Mailbox-Rules

ToolShell-led SharePoint intrusions in Q3 2025: a practitioner’s playbook for forensics, detection, and rapid eviction

4n6 Beat

Cisco Talos Incident Response reports that over 60% of their Q3 2025 engagements began with exploitation of public-facing applications, driven largely by the ToolShell attack chain against on-premises Microsoft SharePoint; roughly 40% of all engagements involved ToolShell activity. Talos also saw more post-compromise phishing launched from valid internal accounts, and a marked emphasis on segmentation and rapid eviction to contain spread. Ransomware made up about 20% of cases, with actors observed deploying a SharePoint webshell (notably spinstall0.aspx) and, in at least one case, abusing Velociraptor for persistence. Source: Talos IR Q3 2025.
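The report names spinstall0.aspx as the webshell seen on SharePoint servers, and the first forensic question is usually which client addresses touched it and when. The script below is an added example, not code from Talos or from this blog: it parses IIS W3C logs (assuming the `#Fields:` header names the columns, as IIS writes it) and builds a per-source-IP triage summary. The log lines are constructed sample data; note that even a 404 against that path is worth recording, since it can mark probing before deployment or after eviction.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample IIS W3C log; the #Fields header drives column mapping.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status
2025-07-19 08:01:12 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.1.20 Mozilla/5.0 200
2025-07-19 08:03:40 10.0.0.5 POST /_layouts/15/spinstall0.aspx - 203.0.113.7 python-requests/2.31 200
2025-07-19 08:03:41 10.0.0.5 GET /_LAYOUTS/16/SPINSTALL0.ASPX - 203.0.113.7 python-requests/2.31 200
2025-07-19 09:15:55 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 198.51.100.9 curl/8.4 404
"""

WEBSHELL_NAMES = {"spinstall0.aspx"}  # indicator named in the Talos report


def parse_w3c(text):
    """Yield one dict per request line, using the #Fields header for column names."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#") or fields is None:
            continue
        parts = raw.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, parts))


def find_webshell_hits(text):
    """Per source IP: first seen, request count, methods and status codes.
    Matching is case-insensitive on the final path segment so a copy dropped
    under a different hive path (e.g. /_layouts/16/) is still caught."""
    hits = defaultdict(lambda: {"first_seen": None, "count": 0, "methods": set(), "statuses": set()})
    for rec in parse_w3c(text):
        name = rec["cs-uri-stem"].rsplit("/", 1)[-1].lower()
        if name not in WEBSHELL_NAMES:
            continue
        ts = datetime.fromisoformat(f"{rec['date']} {rec['time']}")
        h = hits[rec["c-ip"]]
        if h["first_seen"] is None or ts < h["first_seen"]:
            h["first_seen"] = ts
        h["count"] += 1
        h["methods"].add(rec["cs-method"])
        h["statuses"].add(rec["sc-status"])
    return dict(hits)


if __name__ == "__main__":
    print(find_webshell_hits(SAMPLE_LOG))
```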