
Two Ransomware Groups Attack Local SharePoint Servers Simultaneously

The Bottom Line: The parallel activity of two independent ransomware groups on the same SharePoint servers demonstrates that attackers are increasingly conducting overlapping campaigns, requiring centralized visibility across all layers.

Microsoft’s Incident Response team (DART) has documented that two independent attackers compromised the same organization’s on-premises SharePoint servers in parallel. The case illustrates a harder detection problem than a single intrusion: when two campaigns overlap on the same hosts, each looks incomplete when analysed on its own.

While investigating a multi-stage intrusion, DART found that two unrelated threat actors were active in the same environment at the same time. The first group, which Microsoft tracks as Storm-2603, has been targeting on-premises SharePoint servers since mid-2025, exploiting known, documented vulnerabilities for which patches are already available. The same group was also identified in the analysis of a second affected organization.

The second, unrelated attacker used a different technique: analysts found traces of DLL sideloading. In this technique, a legitimate, signed executable is made to load an attacker-supplied DLL from its search path, so the malicious code runs inside a trusted process and does not trip signature-based alerting. The parallel activity of both actors made detection considerably harder. Microsoft explains: “Two different threat activity streams operated in parallel and not sequentially, which complicated their detection in isolation.” Only by consolidating identity, endpoint, and cloud telemetry could the investigators build a complete picture of what was happening.

The findings point to a shift in the threat landscape for SharePoint operators. Intrusions are no longer necessarily isolated events; they can be overlapping campaigns that require coordinated visibility and response. The investigation report contains no information on specific data losses or damage amounts.

As immediate measures, Microsoft recommends promptly installing security updates on all internet-facing systems. It further calls for closer monitoring of privileged accounts, deploying endpoint detection and response before an incident rather than during one, and correlating monitoring across cloud and on-premises infrastructure.
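The two points above, that each activity stream looks unremarkable in a single telemetry source and that privileged-account activity needs its own monitoring, are easiest to see with a small correlator. The following is an added example written for this page, not code from Microsoft, DART or the investigation. The host name, accounts, file paths, rule thresholds and every event in SAMPLE are constructed; the rules (an IIS worker spawning a shell, a signed binary loading an unsigned DLL from outside trusted directories, an interactive sign-in by a privileged account, a cloud role assignment) are generic heuristics chosen to illustrate the correlation, not indicators published for Storm-2603.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: datetime
    source: str    # which telemetry pipeline produced it: identity, endpoint or cloud
    host: str
    account: str
    kind: str      # signin | process | imageload | roleassign
    detail: dict


T0 = datetime(2025, 9, 1, 2, 0)


def at(minutes: int) -> datetime:
    return T0 + timedelta(minutes=minutes)


# Constructed telemetry for one on-premises SharePoint host. These records are
# invented for the example and are not data from the DART investigation.
SAMPLE = [
    # Stream A: the IIS worker process spawns a shell under the farm account.
    Event(at(0), "endpoint", "SP01", "CONTOSO\\spfarm", "process",
          {"parent": "w3wp.exe", "image": "cmd.exe"}),
    Event(at(2), "identity", "SP01", "CONTOSO\\spfarm", "signin",
          {"privileged": False, "logon_type": "network"}),
    # Benign image load: a signed system binary loading a signed system DLL.
    Event(at(5), "endpoint", "SP01", "CONTOSO\\spfarm", "imageload",
          {"process": "C:\\Windows\\System32\\svchost.exe", "process_signed": True,
           "image": "C:\\Windows\\System32\\ntdll.dll", "image_signed": True}),
    # Stream B: a different account sideloads an unsigned DLL into a signed
    # (hypothetical) vendor binary, then assigns itself a cloud role.
    Event(at(24), "identity", "SP01", "CONTOSO\\svc-backup", "signin",
          {"privileged": True, "logon_type": "interactive"}),
    Event(at(25), "endpoint", "SP01", "CONTOSO\\svc-backup", "imageload",
          {"process": "C:\\Program Files\\Vendor\\updater.exe", "process_signed": True,
           "image": "C:\\ProgramData\\Vendor\\version.dll", "image_signed": False}),
    Event(at(27), "cloud", "SP01", "CONTOSO\\svc-backup", "roleassign",
          {"role": "Global Administrator"}),
]

TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
WEB_WORKERS = {"w3wp.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}


def dll_sideload(e: Event) -> bool:
    """Signed process loads an unsigned DLL from outside the trusted directories."""
    d = e.detail
    return (e.kind == "imageload" and d.get("process_signed") and not d.get("image_signed")
            and not d.get("image", "").lower().startswith(TRUSTED_DIRS))


def web_worker_shell(e: Event) -> bool:
    return (e.kind == "process" and e.detail.get("parent", "").lower() in WEB_WORKERS
            and e.detail.get("image", "").lower() in SHELLS)


def privileged_interactive_signin(e: Event) -> bool:
    return (e.kind == "signin" and e.detail.get("privileged")
            and e.detail.get("logon_type") == "interactive")


def cloud_role_assign(e: Event) -> bool:
    return e.kind == "roleassign"


RULES = [("web_worker_shell", web_worker_shell), ("dll_sideload", dll_sideload),
         ("privileged_interactive_signin", privileged_interactive_signin),
         ("cloud_role_assign", cloud_role_assign)]


def findings(events, sources=None):
    """Apply the rules in time order, optionally restricted to a subset of telemetry sources."""
    hits = []
    for e in sorted(events, key=lambda x: x.ts):
        if sources is not None and e.source not in sources:
            continue
        hits.extend((name, e) for name, rule in RULES if rule(e))
    return hits


def cluster_streams(events, sources=None, window=timedelta(minutes=15)):
    """Group findings per host into activity streams: same account, within `window` of the last hit."""
    streams = {}
    for name, e in findings(events, sources):
        host_streams = streams.setdefault(e.host, [])
        for s in host_streams:
            if s["account"] == e.account and e.ts - s["last"] <= window:
                s["last"], _ = e.ts, s["techniques"].add(name)
                s["sources"].add(e.source)
                break
        else:
            host_streams.append({"account": e.account, "first": e.ts, "last": e.ts,
                                 "techniques": {name}, "sources": {e.source}})
    return streams


def concurrent_streams(host_streams, gap=timedelta(hours=1)) -> int:
    """Number of streams on one host whose activity lies within `gap` of another stream."""
    def near(a, b):
        return max(a["first"], b["first"]) - min(a["last"], b["last"]) <= gap
    return sum(1 for a in host_streams if any(near(a, b) for b in host_streams if b is not a))


if __name__ == "__main__":
    for label, srcs in (("endpoint only", {"endpoint"}), ("all sources", None)):
        for s in cluster_streams(SAMPLE, srcs).get("SP01", []):
            print(label, s["account"], sorted(s["techniques"]), sorted(s["sources"]))
```

Run with endpoint telemetry alone, the correlator sees two single-technique streams, one of which is only "a signed updater loaded an odd DLL". With identity and cloud telemetry joined in, the second stream becomes a privileged interactive sign-in, a sideloaded DLL and a cloud role assignment by the same account within minutes, on a host that another account is already shelling from the web worker. That combined view, not any one source, is what makes both campaigns visible.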


Source: www.it-daily.net · Published 26 June 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.7.1.