TL;DR:
- A patch is now available—apply it urgently.
- Eye Security and WatchTowr provided early visibility into exploitation.
- Threat actor used new infrastructure; attribution remains unclear.
- Use threat hunting queries and IOCs in the appendix to check for exposure.
What Happened?
Microsoft raised the alarm on CVE-2025-53770, a critical vulnerability actively exploited in on-premises SharePoint servers. Importantly, SharePoint Online in Microsoft 365 remains unaffected—your cloud-based collaboration is safe (at least from this one!). Attackers leveraged a chain of vulnerabilities to execute remote commands without authentication—essentially busting through your digital front door without even knocking.
Why Did It Happen?
Because SharePoint let them. More specifically, attackers exploited unauthenticated access flaws in SharePoint Server 2016 and 2019 (CVE-2025-49704 & CVE-2025-49706), allowing them to drop webshells and snatch machine keys.
Why Did It Happen That Way?
Attackers went after SharePoint’s public-facing attack surface, exploiting configuration drift, delayed patching, and weak segmentation. Some orgs had their SharePoint exposed to the internet like a neon sign flashing: “Free Admin Access, No Login Required!”
Who Did It?
There is no confirmed attribution. The infrastructure used appears newly stood up. The early IPs observed—107.191.58[.]76 and 104.238.159[.]149—are registered to Constant Company LLC, a provider linked to Vultr and known for hosting VPN/proxy services, including Oculus.
There was also no notable chatter in underground forums, suggesting a tightly held exploit—classic zero-day behavior. This wasn’t someone guessing passwords or phishing interns—this was precision.
Possible Motivation
Why SharePoint? Because it’s often full of juicy internal documents, sensitive communications, and sometimes even forgotten credentials. For espionage-motivated actors, it’s an ideal entry point into a broader network. For financially motivated groups, SharePoint can serve as a springboard for ransomware deployment or extortion tactics. Gaining access to a collaboration system means gaining context—and that’s power.
Real-World Impact & Case Studies
Eye Security reported telemetry from more than 8,000 public-facing SharePoint instances, flagging widespread exposure. WatchTowr followed with in-depth technical analyses. If your org is running exposed, unpatched SharePoint, you’re rolling dice in a thunderstorm.
Preventive Measures:
- Apply Microsoft’s latest security patch.
- Ensure AMSI integration is enabled (added by default from Sept 2023).
- Deploy Defender AV and/or Defender for Endpoint.
- Audit external SharePoint exposure via Shodan/FOFA.
- Monitor PowerShell activity and webshell patterns.
- Rotate compromised machine keys if signs of exploitation are present.
Microsoft’s Updated Protective Measures
Microsoft recommends:
- Enabling AMSI (via the Sept 2023 or 23H2 updates).
- Running Defender Antivirus for detections such as:
  - Exploit:Script/SuspSignoutReq.A
  - Trojan:Win32/HijackSharePointServer.A
- Using Defender for Endpoint for alerts like:
  - Possible exploitation of SharePoint server vulnerabilities
  - Suspicious IIS worker behavior
  - Blocked Sharpyshell or spinstall0.aspx activity
MITRE ATT&CK Framework Mapping:
| Tactic | Technique ID | Description |
|---|---|---|
| Initial Access | T1190 | Exploit Public-Facing Application |
| Execution | T1059.001 | PowerShell |
| Persistence | T1556 | Modify Authentication Process |
References & Further Reading:
Appendix: IOCs, Patterns & Threat Hunting Queries
| Indicator Type | Value |
|---|---|
| IP Address | 107.191.58[.]76 – First wave, July 18, 18:06 CET (low-confidence infrastructure tie to Oculus via Constant Company LLC) |
| IP Address | 104.238.159[.]149 – Second wave, July 19, 07:28 CET (same registration, low confidence) |
| User-Agent | Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0 |
| Encoded UA | Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 |
| Exploit Path | /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx |
| Referer | _layouts/SignOut.aspx |
| GET Path | /layouts/15/spinstall0.aspx |
| SHA256 | 92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514 |
| File Path | C:\PROGRA~1\COMMON~1\MICROS~1\WEBSER~1\16\TEMPLATE\LAYOUTS\spinstall0.aspx |
KQL (Microsoft Defender):
DeviceFileEvents
| where FolderPath has "MICROS~1\\WEBSER~1\\16\\TEMPLATE\\LAYOUTS"
| where FileName =~ "spinstall0.aspx" or FileName has "spinstall0"
| project Timestamp, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, FileName, FolderPath, ReportId, ActionType, SHA256
| order by Timestamp desc
Elastic (EQL):
file where file.name : "spinstall0.aspx" and file.path : "*\\TEMPLATE\\LAYOUTS\\*"
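The KQL and EQL queries above only cover the endpoint side (the dropped file). Not every SharePoint farm has Defender for Endpoint, but every one of them has IIS logs, so here is an added Python example (not code from the original post, nor from Microsoft, Eye Security or watchTowr) that applies the same appendix indicators to IIS W3C log lines and to the LAYOUTS folder. It assumes the default IIS W3C field order (date, time, s-ip, cs-method, cs-uri-stem, cs-uri-query, s-port, cs-username, c-ip, cs(User-Agent), cs(Referer), sc-status); check the `#Fields:` header of your own logs before trusting the column positions. The log lines and the placeholder file it scans are constructed for the demo.

```python
"""Apply the appendix indicators to IIS logs and to the LAYOUTS folder.

Added example for this post, not code from the original article or from
Microsoft, Eye Security or watchTowr. The assumed IIS W3C field order is the
default one; compare it with the #Fields: directive in your own log files.
"""
import hashlib
import os
import shutil
import tempfile
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicators as listed in the appendix of the post.
EXPLOIT_QUERY = "DisplayMode=Edit&a=/ToolPane.aspx"
SIGNOUT_REFERER = "_layouts/SignOut.aspx"
WEBSHELL_NAME = "spinstall0.aspx"
WEBSHELL_SHA256 = "92bb4ddb98eeaf11fc15bb32e71d0a63256a0ed826a03ba293ce3a8bf057a514"
KNOWN_IPS = {"107.191.58.76", "104.238.159.149"}  # low-confidence infra ties

# Assumed default IIS W3C field order (see module docstring).
IIS_FIELDS = ["date", "time", "s_ip", "method", "uri_stem", "uri_query",
              "s_port", "username", "c_ip", "user_agent", "referer", "status"]


@dataclass
class Hit:
    reason: str
    client_ip: str
    line: str


def parse_iis_line(line: str) -> Optional[dict]:
    """Split one W3C line into named fields; directives and short lines give None."""
    if not line or line.startswith("#"):
        return None
    parts = line.split(" ")  # IIS encodes spaces inside fields as '+'
    if len(parts) < len(IIS_FIELDS):
        return None
    return dict(zip(IIS_FIELDS, parts))


def hunt_iis_log(lines: Iterable[str]) -> List[Hit]:
    """Flag the request pattern from the appendix, most specific match first."""
    hits: List[Hit] = []
    for raw in lines:
        rec = parse_iis_line(raw.strip())
        if rec is None:
            continue
        stem = rec["uri_stem"].lower()
        if (rec["method"] == "POST" and stem.endswith("/toolpane.aspx")
                and EXPLOIT_QUERY.lower() in rec["uri_query"].lower()
                and SIGNOUT_REFERER.lower() in rec["referer"].lower()):
            # ToolPane.aspx in Edit mode with the SignOut.aspx referer is the
            # unauthenticated request shape the appendix lists.
            hits.append(Hit("toolpane-signout-bypass", rec["c_ip"], raw))
        elif WEBSHELL_NAME in stem:
            # Any request for the dropped file, whatever the source address.
            hits.append(Hit("webshell-request", rec["c_ip"], raw))
        elif rec["c_ip"] in KNOWN_IPS:
            hits.append(Hit("known-ip", rec["c_ip"], raw))
    return hits


def scan_layouts(layouts_dir: str) -> List[dict]:
    """List files named like the web shell and compare each hash to the IoC."""
    findings = []
    for name in sorted(os.listdir(layouts_dir)):
        if "spinstall0" not in name.lower():
            continue
        path = os.path.join(layouts_dir, name)
        with open(path, "rb") as fh:
            digest = hashlib.sha256(fh.read()).hexdigest()
        findings.append({"path": path, "sha256": digest,
                         "matches_known_sample": digest == WEBSHELL_SHA256})
    return findings


# Constructed sample log: a benign request, the two-stage pattern from the
# first-wave IP, then another benign request.
SAMPLE_LOG = """#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 16:06:11 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\jdoe 10.0.4.22 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/126.0 https://sp.example.internal/sites/hr 200
2025-07-18 16:06:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 https://sp.example.internal/_layouts/SignOut.aspx 200
2025-07-18 16:07:02 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 107.191.58.76 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64;+rv:120.0)+Gecko/20100101+Firefox/120.0 - 200
2025-07-18 16:09:30 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\asmith 10.0.4.31 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+Chrome/126.0 - 200
""".splitlines()


def demo_layouts_scan() -> List[dict]:
    """Scan a throwaway directory holding a harmless placeholder that only
    shares the web shell's file name (constructed data, not the real sample)."""
    tmp = tempfile.mkdtemp()
    try:
        with open(os.path.join(tmp, "spinstall0.aspx"), "wb") as fh:
            fh.write(b"<%-- placeholder for the demo, not a web shell --%>")
        with open(os.path.join(tmp, "default.aspx"), "wb") as fh:
            fh.write(b"<%@ Page %>")
        return scan_layouts(tmp)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    for hit in hunt_iis_log(SAMPLE_LOG):
        print(f"{hit.reason:24} {hit.client_ip:16} {hit.line[:60]}")
    for finding in demo_layouts_scan():
        print(finding)
```

On a real server, feed `hunt_iis_log` the lines of `C:\inetpub\logs\LogFiles\W3SVC*\*.log` and point `scan_layouts` at the LAYOUTS path from the IoC table. A name match with a non-matching hash is still worth a look: the appendix hash covers one sample, and a renamed or edited shell will not share it, which is why the file-name check and the request-pattern check are kept independent.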
Additional Shodan Queries for Attack Surface:
http.favicon.hash:-1212451249 "Microsoft SharePoint"
http.title:"Outlook Web App" port:"443" org:"<OrgName>"
“Automate the boring stuff before attackers automate your headaches.”