Mirai Botnet aka Katana – Active IOCs
April 19, 2025
Rewterz Releases Annual Threat Intelligence Report 2024 Highlighting Key Cybersecurity Trends and Threat Actor Activity
April 21, 2025
Severity
High
Analysis Summary
Microsoft has issued a global warning to organizations about an escalating wave of sophisticated cyberattacks targeting on-premises Microsoft Exchange Server and SharePoint Server. These attacks exploit critical vulnerabilities that provide threat actors with persistent and privileged access to internal networks. Once inside, attackers can execute remote code, move laterally across systems, and exfiltrate sensitive data. The increased targeting is driven by the rich data stored on these platforms, making them high-value targets for cybercriminals.
A significant development in these campaigns is the growing use of NTLM relay and credential leakage attacks. In a relay attack the adversary does not need to know a password: a victim (often a privileged account or a server's own machine account) is coerced into authenticating to an attacker-controlled host, and the attacker forwards that NTLM challenge/response exchange, while it is still in flight, to a legitimate service such as an Exchange or SharePoint endpoint. In a credential leakage attack the coerced authentication is captured instead, and the NetNTLMv2 response is cracked offline. Either way the attacker ends up acting as a legitimate user, which is enough to escalate privileges and maintain long-term access to the corporate environment.
In the case of SharePoint Server, attackers are employing stealthier techniques to maintain access without detection. Rather than dropping a new file, they insert web shell code into existing, legitimate server pages, and they deploy remote monitoring and management (RMM) tools. Both blend in: a modified page keeps its original name and location, and an RMM agent is a signed commercial product that many environments already allow. This lets the intruder operate covertly, bypass controls that only look for new or unsigned binaries, and keep persistence for extended periods. The shift marks an evolution in threat actor tactics, from overt exploitation to silent, embedded operations.
To defend against these threats, Microsoft has integrated the Antimalware Scan Interface (AMSI) into Exchange and SharePoint. Operating as a module in the IIS pipeline, AMSI hands each HTTP request to the registered antimalware engine (Microsoft Defender or any AMSI-capable third-party product) before the request reaches the application code; a request the engine flags is rejected with an HTTP 400 response. Because detection is signature and behaviour based, this can block exploitation of a vulnerability before the server has been patched, including some zero-day attempts, but it is only as good as the engine's current definitions and does not replace the security update. Microsoft advises all organizations to apply security updates without delay, confirm AMSI is enabled and backed by a running AMSI-compatible antimalware product, audit NTLM configurations, and monitor servers for unusual activity. A multi-layered, proactive security approach is essential against these increasingly advanced attacks.
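The web-shell technique described above, injecting code into an existing server page, defeats "new file" detection; the following PowerShell is an added hunting example, not Microsoft's or Rewterz's code, that instead flags recently modified ASP.NET pages containing constructs a SharePoint page almost never needs. The scan roots, the pattern list and the 14-day window are assumptions for this example, and a hit means "review this file", not "this is a web shell".

```powershell
# Added example (not from Microsoft or Rewterz): heuristic hunt for web-shell
# code injected into existing SharePoint / IIS pages. Read-only.

function Find-SuspiciousWebFiles {
  param(
    [Parameter(Mandatory)] [string[]] $Paths,
    [int] $Days = 14   # assumption: only look at files touched in the last two weeks
  )
  # Constructs that legitimate SharePoint pages rarely contain inline (assumed list).
  $patterns = @(
    'eval\s*\(',                  # dynamic code evaluation
    'Process\.Start',             # spawning a process from a page
    'cmd\.exe|powershell',        # common shell launch targets
    'Request\s*\[',               # operator input read straight from the request
    'Assembly\.Load\(',           # loading attacker-supplied IL
    'FromBase64String',           # staged / obfuscated payloads
    'System\.Diagnostics'
  )
  $since = (Get-Date).AddDays(-$Days)
  foreach ($root in $Paths) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -Path $root -Recurse -File -Include '*.aspx','*.ashx','*.asmx','*.master' -ErrorAction SilentlyContinue |
      Where-Object { $_.LastWriteTime -ge $since } |
      ForEach-Object {
        $text = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
        $hits = $patterns | Where-Object { $text -match $_ }
        if ($hits) {
          [pscustomobject]@{
            File     = $_.FullName
            Modified = $_.LastWriteTime
            Matched  = ($hits -join ', ')
          }
        }
      }
  }
}

# Roots worth scanning on a SharePoint server (assumed default "16" hive paths).
$roots = @(
  'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
  'C:\inetpub\wwwroot\wss\VirtualDirectories'
)
# Add every IIS site's physical path when the WebAdministration module is present.
if (Get-Module -ListAvailable -Name WebAdministration) {
  Import-Module WebAdministration
  $roots += Get-Website | ForEach-Object { [Environment]::ExpandEnvironmentVariables($_.physicalPath) }
}

# Constructed demo input: a temporary page shaped like a one-line shell, so the
# function has something to find even on a workstation without SharePoint.
$demo = Join-Path $env:TEMP 'webshell-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
'<%@ Page Language="C#" %><% System.Diagnostics.Process.Start("cmd.exe", Request["c"]); %>' |
  Set-Content -Path (Join-Path $demo 'error.aspx')

Find-SuspiciousWebFiles -Paths ($roots + $demo) | Format-Table -AutoSize
```

Expect noise right after a SharePoint security update, because the update rewrites LAYOUTS files and resets their timestamps; compare any hit against the same file on a freshly patched reference server before treating it as a shell.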
Impact
- Exfiltrate Sensitive Data
- Remote Code Execution
- Privilege Escalation
Remediation
- Ensure all on-premises Exchange and SharePoint servers are updated with the latest security patches without delay to close known vulnerabilities.
- Activate the Antimalware Scan Interface (AMSI) within Exchange and SharePoint to inspect and block malicious HTTP requests before they reach the application layer.
- Confirm that AMSI-compatible antimalware software is running to enhance real-time threat detection and prevention.
- Review NTLM usage across the environment and identify where it can be restricted or replaced with more secure protocols.
- Strengthen NTLM security by enabling Extended Protection for Authentication (EPA). EPA binds the NTLM exchange to the outer TLS channel through a channel binding token, so an authentication that an attacker relays over a different TLS connection is rejected by the server. EPA requires TLS to terminate on the Exchange or SharePoint server itself (no SSL offloading on a load balancer) and consistent TLS settings across all servers; for Exchange, Microsoft's ExchangeExtendedProtectionManagement.ps1 script checks these prerequisites and enables EPA on the virtual directories.
- Continuously watch for signs of compromise: NTLM audit events (Microsoft-Windows-NTLM/Operational) that reveal unexpected clients or accounts, spikes of HTTP 400 responses in the IIS logs that indicate AMSI is blocking requests, recently modified .aspx or .ashx pages under the SharePoint and Exchange web roots, and newly installed RMM agents or services.
- Secure server environments by removing unnecessary services, restricting administrative access, and enforcing strong authentication policies.
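The remediation steps above are a checklist; the following PowerShell is an added, read-only posture check for an on-premises Exchange server that reports on the NTLM, EPA and AMSI items (example code, not Microsoft's or Rewterz's). It assumes an elevated Exchange Management Shell, which provides Get-SettingOverride; the virtual-directory list, the "expected" values and the way the extendedProtection element exposes tokenChecking are assumptions for this example.

```powershell
# Added example (not from Microsoft or Rewterz): report-only check of the
# NTLM / Extended Protection / AMSI remediation items on an Exchange server.
# Run in an elevated Exchange Management Shell. Changes nothing.

$findings = New-Object System.Collections.Generic.List[string]

# 1. NTLM audit / restriction policy (HKLM\...\Lsa\MSV1_0).
#    Audit*:    0 = off, 1 = domain accounts, 2 = all accounts.
#    Restrict*: 0 = allow all, 1 = deny domain accounts, 2 = deny all.
$msv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' -ErrorAction SilentlyContinue
if (-not $msv.AuditReceivingNTLMTraffic) {
  $findings.Add('NTLM: AuditReceivingNTLMTraffic is off; enable it to see who still uses NTLM (events 8001-8004 in Microsoft-Windows-NTLM/Operational)')
}
if (-not $msv.RestrictReceivingNTLMTraffic) {
  $findings.Add('NTLM: incoming NTLM is not restricted (RestrictReceivingNTLMTraffic = 0)')
}

# 2. LmCompatibilityLevel: 5 = send NTLMv2 only and refuse LM / NTLMv1 responses.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ([int]$lsa.LmCompatibilityLevel -lt 5) {
  $findings.Add("NTLM: LmCompatibilityLevel is $($lsa.LmCompatibilityLevel); the hardened value is 5")
}

# 3. Extended Protection on the Exchange virtual directories (an IIS setting).
#    tokenChecking: None = EPA off, Allow = opportunistic, Require = enforced.
Import-Module WebAdministration
$vdirs = @(                       # assumed list; adjust to the server's role
  'Default Web Site/EWS', 'Default Web Site/Autodiscover', 'Default Web Site/OAB',
  'Default Web Site/Rpc', 'Default Web Site/mapi', 'Default Web Site/PowerShell'
)
foreach ($v in $vdirs) {
  $ep = Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $v `
          -Filter 'system.webServer/security/authentication/windowsAuthentication' `
          -Name 'extendedProtection' -ErrorAction SilentlyContinue
  # assumption: the returned element exposes tokenChecking as a string property
  if (-not $ep -or "$($ep.tokenChecking)" -in @('', 'None')) {
    $findings.Add("EPA: $v has Extended Protection off (tokenChecking = None)")
  } elseif ("$($ep.tokenChecking)" -eq 'Allow') {
    $findings.Add("EPA: $v only allows, does not require, channel binding (tokenChecking = Allow)")
  }
}

# 4. Exchange AMSI request filtering is on by default; it is switched off by a
#    setting override with Enabled=False on component Cafe / section HttpRequestFiltering.
$amsiOff = Get-SettingOverride -ErrorAction SilentlyContinue | Where-Object {
  $_.ComponentName -eq 'Cafe' -and $_.SectionName -eq 'HttpRequestFiltering' -and
  ($_.Parameters -match 'Enabled=False')
}
foreach ($o in $amsiOff) { $findings.Add("AMSI: disabled by setting override '$($o.Name)' (reason: $($o.Reason))") }

# 5. AMSI only scans if an antimalware provider is registered with it.
$providers = Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\AMSI\Providers' -ErrorAction SilentlyContinue
if (-not $providers) {
  $findings.Add('AMSI: no AMSI provider registered; an AMSI-compatible antimalware product is not running')
}

if ($findings.Count -eq 0) { 'No findings: NTLM audited and restricted, EPA required, AMSI active.' }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Treat an EPA finding as a prerequisite problem rather than a switch to flip: enabling Require on a server that still sits behind an SSL-offloading load balancer breaks client authentication, which is why the check reports rather than remediates.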