SharePoint Critical Zero-Day Vulnerability

Your university and your business operations could face serious risks. The Microsoft SharePoint zero-day attack affected many institutions this past summer. Microsoft is urging administrators to take action and apply the latest security updates.

This exploit is being used in mass attacks. At least 400 organizations have been confirmed to have been breached.

The Washington Post stated that the U.S. government and partners in Canada and Australia are investigating the hack of SharePoint servers.

The National Nuclear Security Administration and the Department of Homeland Security have been compromised. Many other institutions, including universities, may have also been breached.

What is SharePoint?

SharePoint is a private web-based platform where you can store and share files, manage projects, collaborate on a document with your team, and build custom pages and dashboards.

SharePoint Server is installed on-premises in many organizations, such as government agencies, universities, hospitals, and various private companies.

What is a zero-day attack?

A zero-day attack is a cyberattack that exploits a previously unknown security vulnerability before the developer(s) and/or vendor(s) create a patch. The Canadian Cyber Centre is recommending that users and administrators apply any necessary updates to their servers. This information can be found at the following link:

https://www.cyber.gc.ca/en/alerts-advisories/microsoft-security-advisory-av25-433

Who is behind the attack?

Microsoft’s July 2025 blog post suggests that Linen Typhoon and Violet Typhoon are two Chinese groups that are suspected of having exploited these vulnerabilities.

How does this exploit work?

According to Picus Security, the groups are believed to have followed these steps:

  • The vulnerability allows an attacker to send a specially crafted HTTP POST request to this endpoint: /_layouts/15/ToolPane.aspx?DisplayMode=Edit
  • The request includes a Referer header pointing to: /layouts/15/signout.aspx
  • This bypasses authentication and allows an attacker to execute code remotely (RCE), craft payloads, and extract cryptographic secrets. It provides a persistent backdoor, facilitates theft of sensitive data, and allows the execution of ransomware.
  • The attacker uploads a malicious .aspx file to the SharePoint layouts directory: C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS\spinstall0.aspx
  • The goal is to extract cryptographic secrets from the server configuration: the ValidationKey, the DecryptionKey and the signing algorithm.
  • Once the keys are stolen, the attacker can maintain access even after a patch.
  • ASP.NET uses __VIEWSTATE to rebuild the page with your previous inputs.
  • ysoserial.net is a tool that exploits applications performing unsafe deserialization of objects. The attacker uses it to embed system commands in a payload and sends another GET request to the SharePoint page: GET /_layouts/15/success.aspx?__VIEWSTATE=<malicious_payload>
  • SharePoint accepts the payload because its MAC was produced with the stolen ValidationKey, deserializes it, and the embedded command runs: w3wp.exe → cmd.exe → powershell.exe -EncodedCommand
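The request pattern above leaves traces in the IIS web logs of the SharePoint server. As an added example (not from the post or from Picus Security), here is a small scanner that flags the three indicators listed in the steps: the ToolPane.aspx POST with a signout.aspx Referer, any hit on spinstall0.aspx, and a GET carrying __VIEWSTATE in its query string. The log lines are constructed for the example, in IIS W3C format with an assumed field order.

```python
from urllib.parse import parse_qs

# Constructed sample lines in IIS W3C format (made up for this example, not real logs).
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(Referer)
2025-07-19 02:11:03 203.0.113.7 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 200 /layouts/15/signout.aspx
2025-07-19 02:11:04 203.0.113.7 GET /_layouts/15/spinstall0.aspx - 200 -
2025-07-19 02:11:09 203.0.113.7 GET /_layouts/15/success.aspx __VIEWSTATE=AAEAAAD%2F%2F%2F%2F%2FAQAA 200 -
2025-07-19 02:12:00 198.51.100.4 GET /sites/hr/SitePages/Home.aspx - 200 https://intranet.example/
2025-07-19 02:12:30 198.51.100.4 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 200 https://intranet.example/sites/hr/SitePages/Home.aspx
"""

def classify(method, stem, query, referer):
    """Return the name of the matching indicator from the post, or None."""
    stem_l = stem.lower()
    params = parse_qs(query) if query != "-" else {}
    # Steps 1-2: POST to ToolPane.aspx in edit mode with a Referer of signout.aspx
    if (method == "POST" and stem_l.endswith("/_layouts/15/toolpane.aspx")
            and params.get("DisplayMode", [""])[0].lower() == "edit"
            and referer.lower().rstrip("/").endswith("signout.aspx")):
        return "toolpane_signout_referer"
    # Step 4: any hit on the dropped spinstall0.aspx page
    if stem_l.endswith("/spinstall0.aspx"):
        return "spinstall0_webshell"
    # Later step: __VIEWSTATE in a GET query string (it is normally a POSTed form field)
    if method == "GET" and "__VIEWSTATE" in params:
        return "viewstate_in_get_query"
    return None

def scan_iis_log(text):
    """Scan W3C log text; return one finding dict per matching request."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 8:
            continue
        _date, _time, ip, method, stem, query, status, referer = parts[:8]
        rule = classify(method, stem, query, referer)
        if rule:
            findings.append({"line": lineno, "ip": ip, "rule": rule, "status": status})
    return findings

if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE_LOG):
        print(finding)
```

The legitimate edit-mode POST from an authenticated user (normal Referer) is not flagged, which keeps the first rule usable on busy servers.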

How to detect and mitigate potential attacks:

The following video explains how this exploit works:

Cryptographic Connections:

In order to keep the backdoor active, the attacker needs to have access to both the ValidationKey and the DecryptionKey. The DecryptionKey is symmetric, which means the same key is used for both encryption and decryption. It protects user identity and session information from tampering or eavesdropping during transmission, which provides confidentiality. The ValidationKey ensures the integrity of the view state form data: it is used to generate and validate MACs (Message Authentication Codes).
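The following is an added example (not from the post, and not SharePoint's or ASP.NET's code) that models the ValidationKey's role as a simplified HMAC over the view state. It shows why a blob MACed with a stolen key passes validation just like legitimate state, and why rotating the key, not only patching, is what makes the old forgery fail. The per-page modifier and the DecryptionKey encryption layer of real ASP.NET are assumed away.

```python
import base64
import hashlib
import hmac
import os

# Simplified model of ASP.NET ViewState MAC validation (added example, not SharePoint's code).
# Real ASP.NET also mixes a per-page modifier into the MAC and, by default, encrypts the
# blob with the DecryptionKey; both are left out so the ValidationKey's role stays visible.

def protect_viewstate(state: bytes, validation_key: bytes, algo: str = "sha256") -> str:
    """Append HMAC(ValidationKey, state) and base64-encode, like a __VIEWSTATE value."""
    tag = hmac.new(validation_key, state, algo).digest()
    return base64.b64encode(state + tag).decode()

def validate_viewstate(blob: str, validation_key: bytes, algo: str = "sha256"):
    """Return the state bytes only if the MAC verifies; otherwise None.
    The server must never deserialize a blob that fails this check."""
    raw = base64.b64decode(blob)
    taglen = hashlib.new(algo).digest_size
    state, tag = raw[:-taglen], raw[-taglen:]
    expected = hmac.new(validation_key, state, algo).digest()
    return state if hmac.compare_digest(tag, expected) else None

def new_validation_key() -> bytes:
    """Fresh random key, standing in for rotating the machineKey after an incident."""
    return os.urandom(64)

def demo():
    server_key = new_validation_key()
    # Normal flow: the server MACs legitimate page state and accepts it back later.
    legit = validate_viewstate(protect_viewstate(b"page-state", server_key), server_key)
    # An attacker holding a copy of ValidationKey can MAC a blob of their own, and it
    # passes validation exactly like legitimate state (constructed placeholder bytes).
    stolen_key = server_key
    forged = protect_viewstate(b"<attacker-controlled blob>", stolen_key)
    before_rotation = validate_viewstate(forged, server_key)
    # Patching the bug does not change this; rotating the key does: the same blob now fails.
    server_key = new_validation_key()
    after_rotation = validate_viewstate(forged, server_key)
    return legit, before_rotation, after_rotation

if __name__ == "__main__":
    print(demo())  # (b'page-state', b'<attacker-controlled blob>', None)
```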

In conclusion, this shows the importance of keeping keys secret: an attacker who holds the keys does not need to break the encryption, they simply work around it, the way a stolen key opens a safe-box without forcing it.

Resources:

https://techcrunch.com/2025/07/23/hundreds-of-organizations-breached-by-sharepoint-mass-hacks/
https://krebsonsecurity.com/2025/07/microsoft-fix-targets-attacks-on-sharepoint-zero-day/#more-71737
https://blog.gitguardian.com/sharepoint-zero-day-highlight-hidden-secrets-risk/
https://www.sans.org/blog/critical-sharepoint-zero-day-exploited-what-you-need-to-know-about-cve-2025-53770
https://www.helpnetsecurity.com/2025/07/22/microsoft-pins-sharepoint-attacks-cve-2025-53770/
https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
https://www.picussecurity.com/resource/blog/cve-2025-53770-critical-unauthenticated-rce-in-microsoft-sharepoint
https://www.cyber.gc.ca/en/alerts-advisories/microsoft-security-advisory-av25-433

2 Comments

  1. Brilliant piece! The SharePoint zero-day really shows how adversaries snoop out weak points across organisations. It’s quite similar to the attack on the House of Commons. Organizations must try to monitor logs and patch faster. This shows that a vulnerability can cause problems throughout different sectors, from government to education.

  2. From what I understood by reading this post, the hacker groups used the zero-day vulnerability as an entry point, while the stolen cryptographic keys are what makes the attack itself so persistent. The attacker getting access to the decryption key and validation key is similar to a robber having the keys to your house, which renders having a strong lock useless since they can enter whenever they want to.