SharePoint Breach Is Just the Beginning

In July 2025, attackers exploited a zero-day vulnerability in Microsoft SharePoint, compromising thousands of organizations across multiple industries. What made this attack particularly dangerous was its ability to bypass conventional security controls, including multi-factor authentication (MFA), firewalls, and endpoint defenses.

But the breach wasn’t just a technical failure; it was a visibility failure. Most organizations didn’t know they were under attack until it was too late. This incident underscores a growing reality:

Cybercriminal tactics are evolving faster than traditional defenses can adapt.

The New Playbook of Modern Cybercrime

Today’s threat actors no longer rely solely on commodity malware or brute-force techniques. Instead, they deploy coordinated, multi-stage attack chains that exploit gaps in cloud architecture, identity management, and trusted third-party platforms. The recently exploited vulnerabilities in SharePoint, Fortinet FortiWeb, and CrushFTP are clear examples of this evolution. These incidents demonstrate how adversaries increasingly bypass traditional security measures, not through volume, but through stealth, speed, and the exploitation of systemic weaknesses in core enterprise infrastructure.

“This lose-lose situation is compounded by the Clorox lawsuit against Cognizant, which could establish precedent-setting liability for third-party cybersecurity failures. Having recorded evidence of help desk workers literally handing network access to cybercriminals creates an indefensible legal position that will likely reshape how we think about outsourcing critical security functions.” — James Azar, July 25, 2025

In this evolving threat landscape, it’s not just systems that are at risk; accountability is at risk too. Organizations must not only defend against advanced threats but also reassess how they delegate and monitor critical functions across their supply chain and cloud ecosystems.

1. Zero-Day Exploits

As demonstrated across all three incidents, cybercriminals are quick to weaponize newly disclosed vulnerabilities, sometimes before vendors can release fixes and almost always before most organizations have applied them, catching organizations off guard and unprepared. These attacks result in unauthorized access, privilege escalation, and in many cases, complete system compromise.

  • In the mid-July 2025 SharePoint breach tied to CVE‑2025‑53770 (“ToolShell”), attackers exploited a deserialization flaw reachable through the ToolPane.aspx endpoint to achieve unauthenticated remote code execution on on-premises SharePoint servers. Because the flaw is reachable before any login, it sidesteps the authentication workflow entirely, MFA and SSO included. The attackers deployed web shells (e.g., spinstall0.aspx) whose job was to read and exfiltrate the server’s ASP.NET machine keys (ValidationKey and DecryptionKey) along with internal configuration data. With those keys an attacker can sign their own __VIEWSTATE payloads and re-enter a server even after it has been patched, which is why Microsoft’s remediation guidance pairs the patch with rotating the machine keys and restarting IIS. By running commands from the trusted IIS worker process (w3wp.exe) and PowerShell, the attackers evaded signature-based detection and maintained persistent, stealthy access within affected environments.

  • In the Fortinet FortiWeb attacks tied to CVE‑2025‑25257, attackers exploited a pre-authentication SQL injection vulnerability in the Fabric Connector component. Malicious SQL carried in a specially crafted Authorization header was executed by the appliance’s database, and the attackers chained that into remote code execution to deploy payloads and compromise the web application firewall itself, all while bypassing traditional detection controls. In this case the vendor fix was published before exploitation in the wild began; attacks followed within days of public proof-of-concept code, the patch-lag pattern described later in this article.

  • In the CrushFTP attacks tied to CVE‑2025‑54309, a flaw in the AS2 validation logic was exploited over HTTPS to gain unauthenticated administrative access to the managed file transfer server on instances not fronted by CrushFTP’s DMZ proxy feature. With admin access the attackers could fully compromise the server: bypassing authentication, manipulating stored files, executing privileged commands, and escaping detection entirely.
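The FortiWeb bullet above describes a bug class that is easy to see in miniature: a bearer token read from the Authorization header and spliced into a SQL statement before any authentication has taken place. The following is an added example written for this article; it is not FortiWeb code and does not reproduce the CVE‑2025‑25257 payload. The table, column names and token values are constructed, and SQLite stands in for the appliance database.

```python
"""Header-driven SQL injection: a vulnerable token lookup beside a parameterized one.

Added example for this article (not FortiWeb code). Models the bug class in the
FortiWeb bullet: an Authorization header value used in SQL before the request
has been authenticated. Schema, table and tokens below are constructed.
"""
import re
import sqlite3

# Constructed schema: the "fabric_users" table and the tokens are assumptions.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fabric_users (id INTEGER PRIMARY KEY, username TEXT, api_token TEXT)")
    conn.execute("INSERT INTO fabric_users VALUES (1, 'admin', 'tok-admin-123')")
    conn.execute("INSERT INTO fabric_users VALUES (2, 'reporter', 'tok-reporter-456')")
    return conn

def bearer_token(headers):
    """Return the token from 'Authorization: Bearer <token>' or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return token if scheme.lower() == "bearer" and token else None

def lookup_user_vulnerable(conn, headers):
    """Pre-auth lookup that trusts the header verbatim."""
    token = bearer_token(headers)
    if token is None:
        return None
    # A token of  ' OR '1'='1  turns the WHERE clause into a tautology, so the
    # first row in the table (the admin account) is returned to an attacker.
    sql = f"SELECT username FROM fabric_users WHERE api_token = '{token}'"
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

# Tokens in this constructed scheme are URL-safe base64-ish; anything else is
# rejected up front. This is defence in depth and an easy thing to alert on,
# but the real fix is the bound parameter below.
TOKEN_RE = re.compile(r"^[A-Za-z0-9._-]{8,128}$")

def lookup_user_fixed(conn, headers):
    """Same lookup with an allowlist check and a bound parameter."""
    token = bearer_token(headers)
    if token is None or not TOKEN_RE.match(token):
        return None
    row = conn.execute(
        "SELECT username FROM fabric_users WHERE api_token = ?", (token,)
    ).fetchone()
    return row[0] if row else None

def demo():
    """Run both lookups against an injection attempt and a valid token."""
    attacker = {"Authorization": "Bearer ' OR '1'='1"}
    legit = {"Authorization": "Bearer tok-reporter-456"}
    conn = make_db()
    return {
        "vulnerable_with_injection": lookup_user_vulnerable(conn, attacker),
        "fixed_with_injection": lookup_user_fixed(conn, attacker),
        "fixed_with_valid_token": lookup_user_fixed(conn, legit),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The vulnerable path hands the attacker the first account in the table without a valid token; the fixed path returns nothing for the same header. Note that the injection string contains quotes and spaces, which a WAF or access-log rule can flag in an Authorization header long before anyone reviews the appliance code.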

2. Bypassing MFA and Identity Controls

Even modern authentication mechanisms like MFA are no longer foolproof. Attackers increasingly use adversary-in-the-middle phishing kits that relay a real login and capture the resulting session cookie, together with session hijacking, token theft, and OAuth consent abuse, to impersonate legitimate users without ever having to satisfy the second factor themselves.

3. Exploitation of Cloud Misconfigurations

Misconfigurations in cloud platforms such as Microsoft 365, AWS, and Google Workspace continue to expose organizations to risk. Adversaries actively search for over-permissive roles, publicly accessible files, and abandoned accounts to move laterally within environments.

4. Living-Off-the-Land (LotL) Techniques

Rather than introducing new malware, modern attackers often weaponize native system tools and interfaces to remain hidden. PowerShell, the Microsoft Graph API, and built-in administrative scripts are frequently used to execute malicious commands, exfiltrate data, and establish persistence, all without triggering endpoint or antivirus alerts. Both the SharePoint and Fortinet incidents demonstrated this: on SharePoint the IIS worker process w3wp.exe spawned cmd.exe and PowerShell, and on FortiWeb the attackers’ code ran as part of the appliance’s own web application, in each case operating below the radar of conventional defenses.
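The ToolShell and living-off-the-land passages above both come down to the same triage question: does the web-server log show the exploit request, and did the IIS worker process then spawn a shell? The script below is an added example written for this article, not code from the original page or from Microsoft. It uses only the publicly documented ToolShell indicators (a POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit with a Referer of /_layouts/SignOut.aspx, requests for the spinstall0.aspx web shell, and w3wp.exe spawning cmd.exe or PowerShell). The IIS log excerpt and process events are constructed samples, not real telemetry.

```python
"""Triage IIS logs and process-creation events for ToolShell (CVE-2025-53770).

Added example for this article, not code from the original page or from
Microsoft. Indicators are the publicly documented ones; all log lines and
process events below are constructed.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed W3C-format IIS log excerpt. Field order comes from the #Fields line.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 10:02:11 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\alice 10.0.5.20 Mozilla/5.0 https://sp.corp.example/sites/hr 200
2025-07-18 10:03:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 10:03:42 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-18 10:05:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.5.21 Mozilla/5.0 https://sp.corp.example/_layouts/15/settings.aspx 200
2025-07-18 10:06:15 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.9 python-requests/2.31 - 401
"""

# Constructed process-creation events in the shape of Sysmon Event ID 1 / Security 4688.
SAMPLE_PROCESS_EVENTS = [
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoP -W Hidden -enc SQBFAFgAIAAo"},  # truncated, constructed
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd.exe /c whoami"},
    {"parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "command_line": "csc.exe /noconfig /t:library"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe"},
]

@dataclass
class Finding:
    severity: str   # high / medium / info
    indicator: str
    source: str     # client IP or parent -> child process
    detail: str

TOOLPANE = "/_layouts/15/toolpane.aspx"
WEBSHELL_RE = re.compile(r"/spinstall\d*\.aspx$")
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-e(?:nc|ncodedcommand)?\b")

def parse_iis(text):
    """Yield one dict per record, keyed by the names from the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed record; in production count these rather than drop them
        yield dict(zip(fields, values))

def triage_iis(text):
    """Flag ToolShell request patterns; authenticated page edits stay informational."""
    findings = []
    for rec in parse_iis(text):
        stem = rec["cs-uri-stem"].lower()
        query = rec["cs-uri-query"].lower()
        referer = rec["cs(Referer)"].lower()
        anonymous = rec["cs-username"] == "-"
        where = f"{rec['date']} {rec['time']} {rec['cs-method']} {rec['cs-uri-stem']} status={rec['sc-status']}"
        if rec["cs-method"] == "POST" and stem == TOOLPANE and "displaymode=edit" in query:
            if referer.endswith("/_layouts/signout.aspx"):
                findings.append(Finding("high", "ToolShell request pattern (SignOut.aspx referer)", rec["c-ip"], where))
            elif anonymous:
                findings.append(Finding("medium", "unauthenticated ToolPane.aspx edit request", rec["c-ip"], where))
            else:
                # Admins editing pages hit this endpoint legitimately; keep for context only.
                findings.append(Finding("info", "authenticated ToolPane.aspx edit", rec["c-ip"], where))
        if WEBSHELL_RE.search(stem):
            findings.append(Finding("high", "known ToolShell web shell requested", rec["c-ip"], where))
    return findings

def triage_process_events(events):
    """Flag the IIS worker process spawning a shell; csc.exe under w3wp.exe is normal ASP.NET compilation."""
    findings = []
    for ev in events:
        parent = ntpath.basename(ev["parent_image"]).lower()
        child = ntpath.basename(ev["image"]).lower()
        if parent == "w3wp.exe" and child in SHELLS:
            cmd = ev["command_line"]
            detail = cmd + (" [encoded command]" if ENCODED_RE.search(cmd) else "")
            findings.append(Finding("high", "IIS worker process spawned a shell", f"{parent} -> {child}", detail))
    return findings

if __name__ == "__main__":
    for f in triage_iis(SAMPLE_IIS_LOG) + triage_process_events(SAMPLE_PROCESS_EVENTS):
        print(f"[{f.severity:6}] {f.indicator}: {f.source} | {f.detail}")
```

On a real server the inputs are the W3C logs under %SystemDrive%\inetpub\logs\LogFiles and Sysmon Event ID 1 or Security 4688 events (the latter only carry a command line if process command-line auditing is enabled). A hit on either high-severity indicator means the machine keys should be treated as stolen: patch, rotate the ASP.NET machine keys, restart IIS, and then hunt for the forged-ViewState activity that a stolen key enables.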

Large Enterprises Appear to Be Highly Successful in Defending Against These Attacks—How Do They Do It?

Despite the rise in advanced threats and zero-day exploits, Fortune 100 companies and other large enterprises, especially major financial institutions, have demonstrated remarkable resilience. Their success is not the result of relying on any single tool, but rather the implementation of a layered, strategic cybersecurity model that integrates technology, human expertise, and continuous vigilance.

In situations where it’s no longer possible to block every intruder at the perimeter, effective defense depends on a holistic approach, one that spans both cloud and on-premise environments and incorporates threat intelligence, continuous monitoring, and real-time response. These organizations have made cybersecurity a foundational element of their operations, with key practices that include:

  • 24/7 Security Operations Centers (SOC): Fortune 100 companies employ dedicated teams of analysts who monitor systems in real time, not just for known malware, but for behavioral anomalies and lateral movement.

  • Extended Detection and Response (XDR): Unlike legacy EDR, XDR gives visibility across cloud, endpoints, identity systems, and user activity, helping detect subtle attacks like those used in the SharePoint incident.

  • Proactive Threat Hunting: Skilled teams aren’t waiting for alerts, they’re actively looking for early indicators of compromise, such as unusual access patterns, anomalous login activity, or unexpected spikes in data transfer.

  • Active Response and Containment: When suspicious behavior is identified, security teams take swift action to isolate affected systems, disable compromised accounts, and contain the threat, often before the incident escalates.

  • Vulnerability Management at Scale: Critical vulnerabilities are identified and patched rapidly, and unpatchable systems are segmented or monitored through compensating controls.

These practices go far beyond traditional defenses and have proven effective at reducing both dwell time and blast radius, even when zero-days or insider threats are involved.

Why Do Cyberattacks Continue to Breach Defenses?

For mid-sized businesses and under-resourced IT teams, these advanced tactics create a perfect storm. Here’s why attackers continue to win:

  • Blind Spots in Cloud Environments: Most organizations lack centralized visibility across Microsoft 365, Google Workspace, AWS, and on-premises environments, creating fragmented security coverage and critical blind spots. Advanced attacks like the SharePoint ToolShell breach (CVE-2025-53770) thrive in these gaps: the whole intrusion shows up only in web-server and process telemetry (a single POST to ToolPane.aspx, then w3wp.exe spawning a shell), and if nobody is collecting and correlating that telemetry, perimeter and endpoint defenses never see it.

  • Alert Fatigue and Staffing Shortages: Overwhelmed teams often ignore or delay investigation into alerts, especially when there’s no clear context or correlation.

  • Misplaced Reliance on Point Solutions: Firewalls, antivirus, and EDR are not enough. Without correlation, threat intelligence platforms, and human oversight, attackers slip through unnoticed.

  • Delayed Patch Cycles: Even after vulnerabilities are disclosed, delays in patching, due to business disruption, compatibility concerns, or lack of resources, leave critical doors wide open.

  • Lack of Incident Response Preparedness: Many businesses don’t have defined plans for containment, communication, or recovery, extending the impact of breaches and increasing costs.

The Domino Effect of a Zero-Day

After a high-profile breach like the SharePoint ToolShell incident, organizations should prepare for a cascade of follow-on threats. Once a zero-day exploit becomes public knowledge, threat actors, ranging from sophisticated state-sponsored groups to low-level cybercriminals, race to replicate and weaponize the technique. Public proof-of-concept code, exploit kits, and tutorials begin circulating on underground forums, dramatically increasing the number of attackers capable of launching similar campaigns. Meanwhile, many organizations, hindered by operational backlogs or legacy systems, delay applying available patches. These lagging patch cycles provide a ripe window of opportunity for opportunistic attackers scanning the internet for vulnerable systems.

Our Innovative Approach to Solving This Problem

At Secnap, we recognized the increasing complexity and scale of cyber threats facing businesses today, and understood the need for a comprehensive cybersecurity solution that not only emulates the advanced defense strategies of Fortune 100 companies but is also affordable and scalable for organizations of all sizes. In response, we developed CloudJacket MDR, a multi-layered Managed Detection and Response solution that combines cutting-edge technology and human expertise to protect your organization from a wide range of cyber threats including malware, ransomware, data breaches, unauthorized access, and other sophisticated attacks.

CloudJacket MDR continuously monitors your network, endpoints, devices, and cloud environments, using an integrated combination of advanced technologies to identify potential threats before they become breaches. Upon detecting a threat, our team of highly-skilled security specialists investigates and takes swift action to contain and neutralize the threat, ensuring a real-time response even when new or highly sophisticated attack methods are used.

CloudJacket MDR is more than just a security tool, it is a comprehensive security platform that provides an all-encompassing, multi-layered cybersecurity solution that mirrors the robust defenses employed by Fortune 100 companies:

  • Unparalleled Visibility: CloudJacket MDR provides not only traditional endpoint detection and response (EDR) but also Extended Detection and Response (XDR) capabilities. This gives your organization a unified, comprehensive view of activity across all endpoints, networks, cloud environments, and user behavior. This visibility ensures early detection of suspicious activity, and the ability to identify and prevent potential breaches before they escalate.
  • Comprehensive Data Collection: CloudJacket MDR employs both software agents (lightweight and multi-purpose, installed on endpoints such as laptops, desktops, servers, cloud instances, and virtual machines) and agentless monitoring (for firewalls, switches, routers, etc.), to gather data from all critical sources across your infrastructure ensuring no potential threat goes unnoticed. Powered by a next-generation SIEM, it correlates billions of events in real-time to surface true threats and eliminate alert fatigue.
  • Advanced Threat Detection: Utilizing cutting-edge threat intelligence engines and machine learning, CloudJacket MDR identifies and neutralizes even the most sophisticated cyberattacks. Its eXtended Intelligence engine analyzes network traffic, user behavior, and activity across both endpoint and cloud environments to detect anomalies and uncover potential threats. By analyzing millions of data points daily, CloudJacket MDR effectively distinguishes real threats from noise, presenting these threats to our U.S.-based Security Operations Center (SOC) analysts for final analysis via our proprietary SOC dashboard.
  • Proactive Threat Hunting: Unlike passive systems that only react to alerts, CloudJacket MDR includes proactive threat-hunting, where our team of experts actively searches for vulnerabilities and potential attack vectors before they can be exploited, significantly reducing the likelihood of successful cyberattacks.
  • Compliance Management: Today most industries are subject to a myriad of complex compliance regulations. CloudJacket simplifies compliance by providing automated reporting and documentation, ensuring your organization remains compliant with relevant regulations.
  • Eliminating Alert Fatigue—24/7/365 SOC: CloudJacket MDR is backed by a dedicated Security Operations Center (SOC) that operates 24/7/365. Our highly trained security professionals monitor your environment around the clock, providing real-time threat detection, investigation, and response. This helps eliminate the burden of sifting through hundreds or even thousands of alerts, which would otherwise overwhelm your IT staff. With CloudJacket MDR, you gain access to a team of experts who can effectively respond to any security incident, ensuring your organization is always protected.

With CloudJacket MDR, you gain an unparalleled blend of protection, detection, and response capabilities, all bundled into one powerful package. CloudJacket MDR provides state-of-the-art protection against malware, ransomware, data breaches, unauthorized access, and other sophisticated attack vectors. But more than that, our solution offers peace of mind, allowing you to focus on what matters most—achieving your strategic goals with confidence that your critical systems and data are protected around the clock.

Explore CloudJacket MDR and learn more about how it can safeguard your organization: https://www.secnap.com/cloudjacket

Don’t Let Visibility Gaps Be Your Weakness

Cyber threats are becoming increasingly sophisticated—faster, stealthier, and more intelligent than ever before. Traditional defenses can’t keep pace. The solution isn’t piling on more disconnected tools; it’s achieving deeper visibility, richer context, and the ability to respond with speed and precision.

CloudJacket MDR brings the same multi-layered defense strategy used by the world’s most secure enterprises, designed and priced for businesses of all sizes.

Start protecting your business now, before a breach exposes the gaps.

Call (844) 638-7328 or visit our website: www.secnap.com
