Unpatched SharePoint servers opened the door to multiple attackers, Microsoft finds
Microsoft's Detection and Response Team (DART) uncovered two separate, unrelated threat actors simultaneously operating inside the same victim network after unpatched on-premises SharePoint servers were exploited. Storm-2603 deployed ransomware using tools like Cloudflare Tunnel and Velociraptor, while a second actor used DLL sideloading, custom backdoors, and attempted Active Directory credential theft. The overlapping intrusions obscured each other, complicating detection and response. DART resolved the case by correlating identity, endpoint, and cloud telemetry. The investigation expanded to a second compromised organization. Key takeaways include prioritizing patching of internet-facing systems, centralizing telemetry, and maintaining tested incident response playbooks.