DFIR field guide: Investigating ToolShell-driven SharePoint intrusions (Talos IR Q3 2025)
Cisco Talos IR’s Q3 2025 report highlights a sharp rise in compromises that began with exploitation of on‑premises Microsoft SharePoint via the ToolShell chain. More than 60% of Talos engagements involved exploitation of public‑facing apps, and almost 40% showed ToolShell activity; ransomware dropped to ~20% of cases while post‑exploitation phishing from compromised accounts continued to climb (Talos IR Q3 2025). Microsoft confirms active, multi‑actor abuse of new SharePoint bugs (CVE‑2025‑53770, CVE‑2025‑53771) related to earlier July CVEs (CVE‑2025‑49704, CVE‑2025‑49706), and stresses that only on‑prem servers are affected—not SharePoint Online (Microsoft Security TI, MSRC customer guidance). CISA added CVE‑2025‑53770 to the KEV catalog, underscoring exploitation in the wild (CISA KEV entry).