect and block post-exploit activity
- Restrict or disconnect internet access for servers where AMSI cannot be enabled until patched
- Implement and test incident response plans in preparation for potential ransomware activity
- Turn on cloud-delivered protection, endpoint detection and response (EDR) in block mode, and enable attack surface reduction rules and tamper protection
Further recommendations include enabling LSA protection, Credential Guard, and controlled folder access to limit attacker movement and prevent data theft.
Detection and Threat Hunting: Tools and Best Practices
Microsoft provides a robust set of indicators of compromise (IOCs) and hunting queries to help defenders detect exploitation and post-exploit activity. Security teams should watch for suspicious files like spinstall0.aspx and IIS_Server_dll.dll, associated hashes, URLs, and malicious IP addresses. Leveraging Microsoft Defender XDR, Sentinel, and Threat Intelligence tools is critical for effective monitoring and hunting.
- Use prebuilt and custom queries in Defender and Sentinel to detect web shell activity, credential theft, lateral movement, and ransomware deployment
- Employ Defender Vulnerability Management to identify and track remediation of affected devices by CVE
- Utilize External Attack Surface Management (Defender EASM) to find exposed, internet-facing SharePoint instances requiring urgent action
Continuous monitoring and rapid remediation are essential to stay ahead of evolving attack techniques.
Takeaway: Proactive Security is Non-Negotiable
The rapid weaponization of SharePoint vulnerabilities by advanced threat actors highlights the critical need for proactive patch management, layered defenses, and ongoing threat hunting. Organizations delaying updates or neglecting Microsoft’s guidance risk severe data breaches and ransomware incidents. Microsoft’s unified security ecosystem (spanning detection, intelligence, and remediation) empowers defenders, but immediate action is required to mitigate the current wave of attacks.
If you operate on-premises SharePoint, act decisively: patch all servers, enable AMSI and Defender, rotate keys, and leverage the latest detection tools to protect your environment from active threats.
How to Respond to Actively Exploited SharePoint Vulnerabilities: Immediate Steps for Security Teams