Saturday, December 13, 2025

Unprecedented SharePoint 0-Day Exploited by Hacker Groups of All Kinds

Microsoft confirmed on July 19, 2025, that cybercriminals and nation-state actors are actively exploiting a critical set of zero-day vulnerabilities dubbed “ToolShell” affecting on-premises SharePoint servers worldwide.

The attack campaign, which began on July 17, has prompted emergency security updates and represents one of the most significant enterprise security incidents of 2025.

Multiple Vulnerabilities Chain Together for Maximum Impact

ToolShell comprises two primary zero-day vulnerabilities: CVE-2025-53770, a remote code execution flaw, and CVE-2025-53771, a server spoofing vulnerability.

Threat actors are chaining these exploits with two previously patched vulnerabilities (CVE-2025-49704 and CVE-2025-49706) to create a devastating attack vector against SharePoint Server 2016, 2019, and Subscription Edition installations.

[Figure] Geographic distribution of ToolShell attacks from July 17, 2025 to July 22, 2025

The sophistication of these attacks allows cybercriminals to bypass multi-factor authentication and single sign-on protections, gaining unauthorized access to restricted systems.

Once inside, attackers deploy malicious webshells, particularly a script named “spinstall0.aspx,” to extract sensitive information from compromised networks.

Microsoft has identified multiple webshell variants, including files named with the “ghostfile” prefix followed by numerical identifiers.
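A defender-side triage script for the webshell file names quoted above, added here as an example and not code from Microsoft or the article. It assumes the default SharePoint LAYOUTS path, assumes the ghostfile variants carry a numeric suffix as described, and builds its own constructed sample tree for the demo; a name match is only an indicator, so hits still need review alongside the AMSI and Defender coverage the article recommends.

```python
import os
import re
import tempfile
from datetime import datetime, timezone

# Name patterns for the webshells named in the article: "spinstall0.aspx" and
# the "ghostfile" prefix followed by a numeric identifier (extension not stated
# in the article, so any extension is accepted). NTFS is case-insensitive.
WEBSHELL_PATTERNS = [
    re.compile(r"^spinstall0\.aspx$", re.IGNORECASE),
    re.compile(r"^ghostfile\d+(\.\w+)?$", re.IGNORECASE),
]

# Assumed default LAYOUTS directory of SharePoint Server 2016/2019/SE; adjust
# to the local install path before running on a real server.
DEFAULT_LAYOUTS = (r"C:\Program Files\Common Files\microsoft shared"
                   r"\Web Server Extensions\16\TEMPLATE\LAYOUTS")


def classify_name(name):
    """Return the index of the matching pattern, or None if not an indicator."""
    for idx, pattern in enumerate(WEBSHELL_PATTERNS):
        if pattern.match(name):
            return idx
    return None


def scan_layouts(root):
    """Walk root; return sorted (path, mtime_utc) for every indicator match."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if classify_name(name) is not None:
                full = os.path.join(dirpath, name)
                mtime = datetime.fromtimestamp(os.path.getmtime(full), timezone.utc)
                hits.append((full, mtime))
    return sorted(hits)


def demo():
    """Constructed sample tree: a clean page, spinstall0.aspx, a ghostfile
    variant with a numeric id, and a ghostfile name without one (no match)."""
    tmp = tempfile.mkdtemp()
    for rel in ["default.aspx", "spinstall0.aspx", "sub/GhostFile42.aspx", "ghostfile.aspx"]:
        path = os.path.join(tmp, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return [os.path.relpath(p, tmp).replace(os.sep, "/") for p, _ in scan_layouts(tmp)]


if __name__ == "__main__":
    root = DEFAULT_LAYOUTS if os.path.isdir(DEFAULT_LAYOUTS) else None
    for path, mtime in (scan_layouts(root) if root else []):
        print(f"{mtime.isoformat()}  {path}")
    print("demo hits:", demo())
```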

Global Exploitation Campaign Draws Diverse Threat Actors

Security researchers have documented attacks originating from at least 19 different IP addresses between July 17-22, with the United States accounting for 13.3% of observed exploitation attempts.

The geographic distribution spans multiple continents, indicating widespread opportunistic targeting by various threat groups.

Particularly concerning is the involvement of China-aligned Advanced Persistent Threat (APT) groups, including LuckyMouse, which typically targets government organizations, telecommunications companies, and international entities.

Microsoft’s threat intelligence team has confirmed that “several China-aligned threat actors have joined in on the exploitation attempts”, elevating the campaign from opportunistic cybercrime to potential state-sponsored espionage.

Emergency Response and Protection Measures

Microsoft has released comprehensive security updates for all affected SharePoint versions and strongly urges immediate installation.

The company recommends a multi-layered defense approach, including enabling the Antimalware Scan Interface (AMSI), deploying Microsoft Defender for Endpoint, and rotating SharePoint Server ASP.NET machine keys.

Critical detection capabilities have been implemented across Microsoft’s security ecosystem, with Defender Antivirus providing specific detections for “Exploit:Script/SuspSignoutReq.A” and “Trojan:Win32/HijackSharePointServer.A”.

Advanced hunting queries are available to help organizations identify potential compromises within their environments.

Given SharePoint’s deep integration with Microsoft 365 services, including Teams, OneDrive, and Outlook, successful exploitation can provide attackers with extensive network access, making immediate patching essential for organizational security.
