Microsoft: 2 ransomware groups hit SharePoint in parallel attacks

A Microsoft investigation into a ransomware case found that 2 different attackers operated simultaneously, demonstrating that modern attacks are not always isolated events and require different responses. The activity was linked to on-premises SharePoint servers that were targeted through known vulnerabilities.
- Microsoft found that two separate threat actors were operating inside the same compromised environment at the same time, complicating detection and incident response.
- The attacks were linked to vulnerable on-premises SharePoint servers, with ransomware group Storm-2603 exploiting publicly disclosed security flaws.
- A second, unrelated attacker was also active in the network, using techniques such as DLL sideloading to maintain persistence and evade detection.
- Microsoft says the case highlights a growing trend of overlapping cyber campaigns and is urging organizations to prioritize patching, identity security, endpoint protection, and coordinated monitoring across cloud and on-premises environments.
In a Microsoft Incident Response (DART) report, the company said its security researchers found a multi-stage intrusion that blended known ransomware tactics with other techniques to establish deep, lasting access.
After the initial investigation pointed to lateral movement beyond the initial environment into a second organization, the researchers contacted the entity, which confirmed that it had been compromised by the same ransomware activity as the first company, attributed to Storm-2603.
Further investigation, in collaboration with Microsoft Threat Intelligence, revealed that this illicit activity was carried out by a second, unrelated threat actor operating in parallel.
"Two distinct threat activity streams were operating in parallel, rather than sequentially, making them difficult to detect in isolation," the researchers said, adding that only by correlating identity, endpoint, and cloud telemetry did the full scope of the attack become clear.
The company found that Storm-2603 had been targeting on-premises SharePoint servers since mid-2025, exploiting publicly disclosed vulnerabilities. Meanwhile, the second criminal actor left signs of Dynamic Link Library (DLL) sideloading, which can be used to hide behind trusted software and execute payloads, install backdoors, or maintain persistence.
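The two detection points the report leans on, correlating identity, endpoint and cloud telemetry so that parallel activity streams become visible, and spotting DLL sideloading (a signed process loading a DLL from a user-writable directory), can be sketched in a small correlation routine. The code below is an added illustration, not Microsoft's or DART's tooling; the event schema, the host and account names, the indicator tags and the log lines are all constructed for the example, and the thresholds (a two-hour stream window, the trusted-DLL directory list) are assumptions.

```python
"""Correlate identity, endpoint and cloud telemetry for one host and surface
distinct, time-overlapping activity streams (e.g. two unrelated actors)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Event:
    source: str           # "identity", "endpoint" or "cloud" (constructed schema)
    ts: datetime
    host: str
    account: str
    data: dict = field(default_factory=dict)

@dataclass
class Stream:
    host: str
    account: str
    start: datetime
    end: datetime
    tags: set = field(default_factory=set)
    sources: set = field(default_factory=set)

# Directories from which a signed process is expected to load DLLs (assumed list).
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                    "c:\\program files\\", "c:\\program files (x86)\\")

def tag_event(ev, known_admin_hosts):
    """Return the indicator tags that apply to one event (empty list = benign)."""
    tags, d = [], ev.data
    if ev.source == "endpoint" and d.get("type") == "image_load":
        # A signed host process pulling a DLL from outside the trusted directories
        # is the characteristic shape of DLL sideloading.
        if d.get("process_signed") and not d["image"].lower().startswith(TRUSTED_DLL_DIRS):
            tags.append("dll_sideload_candidate")
    if ev.source == "endpoint" and d.get("type") == "process_create":
        # An IIS worker process spawning a shell is a common post-exploitation sign
        # on web servers such as SharePoint.
        if d.get("parent", "").lower() == "w3wp.exe" and \
           d.get("image", "").lower() in ("cmd.exe", "powershell.exe"):
            tags.append("iis_worker_spawned_shell")
    if ev.source == "identity" and d.get("type") == "signin" and d.get("privileged"):
        if ev.host not in known_admin_hosts.get(ev.account, set()):
            tags.append("privileged_signin_new_host")
    if ev.source == "cloud" and d.get("type") == "role_assignment":
        tags.append("cloud_role_change")
    return tags

def build_streams(events, known_admin_hosts, window=timedelta(hours=2)):
    """Group tagged events by host+account into streams; a gap longer than
    `window` between consecutive events opens a new stream."""
    streams = []
    for ev in sorted(events, key=lambda e: e.ts):
        tags = tag_event(ev, known_admin_hosts)
        if not tags:
            continue
        for s in streams:
            if s.host == ev.host and s.account == ev.account and ev.ts - s.end <= window:
                s.end = ev.ts
                s.tags.update(tags)
                s.sources.add(ev.source)
                break
        else:
            streams.append(Stream(ev.host, ev.account, ev.ts, ev.ts, set(tags), {ev.source}))
    return streams

def overlapping_streams(streams):
    """Pairs of streams on the same host whose time spans overlap, i.e. activity
    that looks like parallel rather than sequential actors."""
    pairs = []
    for i, a in enumerate(streams):
        for b in streams[i + 1:]:
            if a.host == b.host and a.start <= b.end and b.start <= a.end:
                pairs.append((a, b))
    return pairs

# Constructed sample telemetry: one SharePoint host, two accounts, same morning.
T = lambda hh, mm: datetime(2025, 9, 1, hh, mm)
KNOWN_ADMIN_HOSTS = {"CORP\\adm-backup": {"ADMIN-WS01"}}   # assumed baseline
SAMPLE_EVENTS = [
    Event("endpoint", T(10, 0), "SP01", "CORP\\svc_sharepoint",
          {"type": "process_create", "parent": "w3wp.exe", "image": "cmd.exe"}),
    Event("identity", T(10, 10), "SP01", "CORP\\adm-backup",
          {"type": "signin", "privileged": True}),
    Event("endpoint", T(10, 15), "SP01", "CORP\\svc_sharepoint",          # benign load
          {"type": "image_load", "process_signed": True,
           "image": "C:\\Windows\\System32\\kernel32.dll"}),
    Event("endpoint", T(10, 20), "SP01", "CORP\\adm-backup",
          {"type": "image_load", "process_signed": True,
           "image": "C:\\Users\\Public\\Libraries\\version.dll"}),
    Event("endpoint", T(10, 30), "SP01", "CORP\\svc_sharepoint",
          {"type": "process_create", "parent": "w3wp.exe", "image": "powershell.exe"}),
    Event("cloud", T(10, 40), "SP01", "CORP\\adm-backup",
          {"type": "role_assignment", "role": "Global Administrator"}),
]

if __name__ == "__main__":
    streams = build_streams(SAMPLE_EVENTS, KNOWN_ADMIN_HOSTS)
    for s in streams:
        print(f"{s.host} {s.account}: {s.start:%H:%M}-{s.end:%H:%M} {sorted(s.tags)}")
    for a, b in overlapping_streams(streams):
        print(f"PARALLEL on {a.host}: {a.account} and {b.account}")
```

Run on the constructed events, the routine yields two streams on SP01 with different accounts, tag sets and telemetry sources, and reports them as overlapping. Looking at either the endpoint feed or the identity feed alone, each stream on its own reads like a single incident; only the per-host correlation of all three sources shows two actors working in the same window, which is the observation the DART researchers describe.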
The report didn't specify the losses that the attackers might have caused.
"This case highlights a growing reality: modern attacks are not always isolated events. Sometimes they are overlapping campaigns that demand coordinated visibility and response," Microsoft said, suggesting multiple measures customers can take to strengthen their defenses.
For example, the company emphasized the importance of prioritizing the timely patching of internet-facing systems and known exploitable vulnerabilities, treating high-privilege identities as a primary attack surface, ensuring endpoint protection solutions are deployed across the environment before an incident occurs, and avoiding gaps caused by point-in-time tool deployment, among other measures.