SparTech Software CyberPulse – Your quick strike cyber update for July 28, 2025 4:05 PM

Zero-day vulnerabilities in on-premises Microsoft SharePoint Server have been exploited by multiple threat actors, with more than 75 confirmed compromises across banks, universities, hospitals, businesses and government agencies in North America and Europe reported in the first days of the campaign (SharePoint Online in Microsoft 365 is not affected). The flaws allow unauthenticated remote code execution and, from there, administrative access, which is serious because SharePoint sits at the centre of document management and collaboration and is usually joined to the corporate Active Directory domain. Recent intrusions have gone beyond webshell implantation: some incidents have progressed to file encryption and ransomware deployment on the compromised servers.

Critical Zero-Day Flaws Discovered in SharePoint

In its July 2025 security update, Microsoft disclosed two vulnerabilities in on-premises SharePoint Server: CVE-2025-49704, a remote code execution flaw, and CVE-2025-49706, a spoofing flaw that in practice is an authentication bypass. Chained, the bypass lets an unauthenticated attacker reach the ToolPane.aspx editing endpoint, and the code-execution flaw then runs attacker-supplied code as the SharePoint application pool account. The chain, dubbed “ToolShell”, was first demonstrated at Pwn2Own Berlin in May 2025; once in-the-wild exploitation was found to bypass the July fixes, Microsoft assigned the patch-bypass variants CVE-2025-53770 (CVSS 9.8) and CVE-2025-53771 and shipped further updates. A successful chain gives full control of the server, arbitrary code execution, and access to the business data and integrated applications that SharePoint fronts.

Initial Compromises and Attack Execution

According to confirmed incident reports, exploitation attempts began in the first half of the month and widespread attacks were under way by July 18–19, with varied payloads observed. Alongside ASP.NET webshells (.aspx files dropped into the SharePoint LAYOUTS directory) and dropped executables, forensic analysts found malicious DLLs loaded into the IIS worker process and custom scripts designed to evade detection. A distinctive step is theft of the server’s ASP.NET machine keys (ValidationKey and DecryptionKey): with those, an attacker can sign forged ViewState payloads and regain code execution on a patched server unless the keys are rotated. From there adversaries harvest credentials, move laterally through the domain and, in some cases, deploy Warlock ransomware, encrypting files and disrupting business operations.

Scope of the Attack and Response Measures

The attacks have affected a range of sectors, including banking, education, public health and enterprise IT. Several organizations experienced operational disruptions and potential data exposure. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added the exploited CVE to its Known Exploited Vulnerabilities catalogue, and both CISA and Microsoft issued emergency guidance urging rapid patch deployment and additional monitoring for suspicious activity across all on-premises SharePoint environments.

Technical Mitigations and Recommendations

Patching is the first step but is not sufficient on its own. Microsoft’s guidance is to apply the July security updates for SharePoint Server 2016, 2019 and Subscription Edition, then rotate the ASP.NET machine keys and restart IIS, because keys already stolen let an attacker forge ViewState payloads against a patched server. Servers should have AMSI integration enabled together with an antivirus engine such as Microsoft Defender Antivirus, and servers that cannot be patched or protected should be disconnected from the Internet. Hunting should cover unauthorized authentication attempts, unusual outbound connections from the w3wp.exe worker process, and the presence of webshells or non-standard DLLs in the LAYOUTS directory; IIS logs should be reviewed for POST requests to ToolPane.aspx whose Referer is SignOut.aspx, the request shape seen in the exploitation. Security teams are also advised to isolate Internet-facing SharePoint servers, review file integrity and bolster logging. Microsoft has released detection rules and cleanup guidance and is updating them as attackers adapt their techniques.
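The hunting steps above can be scripted. The following is an added example written for this digest, not code from Microsoft or from the original page: it parses IIS W3C logs and flags the ToolShell request pattern (POST to ToolPane.aspx with DisplayMode=Edit and a SignOut.aspx Referer) plus requests for the spinstall0.aspx webshell, and it lists files in the LAYOUTS directory whose names match that webshell family. The log lines are constructed for the demo; the LAYOUTS path is the default 16-hive location, and the `spinstall\w*` filename pattern is a broad assumption based on the reported variants, so treat hits as leads, not verdicts.

```python
"""Hunt IIS W3C logs and the SharePoint LAYOUTS folder for ToolShell activity.

Added example, not Microsoft code. Paths, rules and sample data are assumptions
chosen to illustrate the hunt described in the text.
"""
import os
import re

# Default 16-hive LAYOUTS path (SharePoint 2016/2019/Subscription Edition).
LAYOUTS_DIR = (r"C:\Program Files\Common Files\microsoft shared"
               r"\Web Server Extensions\16\TEMPLATE\LAYOUTS")

TOOLPANE_RE = re.compile(r"/_layouts/(?:1[56]/)?toolpane\.aspx$", re.I)
SIGNOUT_RE = re.compile(r"/_layouts/(?:1[56]/)?signout\.aspx$", re.I)
# spinstall0.aspx and sibling names were reported; the wildcard is our assumption.
SPINSTALL_RE = re.compile(r"^spinstall\w*\.aspx$", re.I)

# Constructed sample log (not real traffic), IIS W3C extended format.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 07:12:44 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.0.44 Mozilla/5.0 - 200
2025-07-19 07:13:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 198.51.100.23 Mozilla/5.0 https://sp.example.com/_layouts/SignOut.aspx 200
2025-07-19 07:13:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 198.51.100.23 Mozilla/5.0 - 200
2025-07-19 07:14:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 10.0.0.44 Mozilla/5.0 https://sp.example.com/sites/hr/_layouts/15/settings.aspx 200
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields header.

    IIS can write several #Fields headers into one file, so the field list is
    re-read whenever a new header appears. Malformed lines are skipped.
    """
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if fields is None or len(parts) != len(fields):
            continue
        yield dict(zip(fields, parts))


def scan_iis_log(text):
    """Return findings for requests matching the ToolShell exploitation pattern."""
    findings = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "")
        referer = rec.get("cs(Referer)", "")
        method = rec.get("cs-method", "")
        base = {"time": f"{rec.get('date')} {rec.get('time')}",
                "c_ip": rec.get("c-ip"), "uri": stem, "query": query,
                "referer": referer}
        # Rule 1: unauthenticated POST to the ToolPane editor with a SignOut referer.
        # Legitimate page edits arrive with a referer inside the site, not SignOut.
        if (method == "POST" and TOOLPANE_RE.search(stem)
                and "displaymode=edit" in query.lower()
                and SIGNOUT_RE.search(referer)):
            findings.append(dict(base, rule="toolpane_signout_referer"))
        # Rule 2: any request for the machine-key dumping webshell by name.
        elif SPINSTALL_RE.match(stem.rsplit("/", 1)[-1]):
            findings.append(dict(base, rule="spinstall_webshell"))
    return findings


def scan_layouts_dir(path=LAYOUTS_DIR):
    """List files under LAYOUTS whose names match the reported webshell pattern."""
    hits = []
    if not os.path.isdir(path):
        return hits
    for root, _dirs, files in os.walk(path):
        hits.extend(os.path.join(root, n) for n in files if SPINSTALL_RE.match(n))
    return hits


if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE_LOG):
        print(finding)
    for hit in scan_layouts_dir():
        print("webshell candidate:", hit)
```

Run it on the server against the real log directory (`%SystemDrive%\inetpub\logs\LogFiles`) rather than the sample; a hit on rule 1 from an external address is a strong indicator that the machine keys are already stolen and must be rotated after patching.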

Ingram Micro, a leading global IT distributor, suffered a significant ransomware attack by the SafePay group in early July 2025. The attack caused a global outage affecting internal operations, online ordering and customer platforms. Initial access was gained through compromised credentials on the company’s VPN, a reminder that remote access infrastructure remains a weak point even where multifactor authentication is deployed.

SafePay Ransomware Operation Strikes Ingram Micro

On July 3, Ingram Micro detected ransom notes on employee endpoints, prompting an immediate investigation and shutdown of the company’s GlobalProtect VPN. The attack led to the suspension of core services, including the Xvantage and Impulse platforms, and disrupted supply chain management in North America, Europe, and Asia.

Attack Chain and Technical Entry Point

Reporting indicates the attackers used credentials stolen or phished from users with VPN access. Multifactor authentication was in place, yet the threat actors got past it, possibly through social engineering of the user, push-notification fatigue, or hijacking of an authenticated session. Once inside, the SafePay group moved laterally and rapidly deployed ransomware payloads. The total volume of encrypted and exfiltrated data is still under review; the operation triggered a coordinated password reset and system lockdown worldwide.

Incident Response and Recovery Processes

Ingram Micro enacted password resets, enforced new authentication policies and prioritized restoration of order processing and customer communications. By July 8, many services had resumed with manual workarounds in place. Security experts attributed the attack to SafePay, a group whose leak site listed more than 200 victims in 2025, with a notable spike in May.

Lessons Learned and Ongoing Mitigation

The incident underscores the risk of credential-based attacks on remote access systems, even those protected by multifactor authentication: push-based and one-time-code factors can be phished or approved under pressure, while phishing-resistant factors such as FIDO2/WebAuthn cannot be relayed to an attacker’s session. Recommendations for organizations include continuous assessment of VPN security posture, rigorous credential hygiene, phishing-resistant MFA for remote access, and real-time monitoring of remote access logs for anomalies such as repeated MFA prompts followed by an approval or sign-ins from locations a user has never used, in addition to regular incident response drills and ransomware readiness planning.
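What such monitoring looks like in practice, as an added example for this digest (not Ingram Micro’s tooling and not based on its logs): two detections run over VPN authentication events, one for MFA fatigue (several push prompts or denials shortly before an approval) and one for a successful sign-in from a country outside the user’s baseline. The event tuples, user names, thresholds and the baseline map are all constructed assumptions; in production the events would come from the VPN gateway or identity provider audit log.

```python
"""Flag VPN sign-ins that look like MFA fatigue or come from an unfamiliar country.

Added example; events, users and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events: (utc_time, user, event, src_ip, country). Not real data.
EVENTS = [
    ("2025-07-03T02:10:05Z", "jsmith", "mfa_push", "203.0.113.9", "BR"),
    ("2025-07-03T02:10:40Z", "jsmith", "mfa_denied", "203.0.113.9", "BR"),
    ("2025-07-03T02:11:12Z", "jsmith", "mfa_push", "203.0.113.9", "BR"),
    ("2025-07-03T02:11:50Z", "jsmith", "mfa_denied", "203.0.113.9", "BR"),
    ("2025-07-03T02:12:30Z", "jsmith", "mfa_push", "203.0.113.9", "BR"),
    ("2025-07-03T02:13:02Z", "jsmith", "mfa_approved", "203.0.113.9", "BR"),
    ("2025-07-03T02:13:03Z", "jsmith", "login_success", "203.0.113.9", "BR"),
    ("2025-07-03T08:00:00Z", "alee", "mfa_push", "198.51.100.7", "US"),
    ("2025-07-03T08:00:12Z", "alee", "mfa_approved", "198.51.100.7", "US"),
    ("2025-07-03T08:00:13Z", "alee", "login_success", "198.51.100.7", "US"),
]

# Countries each user has signed in from over the last 90 days (assumed baseline).
BASELINE_COUNTRIES = {"jsmith": {"US"}, "alee": {"US"}}


def _ts(s):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_vpn_anomalies(events, baseline, window=timedelta(minutes=10),
                         push_threshold=3, denial_threshold=2):
    """Return alerts for MFA-fatigue approvals and sign-ins from new countries."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev[1]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: _ts(e[0]))
        for i, (t, _u, kind, ip, country) in enumerate(evs):
            now = _ts(t)
            if kind == "mfa_approved":
                # Count prompts and explicit denials in the window before this approval.
                recent = [e for e in evs[:i]
                          if e[2] in ("mfa_push", "mfa_denied")
                          and now - _ts(e[0]) <= window]
                pushes = sum(1 for e in recent if e[2] == "mfa_push")
                denials = sum(1 for e in recent if e[2] == "mfa_denied")
                if pushes >= push_threshold or denials >= denial_threshold:
                    alerts.append({"rule": "mfa_fatigue", "user": user, "src_ip": ip,
                                   "time": t, "pushes": pushes, "denials": denials})
            elif kind == "login_success" and country not in baseline.get(user, set()):
                # A successful session from a country the user has never used.
                alerts.append({"rule": "new_geo", "user": user, "src_ip": ip,
                               "time": t, "country": country})
    return alerts


if __name__ == "__main__":
    for alert in detect_vpn_anomalies(EVENTS, BASELINE_COUNTRIES):
        print(alert)
```

Either rule alone produces noise (a traveller trips new_geo, a fumbled phone trips a couple of prompts); both firing for the same user within minutes, as jsmith does here, is the combination worth paging on, and the response is to revoke the session and reset the credential rather than wait for confirmation.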

The persistent threat from advanced social engineering groups, highlighted by recent attacks on major retailers, airlines and financial institutions, shows that multifactor authentication and security awareness training can be circumvented through targeted impersonation. Scattered Spider, an established threat actor group, continues to exploit human processes rather than technical flaws to bypass controls, resulting in breaches affecting millions of customers.

Social Engineering Attacks Target Help Desks and Identity Controls

In July 2025, high-profile incidents such as the compromise of customer data at an Australian airline, potentially affecting six million customers, demonstrated evolving attacker methodologies. Groups like Scattered Spider use well-researched pretexts to impersonate employees, contractors or service providers when dealing with IT help desks and customer support teams. Through those conversations they have passwords reset, have MFA re-enrolled on devices they control, and thereby gain network access as the impersonated user.

Known Targets and Attack Vectors

Recent victims include major UK brands, global airlines and retail chains. Attackers use phone calls, SMS phishing and, in some reports, deepfake audio or video to establish credibility with IT personnel. After gaining initial access, they escalate privileges, install persistence mechanisms and often reach sensitive data, including customer records and payment systems.

Mitigation Strategies

Organizations are advised to implement stricter identity verification for help desk requests: call back on a phone number already on record rather than one the caller supplies, require manager approval for resets on privileged accounts, and separate a password reset from MFA re-enrollment so that both cannot be obtained in a single call. Phishing-resistant MFA, continuous behavioural analytics, and alerting on a help-desk-initiated reset followed shortly by a new MFA registration give defenders a chance to catch an impersonation before it becomes a takeover, and staff should be briefed on the latest pretexts. Zero trust models, requiring granular validation for privilege escalations and device enrollments, are increasingly recommended to limit the fallout from a successful impersonation.
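The alerting described above, as an added example for this digest and not code from any of the organizations mentioned: it correlates identity audit events so that a help-desk password reset performed without a recorded callback, or followed within a short window by an MFA method change on the same account, produces an alert (high severity for accounts in a privileged set). The audit records, ticket system fields, actor names and the 30-minute window are constructed assumptions; real deployments would read these from the identity provider’s audit log and the ticketing system.

```python
"""Correlate help-desk password resets with MFA re-enrollment in identity audit logs.

Added example; event schema, ticket fields and names are constructed assumptions.
"""
from datetime import datetime, timedelta

# Constructed identity-provider audit events (not real data).
AUDIT = [
    {"ts": "2025-07-10T14:02:00Z", "actor": "helpdesk.tier1",
     "target": "cfo@example.com", "action": "password_reset", "ticket": "HD-1001"},
    {"ts": "2025-07-10T14:05:30Z", "actor": "cfo@example.com",
     "target": "cfo@example.com", "action": "mfa_method_added", "ticket": None},
    {"ts": "2025-07-10T09:00:00Z", "actor": "helpdesk.tier1",
     "target": "intern@example.com", "action": "password_reset", "ticket": "HD-0999"},
]

# Constructed ticket-system view: was the requester called back on a number on file?
TICKETS = {"HD-1001": {"callback_verified": False},
           "HD-0999": {"callback_verified": True}}

PRIVILEGED = {"cfo@example.com"}          # assumed privileged-account set
HELPDESK_ACTORS = {"helpdesk.tier1"}      # assumed help-desk service identities


def _ts(s):
    """Parse an RFC 3339 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect_helpdesk_takeover(audit, tickets, privileged, helpdesk_actors,
                             window=timedelta(minutes=30)):
    """Return alerts for resets without callback and reset-then-MFA-change chains."""
    events = sorted(audit, key=lambda e: _ts(e["ts"]))
    alerts = []
    for i, ev in enumerate(events):
        if ev["action"] != "password_reset" or ev["actor"] not in helpdesk_actors:
            continue
        target = ev["target"]
        # Rule 1: the reset was performed without an out-of-band callback.
        if not tickets.get(ev.get("ticket"), {}).get("callback_verified", False):
            alerts.append({"rule": "reset_without_callback", "target": target,
                           "ticket": ev.get("ticket"), "time": ev["ts"],
                           "severity": "high" if target in privileged else "medium"})
        # Rule 2: an MFA method is added or removed on the same account soon after.
        t0 = _ts(ev["ts"])
        for later in events[i + 1:]:
            if later["target"] != target:
                continue
            if _ts(later["ts"]) - t0 > window:
                break  # events are sorted, so nothing later is within the window
            if later["action"] in ("mfa_method_added", "mfa_method_removed"):
                alerts.append({"rule": "mfa_reenroll_after_reset", "target": target,
                               "ticket": ev.get("ticket"), "time": later["ts"],
                               "severity": "high" if target in privileged else "medium"})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_helpdesk_takeover(AUDIT, TICKETS, PRIVILEGED, HELPDESK_ACTORS):
        print(alert)
```

The second rule is the one that matters most: a reset on its own can be legitimate, but a reset followed minutes later by a new authenticator is exactly the sequence an impersonator needs, so the sensible automated response is to revoke the new method and the account’s sessions and require the verified owner to re-enroll in person or via a manager.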
