A widespread ransomware campaign is exploiting previously unknown vulnerabilities in Microsoft SharePoint, with over 400 organizations already compromised according to security researchers. The attacks mark a dangerous escalation: what began as targeted exploitation has turned into automated ransomware deployment.
The zero-day vulnerabilities, which Microsoft has now patched in emergency updates, allowed attackers to gain initial access to corporate networks through SharePoint servers. Once inside, threat actors move laterally to deploy ransomware across the network. Among the affected organizations is a US nuclear research agency, highlighting the critical nature of these attacks.
Microsoft's security team confirmed that multiple threat groups are actively weaponizing these SharePoint vulnerabilities. The attacks follow a familiar pattern: initial compromise through the web-facing SharePoint servers, privilege escalation, network reconnaissance, and finally ransomware deployment across as many systems as possible.
Technical analysis reveals the exploits target remote code execution vulnerabilities in SharePoint. Attackers are combining these with authentication bypass techniques to gain administrative access without valid credentials. The ransomware payloads observed appear to be variants of known families, though modified to specifically target SharePoint-managed documents and databases.
Security teams should prioritize:
- Immediate application of Microsoft's latest SharePoint security updates
- Review of all SharePoint server access logs for suspicious activity
- Segmentation of SharePoint servers from critical network resources
- Verification of backups for all SharePoint-managed content
Microsoft has published detailed guidance on identifying compromise indicators, including specific HTTP request patterns and unexpected process creations. Organizations without dedicated security teams should consider engaging incident response professionals, as these attacks often leave backdoors even after ransomware deployment.