Unraveling the SharePoint Vulnerability: Deep Dive into Persistence, Detection Techniques, and Key Learnings
In recent months, cyber attackers have been targeting SharePoint servers using sophisticated techniques to establish persistent access and extract sensitive data. This news article will delve into the tactics, detections, and mitigation strategies employed in the ongoing ToolShell campaign.
Case Studies
Asian Telecommunications Provider
On July 17, attackers exploited the vulnerabilities CVE-2025-53770 and CVE-2025-53771 on Microsoft SharePoint Servers, using in-memory .NET execution to avoid disk-based artifacts. Initial access was followed by the modification of registry keys to execute a reflective DLL at startup, establishing a persistent foothold within the system.
U.S. Energy Sector Firm
The initial entry occurred on July 18, 2025, from IP address [redacted], followed by lateral movement to a domain controller via stolen SharePoint service account credentials. Despite the application of Microsoft's emergency patches on July 19, attackers regained access 48 hours later due to stolen MachineKey, highlighting the need for immediate countermeasures.
European University
On July 19, attackers exploited CVE-2025-53770, dropping a modified PowerShell payload with AMSI-disabling logic. A scheduled task was then created to execute this payload every 30 minutes, maintaining Command and Control (C2) communication.
Persistence Mechanisms
The main persistence mechanism in the ToolShell campaign involves the creation of malicious ASPX web shells. These web shells are uploaded via crafted HTTP requests, exploiting vulnerabilities and bypassing authentication. Once uploaded, they remain accessible on the server, allowing for further command execution.
Attackers also exploit SharePoint's ViewState and authentication flaws to forge ViewState payloads, bypassing authentication and session validation. This stealthy persistence method enables them to maintain access without re-exploiting the vulnerabilities.
Detection Strategies
To detect ToolShell campaign activities, security teams should monitor for suspicious HTTP requests with spoofed Referer headers targeting vulnerable endpoints. They should also scan for anomalous or unknown .aspx files in SharePoint directories, especially newly created or modified web shell files like spinstall0.aspx.
Endpoint detection tools such as Microsoft Defender for Endpoint can be used to identify malicious behaviors or payloads linked to these exploits. Additionally, hunting for unusual cryptographic key usage or unexpected modification of __VIEWSTATE tokens and SharePoint server ASP.NET machine keys can help uncover ToolShell activity.
Mitigation Measures
To effectively mitigate ToolShell threats, it is crucial to apply the latest Microsoft security patches for SharePoint Server. These patches were released on July 19 for SharePoint Server 2019 and Subscription Edition, followed by SharePoint 2016 on July 22. However, end-of-life versions (SharePoint 2010 and 2013) remain vulnerable with no patches available.
Rotating SharePoint Server ASP.NET machine keys is another essential measure to prevent attackers from forging ViewState payloads. Ensuring Antimalware Scan Interface (AMSI) is enabled and configured properly with antivirus solutions can also help detect and block malicious script execution.
Limiting internet exposure of SharePoint servers, enforcing strong network segmentation, and access controls can further reduce the exploitation risk, as about 6% of self-hosted SharePoint instances are internet-facing.
Finally, continuous threat hunting using Indicators of Compromise (IoCs) shared in threat intelligence reports specific to the ToolShell exploit chain targeting SharePoint can help security teams stay ahead of this evolving threat.
In summary, the ToolShell campaign poses a significant threat to SharePoint servers, exploiting authentication bypass flaws and ViewState to establish persistent access. Detection relies on monitoring for abuse of key endpoints and file anomalies, while immediate patching, key rotation, and endpoint protection are critical to mitigating these threats effectively.
- The ToolShell campaign employs malicious ASPX web shells as its primary persistence mechanism, uploading them via crafted HTTP requests to bypass authentication and remain accessible.
- In the Asian Telecommunications Provider case, attackers exploited CVE-2025-53770 and CVE-2025-53771 to establish a persistent foothold within the system.
- European universities can be targeted by the ToolShell campaign as well, with attackers exploiting CVE-2025-53770 and dropping a modified PowerShell payload for continuous Command and Control communication.
- Safety measures in the technology industry need to include the application of the latest Microsoft security patches for SharePoint Server, particularly for SharePoint Server 2019, Subscription Edition, and 2016.
- The U.S. energy sector has been under threat from the ToolShell campaign, with attackers regaining access 48 hours after the application of emergency patches due to stolen MachineKey.
- In the realm of education-and-self-development, students and practitioners should be aware of the ToolShell campaign's tactics and the importance of regularly updating their systems to prevent their SharePoint servers from being exploited.
- Threat hunters can utilize Indicators of Compromise (IoCs) shared in threat intelligence reports specific to the ToolShell exploit chain targeting SharePoint to stay ahead of this evolving threat.
- The financial industry should prioritize the implementation of endpoint detection tools such as Microsoft Defender for Endpoint to identify malicious behaviors or payloads linked to these exploits.
- In the sports sector, it is vital to implement strong network segmentation and access controls to further reduce the risk of SharePoint server exploitation, as about 6% of self-hosted SharePoint instances are internet-facing.
