Is Your SharePoint Secure? Your Urgent Checklist After the Storm-2603 Breaches

What if your organization’s collaboration backbone has been quietly compromised? What if while your teams shared documents, managed projects, and built business relationships through SharePoint, unknown actors were silently copying everything?

This isn’t speculation. Since July 18, 2025, Storm-2603 and associated Chinese threat groups have attacked over 300 organizations worldwide. They didn’t need sophisticated zero-day exploits. They walked through vulnerabilities that organizations thought were already patched.

“The unsettling part? These attackers succeeded against government agencies, Fortune 500 companies, and organizations with dedicated security teams.”

What would happen to your SharePoint deployment if they were able to breach these highly secured environments?

Key Takeaways

  • ☑️Storm-2603, a Chinese threat group, compromised over 300 organizations worldwide in just days by exploiting SharePoint vulnerabilities that companies thought were already patched.
  • ☑️The attacks targeted government agencies, Fortune 500 companies, and well-defended organizations, proving that traditional security measures are insufficient against nation-state actors.
  • ☑️These vulnerabilities only affect on-premises SharePoint servers—SharePoint Online in Microsoft 365 was completely unaffected by the campaign.
  • ☑️Organizations must immediately implement the 10-point security checklist to protect existing on-premises SharePoint deployments from similar attacks.
  • ☑️The fundamental security challenges of on-premises SharePoint infrastructure make cloud migration a strategic necessity rather than a convenience upgrade.

How 300+ Organizations Fell in Days

[Figure: Storm-2603 attack diagram]

In just the past few months, over 300 companies worldwide have fallen victim to the same SharePoint attack. What’s shocking isn’t just the number, it’s how quickly it happened. Most of these organizations went from fully operational to completely compromised in a matter of days.

The attackers behind this wave are Storm-2603, two coordinated teams that have been perfecting SharePoint attacks since 2012. Linen Typhoon targets government and defense companies for secrets. Violet Typhoon goes after former government workers, nonprofits, and research organizations across the US, Europe, and Asia.

Their success comes from a simple but deadly approach: they exploit two specific SharePoint security flaws, plant hidden files that look legitimate, and steal system passwords. Even when companies discover the breach and try to fix it, Storm-2603 has already created multiple backdoors. They used to just steal information, but now they also deploy ransomware, locking companies out of their own systems while demanding payment.

The way they keep access is what makes this especially risky. They use web shells, which are files that look like authentic SharePoint installations and have names like spinstall0.aspx.

These 300+ organizations fell because most IT teams don’t realize their SharePoint systems have these vulnerabilities. The gap between what companies think is secure and what actually is secure made this massive wave of attacks possible.

More Than Just Stolen Data: The True Cost of These Attacks

Although attack statistics are the main focus of headlines, the true impact on affected organisations is far more profound:

[Figure: SharePoint attack consequences]

✔️Trust Infrastructure Breakdown: Attackers gain access to more than just the current data when they retrieve SharePoint’s authentication keys. They have the ability to pretend to be administrators, create fake user identities, and keep access even after password changes.
“The fundamental trust that enables secure collaboration becomes compromised.”

✔️Supply Chain Amplification: Many of the targeted organisations are partners or suppliers to larger businesses. Vendors frequently obtain access to contracts and communications with large corporations when Storm-2603 compromises their SharePoint environment. The effects of the attack extend beyond the original victim.

✔️Regulatory Consequences: Companies in regulated industries have to deal with even more problems. Healthcare organisations need to think about HIPAA violations, financial services need to deal with compliance issues, and government contractors need to think about security clearance issues. The cost goes far beyond just fixing things.

✔️Operational Disruption: Storm-2603 doesn’t cause the immediate, visible disruption that most ransomware does; instead, it causes damage that is far less obvious.

Organisations must assume that sensitive SharePoint content has been exposed, which means extensive forensic work and difficult conversations with stakeholders.

Industry-Wide Ripple Effects

The Storm-2603 campaign has had effects on more than just the organisations it directly targeted:

✔️Impact on the Government Sector: Several government agencies were hacked, which led to stricter security requirements for suppliers and mandatory evaluations for contractors. Some companies have had their contracts put on hold until security issues are fixed.

✔️Response from Financial Services: Many banks and other financial institutions found signs of compromise, which led to regulatory scrutiny and the need for thorough vendor risk assessments. Companies that have SharePoint on their own servers now have to do more due diligence.

✔️Healthcare Implications: Healthcare organisations could have broken HIPAA rules and had trouble working together on research. While they were doing forensic analysis of their SharePoint environments, a number of pharmaceutical companies stopped working together.

✔️Insurance Industry Changes: Cyber insurance companies now need specific SharePoint security assessments for policy renewals. Companies that have on-premises deployments have to pay higher premiums or may not be covered at all.

Why This Still Matters to Your Organization

After implementing the 10-point security checklist, you might feel more protected, and you are. But the Storm-2603 attacks revealed something deeper that every organization must understand: these sophisticated measures are your new baseline, not your destination.

“These attacks succeeded because they exploited the fundamental complexity of on-premises SharePoint deployments, not because organizations lacked security awareness.”

Even with all ten security controls in place, consider what remains at risk in your SharePoint environment: employee documents, customer contracts, financial records, strategic plans, and intellectual property. The Storm-2603 campaign demonstrated they could access all of this within hours of initial compromise, even against well-defended targets.

The Persistent Reality

The most unsettling truth is that many organizations implementing these controls are still discovering evidence of compromise months later. Your enhanced monitoring might reveal that your SharePoint system has been silently leaking data for longer than you realized, despite your security tools showing everything was fine.

“The question isn’t whether sophisticated attackers can breach your hardened on-premises SharePoint, it’s whether your enhanced detection capabilities will discover the breach before irreparable damage is done.”

The 10-Point SharePoint Security Checklist

1. Audit Your SharePoint Version and Security Baseline

Start by doing a thorough evaluation of your SharePoint infrastructure. Understanding your whole attack surface is more important than simply verifying version numbers. Keep track of each SharePoint server, web application, and service application that is operational in your setting.

Versions such as SharePoint Server 2016, 2019, and Subscription Edition are currently supported. Support status by itself, however, does not imply security. The configuration dependencies, update rollup requirements, and security baselines vary by version, which impacts your vulnerability posture.

To find possible security holes that go beyond patching, use the SharePoint Configuration Analyser. Check for misconfigured web apps, unsecured service accounts, and outdated authentication techniques that might offer more attack points.

Critical check: You are using unsupported software without security updates if you are using SharePoint Foundation 2013 or earlier. These systems are helpless against Storm-2603 attacks, not just susceptible to them.

2. Implement Comprehensive Security Updates with Verification

Installing Microsoft’s security updates for the Storm-2603 vulnerabilities is not enough; the installation also needs to be verified and validated. The updates fix CVE-2025-53770 (SharePoint ToolShell Auth Bypass and RCE) and CVE-2025-53771 (SharePoint ToolShell Path Traversal), but applying them properly involves several steps.

Install the most recent cumulative update for SharePoint Server Subscription Edition and make sure the security fixes are included. Install the Language Pack KB5002753 and Security Update KB5002754 for SharePoint 2019. Language Pack KB5002759 and Security Update KB5002760 are required for SharePoint 2016.

After installation, restart the SharePoint Timer Service and run PSConfig.exe -cmd upgrade -inplace b2b -wait to ensure all components are properly updated. Verify the installation by checking the SharePoint Configuration Database version and confirming no upgrade failures in the logs.

Verifying that the patches have truly resolved the vulnerabilities is a step that most organisations overlook. Use vulnerability scanners to confirm that the authentication bypass vectors have been closed and that the ToolPane endpoint no longer responds to exploit attempts.

3. Configure AMSI Integration for Deep Code Analysis

Antimalware Scan Interface (AMSI) integration in SharePoint provides runtime protection against malicious scripts, even on systems that haven’t been fully patched. This is critical for Storm-2603 defense because their attacks rely heavily on PowerShell execution and reflective code loading.

Configure AMSI in Full Mode through Central Administration or PowerShell. Full Mode scans all script content before execution, while Basic Mode only scans high-risk scenarios. Given the sophistication of these attacks, Full Mode is non-negotiable.

Use PowerShell to verify AMSI configuration across all servers:

```powershell
Get-SPAntimalwareSettings | Select-Object ScanOnUpload, ScanOnDownload, AllowDownloadInfected, CleaningEnabled
```

The configuration should show scanning enabled for both upload and download, with cleaning enabled and infected downloads blocked. Test AMSI functionality by attempting to upload a test malware file—it should be immediately detected and blocked.

4. Deploy Advanced Endpoint Detection Across SharePoint Infrastructure

Installing Microsoft Defender for Endpoint on SharePoint servers is a must for identifying the post-exploitation actions that characterise Storm-2603 attacks. These actors employ fileless malware, reflective DLL loading, and living-off-the-land strategies that are overlooked by conventional antivirus software.

Set up Defender for Endpoint with improved detection rules tailored to SharePoint settings. Turn on web shell detection, IIS worker process behaviour analysis, and PowerShell logging and monitoring. The Storm-2603 campaign specifically uses w3wp.exe processes to run encoded PowerShell commands, behaviour that Defender can detect if it is set up correctly.

Establish unique detection guidelines for the particular indicators seen in Storm-2603 attacks:

  • Files named spinstall*.aspx in the TEMPLATE\LAYOUTS directories
  • PowerShell execution spawned by IIS worker processes
  • Registry access patterns associated with attempts to extract machine keys
  • Network connections to known command and control infrastructure

5. Execute Machine Key Rotation with Cryptographic Verification

Rotating machine keys is not just a checkbox: it is a crucial cryptographic operation that invalidates any session tokens or authentication material Storm-2603 actors may have extracted. The attacks specifically target ASP.NET machine keys because they offer continuous access even after the initial vulnerabilities are fixed.

Execute machine key rotation using PowerShell with explicit verification:

```powershell
# Rotate the keys, then read them back to confirm new values were generated
Set-SPMachineKey -LocalDistributedCacheEnabled $true

Get-SPMachineKey | Format-List
```

After rotation, compare the key values before and after the operation to confirm that new keys have been generated. Both the validation key and the decryption key should be entirely new values of the expected length and entropy.

Restart IIS across all SharePoint servers using iisreset /force to ensure all application pools pick up the new keys. Monitor the SharePoint ULS logs for any authentication failures that might indicate incomplete key rotation across the farm.

Critical timing: Perform machine key rotation immediately after applying security updates but before bringing systems back online. This ensures that any previously compromised authentication tokens become invalid.

6. Implement Advanced Threat Hunting for SharePoint-Specific Indicators

Storm-2603’s attack patterns leave specific forensic evidence that can be detected through targeted threat hunting. Their methodology involves precise file placement, registry modifications, and network communication patterns that distinguish them from other threat actors.

Deploy hunting queries that look for the specific artifacts of Storm-2603 operations:

File system indicators:

☑️Web shells in C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\[15|16]\TEMPLATE\LAYOUTS\

☑️PowerShell logs showing base64-encoded commands executed by w3wp.exe processes

☑️Creation of debug_dev.js files containing configuration data

Registry and configuration indicators:

☑️Unauthorized modifications to SharePoint configuration databases

☑️Changes to machine key values in web.config files

☑️New service principal names or authentication providers

Network behavior patterns:

☑️Outbound connections to infrastructure at the IP addresses 131.226.2.6, 134.199.202.205, 104.238.159.149, 188.130.206.168

☑️DNS queries to ngrok-free.app subdomains

☑️HTTP POST requests to /ToolPane endpoints with suspicious payloads

Use Microsoft Defender XDR hunting queries specifically designed for these indicators, or implement equivalent detection logic in your SIEM platform.
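An added hunting script for the file-system indicators in points 4 and 6 (this is example code, not the article’s or Microsoft’s): it walks the hive 15 and 16 LAYOUTS directories named above, flags spinstall*.aspx and debug_dev.js by name plus any .aspx written recently, and records hashes and timestamps for the incident file. The default hive paths and the 90-day lookback are assumptions.

```powershell
# Added example, not the article's own code. Run elevated on each SharePoint
# server (Invoke-Command across the farm if WinRM is available).
# Assumptions: default install paths below; 90-day lookback is a triage window.
$Hives = @(
    'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS',
    'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
)
$LookbackDays = 90
$Cutoff = (Get-Date).ToUniversalTime().AddDays(-$LookbackDays)

# Filename patterns the article lists: spinstall*.aspx web shells and
# debug_dev.js drops. -like matching is case-insensitive by default.
$KnownNames = @('spinstall*.aspx', 'debug_dev.js')

$Findings = foreach ($hive in $Hives) {
    if (-not (Test-Path -LiteralPath $hive)) { continue }

    Get-ChildItem -LiteralPath $hive -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.aspx', '.js' } |
        ForEach-Object {
            $file    = $_
            $nameHit = @($KnownNames | Where-Object { $file.Name -like $_ })
            # LAYOUTS only changes when SharePoint itself is patched, so a
            # recently written .aspx that is not a known name still warrants
            # a look; it is a triage signal, not proof of compromise.
            $recent  = $file.Extension -eq '.aspx' -and $file.LastWriteTimeUtc -gt $Cutoff

            if ($nameHit.Count -gt 0) {
                $reason = "name matches $($nameHit -join ', ')"
            } elseif ($recent) {
                $reason = "aspx written after $($Cutoff.ToString('u'))"
            } else {
                return   # inside ForEach-Object, return skips to the next item
            }

            [PSCustomObject]@{
                Computer    = $env:COMPUTERNAME
                Path        = $file.FullName
                Reason      = $reason
                SizeBytes   = $file.Length
                CreatedUtc  = $file.CreationTimeUtc
                ModifiedUtc = $file.LastWriteTimeUtc
                Sha256      = (Get-FileHash -LiteralPath $file.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($Findings) {
    $Findings | Sort-Object ModifiedUtc -Descending | Format-Table Path, Reason, ModifiedUtc, Sha256 -AutoSize
    # Preserve the evidence record before anyone touches the files (point 9).
    $Findings | Export-Csv -LiteralPath "$env:TEMP\layouts-hunt-$env:COMPUTERNAME.csv" -NoTypeInformation
} else {
    Write-Host "No file-system indicators found under the LAYOUTS directories on $env:COMPUTERNAME."
}
```

A hit on a known name is grounds to image the server, not to delete the file; the CSV is the first line of the evidence record.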

7. Architect Network Segmentation for SharePoint Isolation

Storm-2603 attacks start from internet-facing SharePoint servers and spread laterally over trusted internal connections, which is why traditional network perimeters have not stopped them. Implement zero-trust segmentation that treats SharePoint servers as potentially compromised from the outset.

Establish stringent ingress and egress filtering on network segments specifically designated for SharePoint infrastructure. SQL Server databases, domain controllers for authentication, and designated management workstations are the only services that SharePoint servers should be able to communicate with. All other lateral movement pathways should be blocked.

Set up application-layer firewalls that can inspect SharePoint-specific protocols. Watch for unauthorised PowerShell remoting attempts, suspicious Central Administration access patterns, and unusual CSOM (Client-Side Object Model) operations.

Use tools for network detection and response that are aware of the traffic patterns in SharePoint. Communication flows in normal SharePoint operations are predictable; deviations frequently signify the advancement of a compromise or attack.
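One way to enforce the egress allowlist described above on a single SharePoint server, using the built-in Windows Defender Firewall (example code added here, not from the article). Every address and port is an assumption for a constructed farm; the weak setting it replaces is shown first.

```powershell
# Added example, not the article's own code: an outbound allowlist for a
# SharePoint server using the built-in Windows Defender Firewall.
# All addresses are assumptions for a constructed farm; replace them with your
# SQL, domain controller, farm and management hosts, and test on one server
# before rolling out, because a wrong default-block rule isolates the farm.
$SqlServers  = @('10.10.20.10', '10.10.20.11')     # SQL Server / AlwaysOn listener
$DomainCtrls = @('10.10.10.5', '10.10.10.6')       # authentication and DNS only
$FarmServers = @('10.10.50.21', '10.10.50.22')     # other SharePoint servers in the farm
$MgmtHosts   = @('10.10.30.0/24')                  # jump hosts / management workstations
$WsusServer  = @('10.10.40.15')                    # patch source for point 2
$Group       = 'SharePoint egress allowlist'

# Weak setting this replaces: the profile default of allowing all outbound
# traffic, which is what lets a web shell or encoded PowerShell reach
# command-and-control hosts and ngrok tunnels.
Get-NetFirewallProfile | Format-Table Name, Enabled, DefaultOutboundAction

# Remove an earlier copy of the rules so the script is safe to re-run.
Get-NetFirewallRule -Group $Group -ErrorAction SilentlyContinue | Remove-NetFirewallRule

$Allow = @(
    @{ Name = 'SQL Server';          Remote = $SqlServers;  Proto = 'TCP'; Port = '1433' },
    @{ Name = 'AD Kerberos';         Remote = $DomainCtrls; Proto = 'TCP'; Port = '88,464' },
    @{ Name = 'AD Kerberos UDP';     Remote = $DomainCtrls; Proto = 'UDP'; Port = '88,464' },
    @{ Name = 'AD LDAP/GC';          Remote = $DomainCtrls; Proto = 'TCP'; Port = '389,636,3268,3269' },
    @{ Name = 'AD DNS';              Remote = $DomainCtrls; Proto = 'UDP'; Port = '53' },
    @{ Name = 'AD DNS TCP';          Remote = $DomainCtrls; Proto = 'TCP'; Port = '53' },
    @{ Name = 'AD SMB/RPC';          Remote = $DomainCtrls; Proto = 'TCP'; Port = '445,135,49152-65535' },
    @{ Name = 'AD NTP';              Remote = $DomainCtrls; Proto = 'UDP'; Port = '123' },
    @{ Name = 'WinRM to management'; Remote = $MgmtHosts;   Proto = 'TCP'; Port = '5985,5986' },
    @{ Name = 'WSUS';                Remote = $WsusServer;  Proto = 'TCP'; Port = '8530,8531' }
)
foreach ($a in $Allow) {
    New-NetFirewallRule -DisplayName "Allow $($a.Name)" -Group $Group -Direction Outbound -Action Allow `
        -Protocol $a.Proto -RemoteAddress $a.Remote -RemotePort ($a.Port -split ',') | Out-Null
}
# Farm members exchange Distributed Cache, search and service-application
# traffic on many ports, so they are allowed to each other in full.
New-NetFirewallRule -DisplayName 'Allow farm members' -Group $Group -Direction Outbound -Action Allow `
    -RemoteAddress $FarmServers | Out-Null

# Flip the default: anything not allowlisted above is dropped and logged, which
# makes a blocked outbound connection from w3wp.exe a log line worth alerting on.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block `
    -LogBlocked True -LogFileName '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# Verify what is now permitted.
Get-NetFirewallRule -Group $Group | Sort-Object DisplayName | Format-Table DisplayName, Enabled, Action -AutoSize
```

Inbound rules are untouched; only the outbound default changes, so user traffic to the web front end continues while the server loses the ability to call out to arbitrary hosts.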

8. Establish Comprehensive Monitoring for Post-Exploitation Activities

Comprehensive monitoring can identify the predictable patterns in Storm-2603’s post-exploitation activities. Their activities are centred on data exfiltration, lateral movement, and credential harvesting, all of which produce observable artefacts.

Implement monitoring for:

Credential access patterns:

  • LSASS memory access from SharePoint processes
  • Kerberos ticket requests with unusual service principal names
  • NTLM authentication failures followed by successful logins
  • PowerShell execution of credential-dumping tools

Data access anomalies:

  • Large-scale document downloads from SharePoint content databases
  • Unusual SQL queries against SharePoint configuration databases
  • Access to SharePoint service account credentials in registry or configuration files
  • Backup file access or unauthorized database exports

Command and control communication:

  • DNS queries to recently registered domains
  • HTTP/HTTPS traffic to non-business IP addresses
  • Use of tunneling protocols like ngrok or similar services
  • Encrypted communication channels established from SharePoint servers

Configure alerting thresholds that account for normal SharePoint operations while detecting malicious activities. SharePoint generates significant legitimate traffic, so alerts must be tuned to avoid false positives while maintaining sensitivity to actual threats.
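An added triage script for the network indicators in points 6 and 8 (example code, not the article’s own): it parses IIS W3C logs from a SharePoint web front end by their #Fields header, flags anonymous POSTs to the ToolPane endpoint, requests for spinstall*.aspx, and any client on the indicator list, and shows why an authenticated ToolPane POST from a page editor is left out, which is the false-positive tuning the paragraph above calls for. The log folder and the sample lines are assumptions.

```powershell
# Added example, not the article's own code. Triage IIS W3C logs on a
# SharePoint web front end for the network indicators in points 6 and 8.
# When the real log folder is missing (e.g. on an analyst workstation) the
# constructed sample below is used instead so the logic can be dry-run.
$LogDir = 'C:\inetpub\logs\LogFiles'

# Indicator addresses as listed in the article.
$IocIps = @('131.226.2.6', '134.199.202.205', '104.238.159.149', '188.130.206.168')

# Constructed sample shaped like IIS W3C output; IIS writes "+" for spaces
# inside a field, so a plain split on " " is safe.
$SampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 02:14:07 10.0.0.5 GET /sites/finance/Shared%20Documents/q3.xlsx - 443 CONTOSO\alice 10.0.1.20 Mozilla/5.0 - 200 0 0 31
2025-07-19 02:15:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 131.226.2.6 Mozilla/5.0 - 200 0 0 188
2025-07-19 02:15:43 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 131.226.2.6 Mozilla/5.0 - 200 0 0 12
2025-07-19 02:16:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\bob 10.0.1.33 Mozilla/5.0 /sites/hr/SitePages/Home.aspx 200 0 0 95
'@

function Read-IisLog {
    # Turns W3C lines into objects keyed by the names in the #Fields header,
    # so the script copes with whatever field order the server is configured for.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line.StartsWith('#Fields:')) { $fields = $line.Substring(8).Trim() -split ' '; continue }
        if ($line.StartsWith('#') -or -not $fields -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # malformed line, skip it
        $row = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }
        [PSCustomObject]$row
    }
}

$lines = if (Test-Path -LiteralPath $LogDir) {
    Get-ChildItem -LiteralPath $LogDir -Recurse -Filter *.log | Get-Content
} else {
    $SampleLog -split "`r?`n"
}

$Hits = foreach ($r in (Read-IisLog -Lines $lines)) {
    $reasons = @()
    # Page editing also posts to ToolPane.aspx, and those requests carry the
    # editor's account; on a Windows-authenticated farm an anonymous POST
    # (cs-username "-") is the part that should never happen.
    if ($r.'cs-method' -eq 'POST' -and $r.'cs-uri-stem' -like '*/ToolPane.aspx' -and $r.'cs-username' -eq '-') {
        $reasons += 'anonymous POST to ToolPane endpoint'
    }
    if ($r.'cs-uri-stem' -like '*/spinstall*.aspx') { $reasons += 'request for spinstall*.aspx' }
    if ($IocIps -contains $r.'c-ip')                { $reasons += 'client IP on indicator list' }
    if ($reasons.Count -gt 0) {
        [PSCustomObject]@{
            When     = "$($r.date) $($r.time)"
            ClientIp = $r.'c-ip'
            User     = $r.'cs-username'
            Method   = $r.'cs-method'
            Uri      = $r.'cs-uri-stem'
            Status   = $r.'sc-status'
            Reasons  = $reasons -join '; '
        }
    }
}

# Sort by source so one address probing ToolPane and then fetching the web
# shell reads as a single sequence rather than two unrelated alerts.
if ($Hits) { $Hits | Sort-Object ClientIp, When | Format-Table -AutoSize } else { Write-Host 'No indicator matches.' }
```

On the constructed sample, the two requests from 131.226.2.6 are reported and CONTOSO\bob’s authenticated edit is not.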

9. Develop Forensic-Ready Incident Response Procedures

Storm-2603 attacks require incident response procedures that account for the specific tactics, techniques, and procedures these actors employ. Traditional incident response often focuses on malware removal and system restoration, but nation-state actors like Storm-2603 establish deep persistence that requires forensic-level remediation.

Create response procedures that address:

Immediate containment:

  • Network isolation that preserves forensic evidence while stopping lateral movement
  • PowerShell execution policy changes to prevent further script-based attacks
  • IIS application pool isolation to contain web shell activities
  • Database connection restrictions to prevent data exfiltration

Forensic evidence preservation:

  • Memory dumps from SharePoint servers before any remediation activities
  • IIS logs, SharePoint ULS logs, and Windows Event logs from the attack timeframe
  • Network traffic captures showing command and control communication
  • File system snapshots that preserve web shell artifacts and modified configurations

Recovery validation:

  • Cryptographic verification that machine keys have been properly rotated
  • Database integrity checks to ensure no unauthorized schema modifications
  • Configuration validation to confirm no backdoor administrative accounts
  • Network traffic analysis to verify no ongoing command and control communication

The recovery process must assume that any credentials accessed by SharePoint service accounts have been compromised. This includes domain service accounts, SQL Server authentication, and any stored credentials in SharePoint configuration databases.

10. Implement Continuous Security Assessment and Hardening

The fact that Storm-2603 was successful against patched systems shows that security is a continuous process that needs to be evaluated and improved. Your security posture must change as these actors modify their tactics to get around new defences.

Establish regular security assessments that go beyond vulnerability scanning:

Configuration drift monitoring:

  • Automated detection of unauthorized changes to SharePoint farm configurations
  • Monitoring for new web applications, service applications, or site collections
  • Tracking changes to authentication providers, trusted identity token issuers
  • Validation that security hardening measures remain in place

Threat modeling updates:

  • Regular reassessment of SharePoint attack surfaces as new features are deployed
  • Evaluation of third-party SharePoint solutions and their security implications
  • Analysis of new threat intelligence related to SharePoint-targeting threat actors
  • Testing of incident response procedures against evolved attack scenarios

Proactive threat hunting:

  • Regular searches for indicators of compromise that might have been missed
  • Behavioral analysis to identify unusual SharePoint usage patterns
  • Correlation of SharePoint security events with broader enterprise security monitoring
  • Validation that security controls are effectively preventing and detecting attacks

The key insight from Storm-2603 is that these actors operate with patience and persistence. They establish footholds and wait for opportunities to expand access. Your security program must match their persistence with continuous vigilance and improvement.

Why These Attacks Change Everything

The Storm-2603 attacks aren’t just another security incident; they’re a wake-up call for how we protect our digital workplaces. Hundreds of organizations, from government agencies to large companies, found their on-premises SharePoint systems secretly breached for weeks or even months.

This has deeply shaken IT leaders. Even those who followed best practices, invested in tools, and patched regularly were hit. It’s creating “defense fatigue”, a stark realization that traditional security might not be enough against well-funded nation-state attackers who have endless time and resources.

Beyond the Breach: The Deeper Impact

☑️Broken Trust: These attacks stole crucial ASP.NET machine keys, which are like master keys for your SharePoint’s identity system. This means attackers could forge credentials and maintain access, undermining the very foundation of your system’s trust.

☑️Supply Chain Risk: If a supplier’s SharePoint is compromised, your organization could be exposed too. Contracts, communications, and shared documents become vulnerable, creating a ripple effect across business partnerships.

☑️Regulatory Fallout: Industries like finance, healthcare, and defense now face intense scrutiny. A SharePoint breach can trigger serious compliance violations (HIPAA, SOX, FISMA) and major legal headaches.

Why Moving to the Cloud Isn’t Optional Anymore

The harsh truth from Storm-2603 is simple: these vulnerabilities only affect on-premises SharePoint servers. SharePoint Online in Microsoft 365 is safe. This isn’t just a marketing point; it’s a critical architectural difference that can mean life or death for your business continuity.

[Figure: SharePoint on-premises vs. SharePoint Online]

☑️Shrinking Your Attack Surface: On-premises SharePoint creates countless entry points for attackers. Moving to the cloud dramatically shrinks this “attack surface” because Microsoft manages the core infrastructure security.

☑️Balancing the Scales: On-premises, your IT team is up against nation-state attackers with unlimited budgets. In the cloud, Microsoft’s global security team handles threat detection and response at a scale no single organization can match. When a vulnerability is found, patches are applied automatically across SharePoint Online.

☑️Built-in Compliance: Meeting complex regulations (GDPR, HIPAA, SOX) is far easier with cloud platforms that offer built-in compliance controls, audit trails, and governance capabilities.

Final Thoughts: The Road Ahead

The Storm-2603 campaign is more than just another cyber incident; it’s a stark reminder that the landscape of digital threats has fundamentally changed. Your on-premises SharePoint environment, regardless of past investments or diligent patching, faces a new level of sophisticated, persistent risk. The choice before every organization is clear: implement the urgent, proactive security measures detailed in this checklist, or begin the strategic shift to cloud-based solutions like SharePoint Online, which offer inherent architectural resilience against these evolving threats. Ignoring this new reality is no longer an option. The time for decisive action to protect your collaboration infrastructure, your data, and your organization’s future, is now.

“At Aufait Technologies, we’ve guided organizations through security-focused Microsoft 365 migrations. We’ve seen how cloud platforms eliminate entire categories of vulnerabilities while providing better collaboration capabilities.”

Our approach addresses the core issues that make on-premises deployments vulnerable:

  • ✔️Security-by-design architecture with conditional access and zero-trust principles that eliminate network-based attacks.
  • ✔️Automated security management where cloud platforms handle updates, threat detection, and response at scale.
  • ✔️Advanced threat protection with capabilities that would cost hundreds of thousands to implement on-premises.
  • ✔️Future-proof security where platforms evolve automatically to address emerging threats.

“The organizations that migrate to Microsoft 365 aren’t just avoiding Storm-2603 attacks, they’re building more resilient collaboration environments for the future.”

Don’t wait for your organization to become the next victim. Contact Aufait Technologies today to discuss how our Microsoft 365 modernization services can eliminate SharePoint vulnerabilities while building a more secure digital workplace.

The threats are real, the timeline is now. Schedule your security assessment and modernization consultation today.

Frequently Asked Questions (FAQ)

1. What is a Storm-2603 attack?

Storm-2603 attacks target on-premises SharePoint servers using two specific vulnerabilities (CVE-2025-53770 and CVE-2025-53771). They plant hidden files called web shells and steal system authentication keys to maintain persistent access.

2. How do I check whether SharePoint has been hacked?

Look for suspicious files named “spinstall0.aspx” or similar in SharePoint directories, unusual PowerShell activity from IIS processes, unexpected network connections, and files named “debug_dev.js” containing configuration data.

3. Is SharePoint Online safe from Storm-2603?

Yes, absolutely. Storm-2603 attacks only affect on-premises SharePoint servers. SharePoint Online in Microsoft 365 was completely unaffected because of its different architecture and Microsoft’s managed security.

4. How do I secure a SharePoint server?

Apply security updates immediately, rotate ASP.NET machine keys, enable AMSI protection, deploy endpoint detection, implement network segmentation, and establish comprehensive monitoring using our 10-point security checklist.

5. Should I migrate SharePoint to the cloud?

Yes, especially after Storm-2603. Cloud migration eliminates these vulnerability categories entirely while providing better security, automatic updates, and compliance capabilities at lower total cost than securing on-premises infrastructure.

By Akhila Mathai

Akhila Mathai is a technology-focused content specialist known for turning complex digital concepts into clear, structured narratives that businesses can act on. Her work centers around mobile applications, AI-driven solutions, fintech, and enterprise systems, with a strong emphasis on practical relevance over theory. She brings a detail-oriented approach to every piece, combining research, real-world context, and strategic thinking to ensure the content not only informs but also supports decision-making. Her writing reflects a deep interest in how technology translates into measurable business value, making her voice both analytical and purpose driven. Connect with Akhila via: https://www.linkedin.com/in/akhila-mathai-159864117/