CyberBytes Daily

Trending cyberattacks, explained simply.

ransomware

How two unrelated attackers walked through the same unpatched SharePoint server simultaneously, each hiding the other

When Microsoft's incident response team was called in to investigate a ransomware attack, they expected to find one attacker. They found two, completely unrelated to each other, operating inside the same network at the same time. Neither group knew the other was there. But each group's activity made the other's harder to detect, creating a fog that nearly prevented investigators from understanding what had actually happened.

The door both groups walked through was an unpatched SharePoint server. The vulnerability, CVE-2026-45659, requires only the access level that most employees already have by default. Not administrator credentials. Not a phishing link clicked by an executive. Just a standard company login and a crafted request. That low bar is what made one open server into two simultaneous intrusions, a ransomware deployment, and a second victim organization that didn't know it had been compromised until Microsoft called.

There is a detail here that deserves to stop you: the patch for this vulnerability existed before either attacker got in. Microsoft shipped the fix in May 2026. But the CVE was accidentally left out of the patch release notes, so administrators who reviewed the update manifest saw no SharePoint vulnerability listed and had no reason to treat the update as urgent. A documentation error turned a solved problem back into an open door, and two separate threat actors walked through it.

Narrative · 7 min read

The Context

Microsoft SharePoint Server is the on-premises version of the collaboration and document management platform used by hundreds of thousands of organizations worldwide, including U.S. federal agencies. Unlike SharePoint Online (the cloud version included in Microsoft 365), on-premises SharePoint runs on servers that organizations manage themselves, which means they are also responsible for applying security patches. That distinction matters here: the cloud version was not affected by this vulnerability.

The attack documented in this post was investigated by Microsoft's Detection and Response Team (DART). What began as a routine ransomware investigation became something more unusual: evidence of two completely unrelated threat actors operating inside the same network simultaneously, both having entered through the same unpatched server.

The Attack, Phase by Phase

Phase 1: The Vulnerability and the Patch Gap

Microsoft disclosed CVE-2026-45659 on May 21, 2026, and included the fix in the May 2026 security updates. But the CVE was accidentally left out of the May Security Updates release notes. Administrators who reviewed the patch manifest saw no SharePoint vulnerability listed and had no reason to treat the update as urgent for SharePoint specifically.

This documentation error created a gap of roughly six weeks before CISA added the vulnerability to its Known Exploited Vulnerabilities catalog on July 1, 2026. During that window, unpatched servers remained exposed.

The vulnerability is straightforward to exploit. An attacker who crafts a malicious request and sends it to a SharePoint server triggers code execution on that server. The only requirement is a valid SharePoint account with Site Member permissions—the default access level for most employees. No administrator rights. No special knowledge of the target system. Microsoft rated the attack complexity as Low.

THE PATCH GAP WINDOW📋1May 21: patch releasedFix ships in May 2026 security updates⚠️2CVE omitted from release notesAdmins see no SharePoint CVE listed🕐3Six-week exposure windowUnpatched servers remain reachable🚪4July 1: KEV listing confirms exploitationTwo attackers already insideThe patch existed before either attacker got in. A documentation error kept it deprioritized.

Phase 2: Initial Access and Deep Persistence

Microsoft DART assessed that Storm-2603, the ransomware group responsible for one of the two intrusions, likely gained initial access through a separate critical vulnerability in Gladinet Triofox, a file-sharing product. Once inside, the group moved quickly to establish control that would survive detection and removal attempts.

Storm-2603 deployed Velociraptor, a legitimate forensic tool, with full system-level privileges to map the environment. They established redundant remote access channels using Cloudflare Tunnel, Zoho Assist, and Visual Studio Code Remote SSH—tools that blend into normal enterprise traffic and are rarely blocked. They created new local and domain administrator accounts, loaded a vulnerable kernel driver (NSecKrnl.sys) via BYOVD to disable endpoint security software, and harvested credentials using Mimikatz and LSASS memory scraping.

This is the pattern of an attacker who expects to be discovered and is building redundancy into every layer of access before the final stage.

STORM-2603 PERSISTENCE OPERATIONS🔍1Velociraptor deployed as SYSTEMMaps environment with forensic tool🌐2Three remote access channels openedCloudflare Tunnel, Zoho Assist, VS Code SSH👤3Admin accounts createdNew local and domain administrator accounts🛡️4Security software disabled via BYOVDNSecKrnl.sys loaded to blind endpoint tools🔑5Credentials harvestedMimikatz and LSASS memory scrapingLegitimate tools were used throughout, making each action individually difficult to flag as malicious.

Phase 3: Parallel Intrusion and Telemetry Masking

At the same time Storm-2603 was operating, a second, completely unrelated threat actor was inside the same network. This group used different techniques: DLL sideloading, custom backdoors, commercial VPN infrastructure, and attempts to access the domain credential database.

Neither group knew the other was present. But their combined activity created a problem for defenders: signals from each group were incomplete on their own, and when mixed together they appeared contradictory. Investigators trying to reconstruct a timeline found events that fit no single attacker's pattern. The two intrusion streams effectively masked each other.

Microsoft DART only separated the two streams by correlating data across identity systems, endpoint monitoring, and cloud telemetry simultaneously—and only after bringing in broader Microsoft Threat Intelligence for context not visible from inside the victim's environment.

SIMULTANEOUS INTRUSION STREAMS🔴1Storm-2603 activity streamVelociraptor, GPO modification, Mimikatz🟣2Second actor activity streamDLL sideloading, custom backdoors, VPN access🌫️3Signals mix and contradictNo coherent kill chain visible from alerts🔗4Cross-domain correlation requiredIdentity, endpoint, and cloud telemetry combinedTwo unrelated attackers sharing an environment created a detection problem neither would have caused alone.

Phase 4: GPO-Based Ransomware Deployment and Cross-Org Lateral Movement

Storm-2603 completed its attack by modifying Group Policy Objects to push Warlock ransomware to every computer in the domain simultaneously. GPO-based deployment is particularly damaging because it uses the same mechanism IT teams rely on to manage their environment: there is no unusual executable to block, just a policy change that looks like routine administration until encryption begins.

Forensic investigation then revealed that Storm-2603 had moved laterally into a second organization's network. Microsoft DART contacted that organization, which confirmed it had been compromised by the same ransomware activity. What appeared to be a single-organization incident had already crossed organizational boundaries before anyone knew to look.

RANSOMWARE DEPLOYMENT AND EXPANSION📜1GPOs modified domain-wideWarlock ransomware pushed to all machines🔒2Mass encryption beginsEvery domain-joined computer affected➡️3Lateral movement to second orgAttackers pivot beyond first victim network🏢4Second organization confirmed hitDART contacts and confirms compromise💸Ransomware deployedNetwork-wide encryption via GPO🏢Two orgs compromisedSecond victim identified post-forensics🌐Federal agencies at riskCISA issues three-day patch deadlineThe incident response scope doubled when forensic evidence revealed a second victim organization.

What Made This Possible

  1. A patch that existed but wasn't applied. The fix for CVE-2026-45659 was available before either attacker got in. The documentation error that omitted the CVE from the May release notes meant administrators had no clear signal to prioritize the update. A process failure in vulnerability communication negated the security value of a patch that already existed.

  2. A privilege bar low enough to include almost everyone. This vulnerability required only the default permissions granted to employees, contractors, and guests—making the authenticated attack surface nearly as broad as if no login were required at all.

  3. Alert-by-alert detection that couldn't see two attackers at once. Security monitoring that evaluates individual alerts in isolation will fail when two unrelated threat actors share an environment. Each stream appears incomplete; the signals contradict each other. Only correlated telemetry across identity, endpoint, and cloud layers can separate two parallel intrusion patterns before ransomware deploys.

What Should Have Stopped This

  • Patch prioritization that doesn't rely solely on release notes. Organizations subscribed to Microsoft's Security Update Guide directly, or using vulnerability management tools that pull from the National Vulnerability Database, would have seen CVE-2026-45659 even when it was missing from the release notes summary. Patch decisions should be driven by the authoritative source, not the summary.
  • Network segmentation that limits what a compromised SharePoint server can reach. If the SharePoint server cannot directly communicate with domain controllers, credential stores, or other organizations' networks, the attacker's ability to pivot is constrained even after initial access.
  • Privileged access controls that require additional verification for administrative actions. Creating domain administrator accounts or modifying Group Policy Objects should require more than standard credentials. Just-in-time access—time-limited elevated sessions requiring separate approval—would have slowed or blocked the persistence and ransomware deployment phases.
  • Correlated telemetry across identity, endpoint, and cloud. The dual-intrusion scenario was only resolved by combining data from multiple monitoring systems. Organizations that monitor these layers in isolation will see incomplete pictures. The two-attacker masking effect is not a theoretical edge case: it is what happened here.

The Takeaway

This incident is the same class of failure as the Stryker Intune wipe: a management tool (Group Policy) weaponized against the organization it was built to protect. This attack adds a layer the Stryker incident did not: two unrelated adversaries sharing an environment, each making the other harder to detect. The Axios supply chain attack created a telemetry blind spot by hiding malicious code inside trusted build infrastructure. Here, the blind spot came not from technical obfuscation but from the contradiction of signals generated by two simultaneous intrusion streams. The meta-pattern across all three: systems fail when defenders are forced to trust a boundary the attacker already controls.

The most important systemic lesson is that patch communication is itself a security control. When the process for telling administrators what to patch fails, the patch might as well not exist.

Pattern to remember: A single unpatched internet-facing server is not a single point of failure. It is an open door that multiple independent adversaries can walk through simultaneously, each compounding the other's impact and the defender's burden.

What changed: Two unrelated attackers sharing an environment can create a detection failure that neither would cause alone, because the contradiction between their activity streams makes it impossible to reconstruct a coherent kill chain from individual alerts.

Technical Deep Dive · 4 min

The Technical Mechanism

CVE-2026-45659 is a CWE-502 (Deserialization of Untrusted Data) vulnerability in on-premises Microsoft SharePoint Server. The SharePoint worker process (w3wp.exe) improperly deserializes attacker-controlled data submitted via authenticated HTTP requests. An attacker with Site Member permissions (the default contributor role, SPBasePermissions.ViewListItems and above) can craft a serialized payload using .NET's BinaryFormatter or compatible serialization gadget chains and submit it to a vulnerable SharePoint endpoint. When the server deserializes the payload, the embedded gadget chain executes arbitrary code in the context of the w3wp.exe process, which runs under the SharePoint application pool identity.

The attack does not require administrator privileges, user interaction, or prior knowledge of the target system's configuration. Microsoft rated the CVSS 3.1 vector as AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, yielding a base score of 8.8. The Low attack complexity rating reflects that the payload achieves repeatable success without environmental fingerprinting or timing dependencies.

In the Storm-2603 campaign, initial network access was assessed by Microsoft DART as likely achieved through CVE-2025-11371 (CVSS 9.1) in Gladinet Triofox, based on observed reconnaissance requests for win.ini and web.config files consistent with local file inclusion probing. Post-access, the attacker's toolkit included:

  • Velociraptor deployed with SYSTEM privileges for environment mapping
  • Cloudflare Tunnel, Zoho Assist, and Visual Studio Code Remote SSH for redundant C2 channels
  • NSecKrnl.sys loaded via BYOVD to disable endpoint detection and response (EDR) controls
  • Mimikatz and LSASS memory scraping for credential harvesting
  • PsExec, Impacket, and WMI for lateral movement
  • Group Policy Object modification for domain-wide Warlock ransomware deployment
  • AK47 C2, a custom multi-protocol command-and-control framework communicating over DNS and HTTP

The second unattributed actor used DLL sideloading, custom backdoors, and VPN access through virtual private server infrastructure, and attempted access to Active Directory credential databases (NTDS.dit).

CVE-2026-45659 EXPLOITATION PATH🔐1Authenticated HTTP requestSite Member credentials, no elevation needed📦2Malicious serialized payload submittedBinaryFormatter gadget chain embedded⚙️3w3wp.exe deserializes payloadNo input validation on attacker data💻4Arbitrary code executesIn context of SharePoint app pool identityThe entire exploit chain requires only a valid company login and a crafted HTTP request.

CVE and Advisories

  • CVE-2026-45659: Microsoft SharePoint Server Deserialization of Untrusted Data RCE. CVSS 3.1 base score 8.8. Fixed in May 2026 security updates.
  • CVE-2025-11371: Gladinet Triofox critical vulnerability (CVSS 9.1), assessed as likely initial access vector in the DART-investigated incident.
  • MSRC Advisory for CVE-2026-45659: Microsoft Security Response Center advisory, originally published May 21, 2026, updated May 26-27 to correct release notes omission.
  • CISA KEV entry for CVE-2026-45659: Added July 1, 2026. Remediation deadline July 4, 2026 under Binding Operational Directive (BOD) 26-04.
  • Canadian Centre for Cyber Security Advisory AL26-015: Confirms active exploitation awareness and recommends immediate patching of internet-exposed SharePoint instances.

Fixed build numbers:

  • SharePoint Server Subscription Edition: 16.0.19725.20280
  • SharePoint Server 2019: 16.0.10417.20128
  • SharePoint Enterprise Server 2016: 16.0.5552.1002

MITRE ATT&CK Mapping

Technique IDATT&CK nameHow it appeared
T1190Exploit Public-Facing ApplicationCVE-2026-45659 exploited on internet-facing SharePoint Server instances for initial code execution.
T1059Command and Scripting InterpreterArbitrary commands executed via deserialization gadget chain in w3wp.exe context.
T1078Valid AccountsSite Member credentials used to authenticate the exploit request; new administrator accounts created post-compromise.
T1547Boot or Logon Autostart ExecutionPersistence mechanisms established via unauthorized administrator account creation and remote access tooling.
T1572Protocol TunnelingCloudflare Tunnel used to establish covert C2 channel blending with legitimate traffic.
T1562Impair DefensesNSecKrnl.sys loaded via BYOVD technique to disable EDR controls before lateral movement.
T1003OS Credential DumpingMimikatz and LSASS memory scraping used to harvest domain credentials.
T1570Lateral Tool TransferPsExec, Impacket, and WMI used for lateral movement across the domain.
T1484Domain Policy ModificationGroup Policy Objects modified to distribute Warlock ransomware domain-wide.
T1486Data Encrypted for ImpactWarlock ransomware deployed via GPO, encrypting files across all domain-joined machines.
T1574Hijack Execution FlowSecond actor used DLL sideloading to load malicious code through legitimate application processes.

Indicators of Compromise

Microsoft DART's published report does not include a comprehensive list of file hashes, IP addresses, or domain indicators for operational security reasons. The following behavioral indicators are documented:

  • Presence of Velociraptor agent running under SYSTEM context on non-forensic workstations
  • Outbound connections to Cloudflare Tunnel infrastructure from SharePoint or domain controller hosts
  • NSecKrnl.sys present in driver directories
  • Unauthorized local or domain administrator accounts created outside change management processes
  • GPO modifications not initiated through standard IT change processes
  • Mimikatz artifacts or LSASS memory access from non-security tooling processes
  • Inbound reconnaissance requests for win.ini or web.config on SharePoint or Triofox endpoints

Unit 42's Project AK47 report (September 2025) contains additional host- and network-based indicators for the AK47 C2 framework and associated DLL sideloading loaders associated with the CL-CRI-1040 cluster.

Detection of the dual-intrusion scenario required correlating identity, endpoint, and cloud telemetry simultaneously. Alert-by-alert analysis of either intrusion stream in isolation produced incomplete and contradictory timelines.

Attribution

One intrusion stream is attributed to Storm-2603 (Microsoft designation), also tracked as CL-CRI-1040 by Palo Alto Networks Unit 42. Halcyon's technical analysis links Storm-2603, CL-CRI-1040, and the Warlock ransomware operation as the same group, based on shared Tox IDs, ransom note contact addresses, and overlapping development infrastructure. The group was formerly identified as a LockBit 3.0 affiliate and operates a double-extortion data leak site under the Warlock name. Storm-2603 deploys a custom C2 framework called AK47 C2, supporting multi-protocol communications over DNS and HTTP.

Check Point Research assessed Storm-2603 as likely financially motivated but noted the possibility of dual espionage and financial motivations, consistent with the group's co-occurrence alongside confirmed Chinese state-backed APTs Linen Typhoon (APT27) and Violet Typhoon (APT31). Microsoft stated it is "currently unable to confidently assess the threat actor's objectives." Halcyon noted the group's early access to ToolShell zero-days and proximity to Beijing's larger ToolShell campaign as indicators of potential nation-state alignment.

The second threat actor identified in the DART dual-intrusion investigation remains unattributed. China has denied all allegations of involvement in SharePoint exploitation campaigns.


Primary Sources