The July 2025 Critical SharePoint Vulnerability: What You Need to Do Right Now

Article by: Alex Wells-Linden, Cyber Security Analyst at Synextra

A major cyber attack has sent ripples through the tech world, exploiting a previously unknown vulnerability in Microsoft SharePoint. 

We made a short video report of the incident with our cybersecurity expert Alex Wells-Linden. Based on the insights from the video, we bring you the article below, breaking down what has happened, what it means for your business, and what you need to do about it. 

What’s happened 

Attackers discovered and exploited a zero-day vulnerability in on-premises SharePoint servers. This has gone beyond a routine security alert: it is a critical situation affecting organisations globally, including government agencies. The attackers have targeted SharePoint’s machine keys to gain persistent access to affected systems. 

SharePoint machine keys are the ASP.NET ValidationKey and DecryptionKey that every SharePoint web application uses to sign and encrypt the ViewState and authentication tokens it exchanges with browsers. The server trusts anything that carries a valid signature under these keys, so when attackers steal them they gain extraordinary power over your systems. 

With the keys, an attacker can forge requests the server accepts as legitimate, bypass authentication entirely, and decrypt data protected with them. Most concerning, the patch does not change the keys: an attacker who already holds them can keep returning to a patched server with forged, validly signed requests, which makes detection and removal extremely difficult until the keys are rotated. 

SharePoint Online in Microsoft 365 is not affected; on-premises installations (SharePoint Server 2016, 2019 and Subscription Edition) are at risk. 

Can it be defended against? 

Yes, it can. Microsoft has released an emergency patch that addresses this vulnerability, along with other defensive measures you can implement to protect your systems. We’ll detail what you need to do later in this article. 

The good news is that this is no longer a zero-day situation: the vulnerability is now known and can be patched. However, the urgency remains, because any system that hasn’t been updated is still exposed, and machine keys stolen before patching continue to pose a threat until they are rotated. 

The implications for your business 

We should be clear about the severity of this situation. For businesses running on-premises SharePoint servers, the risks are potentially severe, going far beyond simple data theft. 

The immediate risks include direct theft of sensitive documents, employee data, and intellectual property. Your firm might face disruption to daily business activities, and an attacker who has a foothold on a SharePoint server can use it as an entry point for ransomware across the wider network. There’s also the very real threat of data extortion if critical documents are exfiltrated. 

In the longer term, the consequences are just as serious. You might face significant reputational damage and regulatory penalties for a data breach. You’ll need to run comprehensive incident response measures, and conduct ongoing threat hunting to make sure your systems are clean. 

What to do next 

Time is of the essence. We recommend taking immediate action across several fronts. 

  1. Apply the emergency patch

Microsoft released an emergency patch on 21st July. If you haven’t already applied it, this should be your first priority. Apply all available security updates to every on-premises SharePoint server in the farm immediately, then verify on the servers themselves that the update took (the farm build number and the per-server product and patch status in Central Administration or the SharePoint Management Shell) rather than relying only on an external vulnerability scanner, which can lag behind the release or miss an internal-only server. Continue monitoring Microsoft advisories for any additional releases that may address related vulnerabilities, and apply every one of them, not just the first. 

  2. Enable AMSI protection

The Antimalware Scan Interface (AMSI) is a Windows interface that lets applications hand content to whichever antivirus engine is registered on the host; Microsoft Defender Antivirus is the default provider. SharePoint Server can pass incoming web requests through AMSI, so the exploit can be detected and blocked while it is in flight, before the vulnerable code runs. We strongly recommend enabling SharePoint’s AMSI integration if you haven’t already, and making sure an AMSI-capable antivirus such as Microsoft Defender Antivirus is installed and running on every SharePoint server: AMSI on its own scans nothing, it only passes content to the engine. 

  3. Rotate your machine keys

This is really important: patching alone isn’t enough if your keys have been compromised, because the patch closes the hole but does not change the keys that were stolen through it. Rotate the ASP.NET machine keys on every potentially exposed SharePoint server (Microsoft’s guidance points to the Machine Key Rotation timer job in Central Administration or the Update-SPMachineKey cmdlet), and do it only after the patch is in place, otherwise an attacker can simply steal the new keys. Then restart IIS on every server in the farm so the new keys are active everywhere. This step revokes any persistent access attackers gained through the stolen keys. 

  4. Enhance your monitoring and response

Increase the monitoring of your network and servers for unusual activity, particularly from IIS worker processes (w3wp.exe): a SharePoint worker process spawning cmd.exe or PowerShell, or new .aspx files appearing in SharePoint’s web directories, is a strong sign of a web shell. Make sure your incident response plan is up to date and ready to activate. 

You might also want to consider engaging cybersecurity experts for a thorough compromise assessment, and keep your teams trained and vigilant against phishing and social engineering attempts, which often serve as initial entry points for broader attacks. 
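As an added example (it is not the article’s own content and not a script published by Microsoft), the following PowerShell carries the four steps above through on a SharePoint server. It assumes an elevated SharePoint Management Shell on a farm server, Windows process-creation auditing (Security event 4688) for the hunt, the default “16” hive install path, and a $PatchedBuild value that you take from Microsoft’s advisory for your edition. The SharePoint-side AMSI feature is switched on in Central Administration rather than here; the script only checks that an AMSI-capable engine is running. Update-SPMachineKey and the Machine Key Rotation timer job are the rotation paths Microsoft’s guidance points to.

```powershell
# Added example: post-patch verification, machine key rotation and a first-pass hunt
# on an on-premises SharePoint farm. Run in an elevated SharePoint Management Shell.
param(
    [version]$PatchedBuild = '0.0.0.0',   # assumption: replace with the fixed build number from Microsoft's advisory
    [int]$LookbackDays = 30
)
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Verify the patch on the server itself rather than trusting an external scanner alone.
$farm = Get-SPFarm
Write-Host "Farm build: $($farm.BuildVersion)"
if ($farm.BuildVersion -lt $PatchedBuild) {
    Write-Warning "Farm build is below the patched build ($PatchedBuild). Apply the update before going further."
}
Get-SPProduct -Local | Format-List              # per-product patch status on this server

# 2. AMSI only helps if an AMSI-capable antivirus is actually running. This checks
#    Microsoft Defender Antivirus; SharePoint's own AMSI integration feature is enabled
#    through Central Administration (see Microsoft's AMSI integration documentation).
Get-MpComputerStatus | Select-Object AMServiceEnabled, RealTimeProtectionEnabled, AntivirusSignatureLastUpdated

# 3. Rotate the ASP.NET machine keys for every web application, then restart IIS on
#    EVERY server in the farm so the new keys take effect. Only do this after step 1
#    passes: rotating keys on an unpatched server just hands the attacker fresh ones.
if (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue) {
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        Write-Host "Rotating machine keys for $($wa.Url)"
        Update-SPMachineKey -WebApplication $wa
    }
    iisreset.exe
} else {
    Write-Warning "Update-SPMachineKey not found on this build; run the Machine Key Rotation timer job from Central Administration instead."
}

# 4a. Hunt: IIS worker processes (w3wp.exe) spawning command interpreters.
#     Assumes Security event 4688 with process creation auditing enabled.
$since = (Get-Date).AddDays(-$LookbackDays)
$suspiciousChildren = 'cmd.exe', 'powershell.exe', 'pwsh.exe', 'certutil.exe', 'rundll32.exe', 'mshta.exe'
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
  ForEach-Object {
      # Pull the named EventData fields out of the event XML (field names are stable across 4688 events).
      $data = @{}
      ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
      [pscustomobject]@{
          Time    = $_.TimeCreated
          Parent  = $data['ParentProcessName']
          Child   = $data['NewProcessName']
          Command = $data['CommandLine']
      }
  } |
  Where-Object {
      $_.Parent -like '*\w3wp.exe' -and
      ($suspiciousChildren -contains [IO.Path]::GetFileName($_.Child))
  } | Format-Table -AutoSize

# 4b. Hunt: .aspx files recently created or modified under the SharePoint LAYOUTS directory.
#     The "16" hive applies to SharePoint 2016/2019/Subscription Edition; adjust for other versions.
$layouts = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
Get-ChildItem -Path $layouts -Recurse -Filter *.aspx -ErrorAction SilentlyContinue |
  Where-Object { $_.CreationTime -gt $since -or $_.LastWriteTime -gt $since } |
  Select-Object FullName, CreationTime, LastWriteTime, Length
```

Run step 4 on every SharePoint server, not just the one you patched first: the machine keys are shared across the farm, so a forged request is accepted by any server that still has the old keys. Anything the hunt turns up (a w3wp.exe child process or an unexpected .aspx file) should be treated as a confirmed compromise and handed to incident response rather than simply deleted.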

Moving forward 

We recommend that all businesses running on-premises SharePoint treat this as a critical security incident, regardless of whether you’ve detected any compromise. Exploitation was under way before a patch existed, which means you may have been exposed without knowing it. 

This incident is a strong reminder to take cyber security seriously. Stay informed, stay patched, and stay vigilant. 

If you need help assessing your SharePoint security or implementing these recommendations, we’re just a message away. Get in touch with the Synextra team today. 
