Sharepoint

Cisco Talos IR’s Q3 2025 report highlights a sharp rise in compromises that began with exploitation of on‑premises Microsoft SharePoint via the ToolShell chain. More than 60% of Talos engagements involved exploitation of public‑facing apps, and almost 40% showed ToolShell activity; ransomware dropped to ~20% of cases while post‑exploitation phishing from compromised accounts continued to climb (Talos IR Q3 2025). Microsoft confirms active, multi‑actor abuse of new SharePoint bugs (CVE‑2025‑53770, CVE‑2025‑53771) related to earlier July CVEs (CVE‑2025‑49704, CVE‑2025‑49706), and stresses that only on‑prem servers are affected—not SharePoint Online (Microsoft Security TI, MSRC customer guidance). CISA added CVE‑2025‑53770 to the KEV catalog, underscoring exploitation in the wild (CISA KEV entry).

Cisco Talos Incident Response reports that over 60% of their Q3 2025 engagements began with exploitation of public‑facing applications, driven largely by the ToolShell attack chain against on‑premises Microsoft SharePoint; roughly 40% of all engagements involved ToolShell activity. Talos also saw more post‑compromise phishing launched from valid internal accounts and a marked emphasis on segmentation and rapid eviction to contain spread. Ransomware made up about 20% of cases, with actors observed deploying a SharePoint webshell (notably spinstall0.aspx) and, in at least one case, abusing Velociraptor for persistence. Talos IR Q3 2025.