Critical Exploitation of Microsoft SharePoint Zero-Day Vulnerabilities Escalates Globally
Threat actors have been actively exploiting newly disclosed zero-day vulnerabilities in on-premises Microsoft SharePoint Server since early July 2025, targeting government, telecommunications, and technology organizations across North America and Western Europe. The campaigns have intensified in pace and sophistication, moving from initial unauthorized access to the deployment of webshells and, in some incidents, ransomware. Microsoft and national cyber-security agencies have published urgent guidance and updated detection measures to help organizations mitigate the threat.
Technical Details of the Exploitation Chain
The exploitation chains two critical vulnerabilities:
- CVE-2025-49706: a spoofing vulnerability in SharePoint's authentication handling. In practice it is an authentication bypass: a crafted unauthenticated request is treated as though it came from a signed-in user, so the attacker reaches server pages that should require authentication.
- CVE-2025-49704: a code-injection vulnerability reachable through those pages, which lets the attacker execute arbitrary code on the server once the bypass has succeeded.
This chained attack, referred to as "ToolShell", gives attackers broad control of affected on-premises SharePoint instances; SharePoint Online in Microsoft 365 is not affected. Successful exploitation allows unauthorized retrieval of SharePoint content, exfiltration of files, manipulation of internal configuration, and persistent administrative-level access.
Observed Tactics, Techniques, and Procedures
Security researchers have tracked exploitation attempts originating from three distinct IP addresses. At least one of them had previously been linked to malware operations targeting enterprise mobility management infrastructure, indicating an actor that reuses infrastructure across campaigns against Internet-facing enterprise systems.
Attackers have been observed:
- Planting custom .aspx webshells, together with .exe and .dll payloads, for remote access and persistence. In the observed wave the webshell was used to read the server's ASP.NET machine keys; with those keys an attacker can forge signed ViewState payloads and regain code execution even after the server has been patched.
- Deploying ransomware payloads post-compromise, indicating monetization as a final objective in some incidents.
- Rapidly adapting exploit tactics in response to newly published mitigations and security tool signatures.
The initial attack wave began around July 7 and escalated sharply on July 18–19; campaigns were still ongoing as of July 24.
At-Risk Sectors and Recommended Actions
Most incidents to date have targeted high-value organizations in:
- Government (including major Western governments)
- Telecommunications providers
- Technology infrastructure operators
Organizations running on-premises SharePoint deployments are at elevated risk, especially where the server is reachable from the Internet.
Security authorities urge immediate action:
- Apply Microsoft's latest SharePoint security updates (the initial July fixes were bypassed and superseded by later updates, so confirm the server is on the current update rather than the first July patch), then rotate the ASP.NET machine keys and restart IIS: keys stolen before patching let an attacker forge ViewState payloads against an otherwise patched server.
- Enable AMSI integration with an up-to-date antimalware engine on SharePoint servers, restrict remote administrative access, and take Internet-facing servers that cannot be patched offline until they can be.
- Scan the SharePoint LAYOUTS directories and web roots for newly created .aspx files or other unexpected file modifications, and review IIS logs for unauthenticated POST requests to ToolPane.aspx.
- Monitor for indicators of credential theft and lateral movement following initial exploitation.
Continued vigilance is recommended, as attacker techniques and payloads are evolving rapidly in response to defensive measures.
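The two checks recommended above, written out as an added example (this is not code from the page, from Microsoft, or from any of the researchers who reported the campaign). It assumes the standard IIS W3C log layout with a "#Fields:" header, the ToolShell request shape that was published in vendor and researcher reporting (a POST to ToolPane.aspx whose Referer is the SignOut page), and the SharePoint hive path convention in which layout pages live under a LAYOUTS directory; the log lines and file list are constructed for illustration.

```python
import os
import re

# Constructed IIS W3C log excerpt for illustration (not real traffic). IIS emits a
# "#Fields:" header naming the columns, and the parser keys on that header.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-18 22:10:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\jdoe 10.0.1.20 Mozilla/5.0 https://sp.example.local/ 200
2025-07-18 22:10:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-18 22:10:15 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\spadmin 10.0.1.21 Mozilla/5.0 https://sp.example.local/_layouts/15/settings.aspx 200
2025-07-18 22:10:30 10.0.0.5 GET /_layouts/15/start.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 401
"""


def parse_iis_log(text):
    """Parse a W3C-format IIS log into a list of dicts keyed by the #Fields header."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip():
            continue
        else:
            parts = line.split(" ")
            if fields and len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows


def is_toolshell_request(row):
    """Match the published ToolShell request shape: a POST to ToolPane.aspx whose
    Referer is the SignOut page. A POST from an authenticated editor to the same
    page with an ordinary Referer is legitimate SharePoint traffic and is not flagged."""
    method = row.get("cs-method", "").upper()
    stem = row.get("cs-uri-stem", "").lower()
    referer = row.get("cs(Referer)", "").lower()
    return method == "POST" and stem.endswith("/toolpane.aspx") and "signout.aspx" in referer


def find_toolshell_hits(log_text):
    """Return the parsed log rows that look like ToolShell exploitation attempts."""
    return [r for r in parse_iis_log(log_text) if is_toolshell_request(r)]


def is_layouts_aspx(path):
    """True for .aspx files under a LAYOUTS directory, where the ToolShell webshells
    were dropped, regardless of Windows or POSIX path separators."""
    parts = [p.lower() for p in re.split(r"[\\/]", path)]
    return parts[-1].endswith(".aspx") and "layouts" in parts


def flag_new_layouts_aspx(entries, newer_than_epoch):
    """entries: iterable of (path, mtime_epoch_seconds). Returns the .aspx files under
    LAYOUTS modified after the cutoff, for example the date of the last legitimate deployment."""
    return sorted(path for path, mtime in entries
                  if is_layouts_aspx(path) and mtime > newer_than_epoch)


def walk_entries(root):
    """Yield (path, mtime) pairs from disk so flag_new_layouts_aspx can run on a live server."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                yield full, os.path.getmtime(full)
            except OSError:
                continue


if __name__ == "__main__":
    for hit in find_toolshell_hits(SAMPLE_LOG):
        print("ToolShell-shaped request from", hit["c-ip"], "at", hit["date"], hit["time"])
    # On a real server, point walk_entries at the hive, e.g. (SharePoint 2016/2019/SE):
    #   C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS
    # and pass the epoch time of the last legitimate deployment as the cutoff.
```

The Referer check is what separates exploitation from normal editing: authenticated users post to ToolPane.aspx routinely, but never with the sign-out page as the referrer and never anonymously. Treat any file returned by the LAYOUTS scan as hostile until its origin is confirmed, and remember that finding the webshell means the machine keys must be rotated, not just the file deleted.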
Threat Actor Campaign Targets End-of-Life SonicWall SMA 100 Appliances with Backdoor and Bootkit Attacks
A sophisticated cybercriminal campaign has been observed targeting end-of-life SonicWall SMA 100 series remote-access appliances. The threat actor gains persistent access to the devices, implants a backdoor for continued remote control, and modifies the appliance's boot process so that the implant survives reboots. The campaign presents a severe risk to organizations still operating this unsupported equipment.
Technical Execution of the Attack
Researchers report that adversaries are chaining several vulnerabilities, some long known and left unpatched because of the device's end-of-life status, to breach SMA 100 appliances. After initial access, attackers:
- Modify the device's firmware and boot sequence, installing a bootkit-style implant that is re-established on every boot and therefore survives reboots and ordinary resets.
- Deploy a backdoor for command-and-control (C2) operations, enabling data exfiltration, theft of credentials and certificates held on the appliance, lateral movement, and future malware delivery.
- Evade detection by design: the appliance is a closed platform that cannot run endpoint agents, and without vendor support it receives no signature or firmware updates that would expose the implant.
Implications and Risk Profile
The continued use of unsupported remote-access hardware greatly increases exposure to both commodity and targeted attacks. Because the implant is tied into the boot process rather than living in an ordinary user-space file, a compromise may not be reversible by standard reimaging or patching, and a device that has been reset may still be compromised. This enables ongoing surveillance, interception of the VPN and remote-desktop sessions the appliance brokers, and staging of further attacks against enterprise infrastructure.
The campaign has affected sectors ranging from small businesses to critical infrastructure operators, where legacy appliances are frequently still deployed due to cost or operational considerations.
Defensive Measures and Recommendations
Security professionals strongly advise:
- Immediate decommissioning and replacement of all end-of-life SMA 100 appliances with vendor-supported alternatives.
- Forensic inspection of legacy devices for backdoors or unexpected firmware changes before disposal; acquire a disk or firmware image first rather than rebooting or factory-resetting the device, which can destroy evidence.
- Rotation of every credential, certificate and one-time-password seed stored on or used through the appliance, on the assumption that the attacker has harvested them.
- Network segmentation to limit the blast radius of a compromised edge device, including restricting what the appliance can reach on the internal network.
- Enhanced monitoring of outbound connections from remote-access infrastructure: a VPN appliance normally initiates very little traffic of its own, so any new destination it starts contacting is suspect.
Organizations should regard continued use of unsupported devices as a critical vulnerability in their attack surface.
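The outbound-connection monitoring recommended above, as an added example (not code from the page, from SonicWall, or from the researchers who reported the campaign). It learns which destinations an edge appliance normally contacts during a baseline window, flags any new destination and port afterwards, and tags the new destination as periodic when the connection intervals are nearly constant, which is the classic C2 beaconing signature. The flow records, the appliance address and the seven-day baseline are constructed assumptions; a real deployment would feed it NetFlow or firewall logs.

```python
import statistics
from collections import defaultdict

# Constructed NetFlow-style records (not real traffic): (epoch_seconds, src_ip, dst_ip, dst_port, bytes_out).
SAMPLE_FLOWS = [
    # Baseline week: the appliance only talks to its update host and the internal RADIUS server.
    (0,      "192.0.2.10", "198.51.100.5", 443,  4096),
    (86400,  "192.0.2.10", "198.51.100.5", 443,  4096),
    (90000,  "192.0.2.10", "10.0.0.20",    1812, 300),
    (172800, "192.0.2.10", "198.51.100.5", 443,  4096),
    # Detection window: a new destination contacted every ten minutes with small payloads.
    (700000, "192.0.2.10", "203.0.113.45", 443, 512),
    (700600, "192.0.2.10", "203.0.113.45", 443, 530),
    (701200, "192.0.2.10", "203.0.113.45", 443, 498),
    (701800, "192.0.2.10", "203.0.113.45", 443, 515),
    # A workstation hitting the same IP is not an edge device, so it is out of scope here.
    (701900, "10.0.1.50",  "203.0.113.45", 443, 9000),
    # The baseline destination continues as before and raises nothing.
    (702000, "192.0.2.10", "198.51.100.5", 443, 4096),
]

EDGE_DEVICES = {"192.0.2.10"}   # assumption: the SMA appliance's outbound address
BASELINE_END = 7 * 86400        # assumption: the first seven days train the baseline


def build_baseline(flows, edge_ips, baseline_end):
    """Per edge device, the set of (dst, port) pairs seen before baseline_end."""
    baseline = defaultdict(set)
    for t, src, dst, port, _ in flows:
        if src in edge_ips and t < baseline_end:
            baseline[src].add((dst, port))
    return baseline


def is_periodic(times, max_cv=0.2):
    """Beaconing heuristic: three or more connections whose inter-arrival times have a
    coefficient of variation at or below max_cv (near-constant spacing)."""
    if len(times) < 3:
        return False
    ordered = sorted(times)
    gaps = [b - a for a, b in zip(ordered, ordered[1:])]
    mean = statistics.mean(gaps)
    if mean == 0:
        return False
    return statistics.pstdev(gaps) / mean <= max_cv


def find_new_destinations(flows, edge_ips=EDGE_DEVICES, baseline_end=BASELINE_END):
    """Alert on every (edge device, dst, port) first seen after the baseline window,
    with the connection count, total bytes and whether the timing looks like a beacon."""
    baseline = build_baseline(flows, edge_ips, baseline_end)
    new_flows = defaultdict(list)
    for t, src, dst, port, nbytes in flows:
        if src in edge_ips and t >= baseline_end and (dst, port) not in baseline[src]:
            new_flows[(src, dst, port)].append((t, nbytes))
    alerts = []
    for (src, dst, port), records in sorted(new_flows.items()):
        times = [t for t, _ in records]
        alerts.append({
            "src": src, "dst": dst, "port": port,
            "count": len(records),
            "bytes_out": sum(n for _, n in records),
            "periodic": is_periodic(times),
        })
    return alerts


if __name__ == "__main__":
    for alert in find_new_destinations(SAMPLE_FLOWS):
        print(alert)
```

The baseline must be built from a period you trust; if the appliance was already backdoored when the baseline was learned, the C2 destination becomes "normal" and is never flagged. For an end-of-life device that cannot be verified clean, the safer rule is to alert on every destination the appliance initiates to that is not on an explicit allowlist.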
Belk Data Breach and the Rise of Retail-Focused Cybercrime Groups
The North Carolina-based department-store chain Belk suffered a significant data breach for which the cybercriminal group DragonForce later claimed responsibility. The incident is part of a wider trend of aggressive campaigns against retail and e-commerce organizations in the U.K. and U.S., and it highlights the expanding ambitions and technical sophistication of these groups as they pursue several monetization paths for stolen retailer and customer data.
Attack Overview and Methods
DragonForce, previously linked to the 2025 attacks on U.K. retailers, reportedly exfiltrated internal datasets from Belk that may include customer and payment information. The group's reported techniques include exploiting vulnerable Internet-facing applications and pivoting through internal systems to locate high-value data stores.
Technical Analysis of the Attack
Indicators suggest the attackers employed a blend of:
- Exploitation of web application vulnerabilities for initial access
- Credential harvesting and internal privilege escalation
- Automated data exfiltration to offshore infrastructure
Although the full technical details have not been publicly disclosed, attack patterns are consistent with broader emerging threats in the retail sector, including targeting of point-of-sale (POS) systems and backend e-commerce servers.
Wider Impact and Mitigations
This breach is indicative of retail’s continuing attractiveness to organized cybercriminals due to the concentration of financial and personal records.
- Retailers should prioritize finding and fixing exposed web-application weaknesses through regular penetration testing and attack-surface management.
- Implementation of strong multi-factor authentication (MFA) and network segmentation remains essential for reducing attack impact.
- Ongoing staff training and secure development lifecycle practices are crucial defenses against these evolving campaigns.
Scattered Spider’s Expanding Tactics: From Retailers to Airlines and Beyond
The cybercrime collective known as Scattered Spider has shifted its attack strategies, expanding beyond its traditional retail and insurance targets to new sectors, including airlines and critical infrastructure. Microsoft and other security analysts have observed a change in both the group's targeting profile and its arsenal, which increasingly combines social engineering with targeted technical exploitation.
Evolving Technical Tactics
Scattered Spider’s activities now feature:
- Multi-stage phishing and social engineering, including impersonating employees to IT help desks to obtain password and multi-factor authentication (MFA) resets, to compromise both user credentials and IT administrative access.
- Adoption of living-off-the-land (LOTL) techniques, using built-in system tools and legitimate remote management systems to evade security controls and blend into normal network activity.
- Combining credential theft with targeted exploitation of infrastructure, such as VPN endpoints and cloud identity management systems.
The group’s playbook demonstrates an advanced understanding of enterprise defenses, relying less on commodity malware and more on highly tailored access and reconnaissance.
Sectoral Impact and Defensive Posture
The pivot to airline and large-scale industrial targets marks an escalation in Scattered Spider’s ambitions and potential for operational disruption, signaling a wider trend of organized cybercrime targeting sectors with mission-critical services and sensitive consumer data.
Organizations are encouraged to:
- Implement robust identity verification for help-desk workflows such as password and MFA resets, and adaptive authentication for all sensitive administrative actions.
- Continuously monitor user and entity behavior analytics (UEBA) for early signs of account misuse or privilege escalation, such as a newly registered MFA method followed by sign-ins from unfamiliar infrastructure.
- Enhance incident response playbooks to address evolving, low-and-slow intrusion tactics used by modern cybercrime groups.
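The UEBA check described above, as an added example (not code from the page, from Microsoft, or from any vendor's product): it correlates a help-desk MFA reset with a new MFA method registration and a subsequent sign-in from an autonomous system the user has never signed in from, all within a fixed window, which is the sequence a help-desk takeover produces. The event schema, field names, one-hour window and sample events are constructed assumptions, not a particular identity provider's log format.

```python
from collections import defaultdict

WINDOW_SECONDS = 60 * 60  # assumption: reset, new method and sign-in within one hour

# Constructed identity-audit events (not real logs); "t" is epoch seconds and the
# field names are assumptions rather than any vendor's schema.
SAMPLE_EVENTS = [
    {"t": 1000, "user": "jdoe",   "event": "signin", "asn": 64500},
    {"t": 2000, "user": "admin1", "event": "signin", "asn": 64500},
    {"t": 3000, "user": "admin1", "event": "signin", "asn": 64501},
    # admin1: help desk resets MFA, a new authenticator is enrolled, then a sign-in from an unseen ASN.
    {"t": 5000, "user": "admin1", "event": "helpdesk_mfa_reset", "actor": "helpdesk-bob"},
    {"t": 5300, "user": "admin1", "event": "mfa_method_registered", "method": "authenticator_app"},
    {"t": 5600, "user": "admin1", "event": "signin", "asn": 64999},
    # jdoe: the same sequence, but the sign-in comes from the usual ASN, so it reads as a genuine reset.
    {"t": 7000, "user": "jdoe",   "event": "helpdesk_mfa_reset", "actor": "helpdesk-amy"},
    {"t": 7400, "user": "jdoe",   "event": "mfa_method_registered", "method": "authenticator_app"},
    {"t": 7900, "user": "jdoe",   "event": "signin", "asn": 64500},
    # admin1 again: a reset with no new method, and the next sign-in is outside the window.
    {"t": 9000, "user": "admin1", "event": "helpdesk_mfa_reset", "actor": "helpdesk-bob"},
    {"t": 9000 + 2 * WINDOW_SECONDS, "user": "admin1", "event": "signin", "asn": 65000},
]


def baseline_asns(user_events, before_t):
    """ASNs the user signed in from before the reset: the behavioural baseline."""
    return {e["asn"] for e in user_events if e["event"] == "signin" and e["t"] < before_t}


def detect_mfa_reset_takeover(events, window=WINDOW_SECONDS):
    """Flag help-desk MFA resets that are followed, within `window` seconds, by a new
    MFA method registration and then a sign-in from an ASN the user never used before."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["t"]):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, reset in enumerate(evs):
            if reset["event"] != "helpdesk_mfa_reset":
                continue
            known = baseline_asns(evs, reset["t"])
            new_method = None
            for e in evs[i + 1:]:
                if e["t"] - reset["t"] > window:
                    break  # the rest of this user's events are outside the window
                if e["event"] == "mfa_method_registered":
                    new_method = e["method"]
                elif e["event"] == "signin" and new_method and e["asn"] not in known:
                    alerts.append({
                        "user": user,
                        "reset_by": reset["actor"],
                        "reset_at": reset["t"],
                        "new_method": new_method,
                        "signin_asn": e["asn"],
                        "known_asns": sorted(known),
                    })
                    break
    return alerts


if __name__ == "__main__":
    for alert in detect_mfa_reset_takeover(SAMPLE_EVENTS):
        print(alert)
```

The rule deliberately requires all three steps: a reset alone is routine help-desk work, and a sign-in from a new network alone is a travelling user. What makes the sequence worth an immediate call-back to the employee is the new authenticator enrolled minutes after a reset and then used from infrastructure the account has never touched. The alert records which help-desk actor performed the reset so the verification step that was skipped can be traced.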
AI-Powered Cyberattacks Accelerate as CISOs Prioritize AI Security Risks
Chief Information Security Officers (CISOs) are increasingly prioritizing defenses against AI-driven attacks as threat actors integrate artificial intelligence into offensive operations. A recent industry report finds a marked increase in incidents involving AI-powered phishing, malware generation, and security-bypass techniques. At the same time, CISOs see promise in AI-driven defense, though concerns remain about the dependability and explainability of automated security agents.
Trends in AI-Driven Attacks
The adoption of artificial intelligence by attackers includes:
- Use of generative AI for crafting highly realistic spear-phishing emails that bypass traditional detection.
- Automated vulnerability discovery and exploit generation, accelerating the identification and weaponization of zero-day vulnerabilities.
- Development of AI-powered evasion techniques, such as dynamic code mutation and context-sensitive payload delivery that adapts in real time to security environments.
Enterprise Response and Defensive Challenges
In response, CISOs are pushing for:
- Integration of AI-driven detection and response systems capable of scaling with adversarial AI advancements.
- Continuous validation and risk assessment of AI-powered agents for flaws or unintended behaviors that could expose new attack vectors.
- Increased collaboration with AI and machine learning teams to embed security by design in all enterprise automation projects.
Despite these measures, concerns remain about the reliability and transparency of black-box AI system decisions in high-stakes security contexts.
Economic and Operational Fallout of Major Cyberattack Against UNFI
United Natural Foods, Inc. (UNFI), a major North American grocery distributor whose customers include Whole Foods, has confirmed that a recent cyberattack will cost it at least $350 million in lost sales. The attack caused widespread disruption to supply-chain operations and delayed deliveries, and restoring critical systems took several weeks.
Attack Details and Impact
While technical details of the breach have not been disclosed, the incident underscores the operational risk posed by modern ransomware and destructive attacks on large-scale logistics providers. The attack led to substantial downtime in core systems, impacting inventory, billing, and fulfillment processes for UNFI’s extensive retail network.
Lessons for Supply Chain Cybersecurity
This incident accentuates the need for:
- Business continuity and disaster recovery measures capable of supporting rapid restoration in the face of ransomware or destructive incidents.
- Comprehensive cyber risk assessments for all third-party and supply chain partners.
- Segmentation and rigorous hardening of operational technology (OT) and enterprise IT systems to minimize blast radius of successful attacks.
The event has prompted renewed scrutiny of supply chain cyber risk across the food and logistics industries.
Global Catastrophic Cyber Event: Emerging Research on Systemic Infrastructure Risk
A new study from Munich Re and CyberCube research highlights the potentially devastating consequences of a “catastrophic cyber event” striking global digital infrastructure. With interconnected dependencies between IoT devices, large language models, and critical networks, the report warns that a single coordinated attack could trigger cascading failures on a global scale, disrupting essential services and the world economy.
Key Threat Scenarios and Findings
The analysis identifies plausible threats including:
- Exploitation of vulnerabilities in globally deployed IoT devices, leading to synchronized attacks against power grids, transportation, and financial networks.
- Weaponization of large language models (LLMs) as part of attack automation, making it easier for threat actors to orchestrate and coordinate multifaceted assaults.
- Breakdown of trust in fundamental internet infrastructure, such as DNS, PKI, and authentication services, with ripple effects in both public and private sectors.
Implications for Risk Management
The report calls on governments, insurers, and enterprises to:
- Model and prepare for extreme but plausible cyber risk scenarios that go beyond traditional single-organization breaches.
- Expand real-time inter-organizational cyber threat intelligence sharing to speed detection and coordinated response.
- Invest in robust redundancy and failover mechanisms to ensure continuity of essential services in the event of systemic digital disruption.
The findings point to an urgent need for board-level attention to systemic cyber risk and digital resilience strategies.