// Microsoft 365HIGH
Microsoft DART disclosed an active campaign by threat group Storm-2603 targeting unpatched on-premises SharePoint servers. The group exploits CVE-2025-49706, CVE-2025-49704, and CVE-2025-11371 to gain initial access, then deploys ransomware, establishes persistent backdoors via Cloudflare tunnels and Zoho Assist, and exfiltrates Active Directory credentials. A second unnamed actor was also present in parallel, using DLL sideloading to maintain access. Organizations are advised to prioritize patching SharePoint servers and implement strict identity controls.
// Get alerts for Microsoft 365