Confidential Telecom Provider

Zero-Day Defense

Microsoft SharePoint "ToolShell" Zero-Day: Case Study

How Nothreat Detected and Blocked the Exploit 40 Days Before CVE Publication

In June 2025, attackers began exploiting a previously unknown vulnerability chain in Microsoft SharePoint Server. According to security researchers, over 235,000 internet-exposed SharePoint servers were potentially vulnerable. Firewalls permitted the malicious traffic. Intrusion Prevention Systems (IPS) had no signatures. Patches did not yet exist. Nothreat autonomously detected, classified, and blocked the attack - 40 days before Microsoft published the CVE and released emergency patches.

The Vulnerability: What Happened

The ToolShell Attack Chain

ToolShell was not a single vulnerability - it was an evolving chain of exploits that adapted as Microsoft released patches.

Attack chain progression:

  1. Initial chain: CVE-2025-49706 (spoofing) → CVE-2025-49704 (RCE) - allowed unauthenticated remote code execution on SharePoint Server.
  2. After Microsoft patched the initial chain, attackers developed bypass exploits:
    • CVE-2025-53770 - bypass of the RCE fix, restoring unauthenticated code execution.
    • CVE-2025-53771 - bypass of the spoofing fix, restoring the authentication bypass vector.
  3. Together, CVE-2025-53770 + CVE-2025-53771 reconstituted the full ToolShell attack chain - despite all original patches being applied.

Critical consequence: even with all four patches applied, attackers who had already extracted the server's ASP.NET machine keys could still maintain persistence on compromised servers, because those keys let them forge tokens the server trusts. Patching alone was not enough: the machine keys had to be rotated (followed by an IIS restart) but most organizations were unaware they had been compromised in the first place.

Impact & Scale

Why ToolShell Was a Critical Threat

  • Vulnerable footprint: according to security researchers, over 235,000 internet-exposed SharePoint servers were potentially affected.
  • Confirmed exploitation: at least 400 organizations compromised across four attack waves, according to Eye Security.
  • Ease of exploitation: a single crafted POST request with forged headers was sufficient for unauthenticated remote code execution.
  • Time to exploitation: attackers moved from reconnaissance to active exploitation in under 48 hours.
  • Persistence risk: stolen cryptographic keys allowed attackers to maintain access even after patching.

What successful exploitation enabled:

  • Remote code execution - webshell deployment (.aspx, .dll files) on SharePoint servers
  • Exposure of file systems and internal configurations
  • Theft of cryptographic machine keys for forging authentication tokens
  • Lateral movement across internal networks from the compromised server

Why Traditional Security Failed

Firewalls and IPS Were Blind to ToolShell

Firewalls allowed malicious traffic by rule.

The attack arrived as standard HTTP/HTTPS requests on ports 80/443 - traffic that matched existing firewall policies. No rule existed to distinguish the exploit from legitimate SharePoint traffic.

Intrusion Prevention Systems had no signatures.

There were no known signatures for this attack at the time. Detection rules had not yet been developed, and creating effective signatures typically takes several days after a threat is discovered. Between June 5 and July 19, IPS was completely blind to ToolShell.

Patching could not undo the damage.

Organizations that were compromised before the patch could not simply patch their way out. Attackers who had stolen cryptographic keys retained persistent access regardless of patch status.

Timeline: The 40-Day Window

How the Attack Unfolded vs. When the Industry Responded

  • June 5, 2025: Nothreat sensors detect first reconnaissance activity. IP 43.254.***.*** (Thailand) begins probing SharePoint paths. System classifies it as malicious. Protected: ✅ Nothreat clients.
  • Within days: second wave of attacks detected, with more aggressive scripts and CDN masking (Cloudflare/Akamai headers). Protected: ✅ Nothreat clients.
  • June 20, 2025: mass exploitation begins in the wild. Protected: ✅ Nothreat clients, already protected.
  • July 17, 2025: initial public reconnaissance observed by Unit 42 (06:58–08:40 UTC); active exploitation continues through July 22. Protected: ❌ most organizations unprotected.
  • July 18, 2025: first formal public reporting by Eye Security and others. Protected: ❌ still no patches available.
  • July 19–21, 2025: Microsoft releases emergency out-of-band patches for supported versions (Subscription Edition, 2019, 2016). Protected: ⚠️ patching begins, but compromised keys still allow persistence.
  • July 20, 2025: CISA adds CVE-2025-53770 to the Known Exploited Vulnerabilities (KEV) catalog. Protected: ⚠️ awareness spreads, 40 days after Nothreat's first detection.

The gap: 40 days between Nothreat's first detection (June 5) and CVE publication (mid-July). During this window, organizations relying on signatures, patches, or CVE-based alerting had no defense.

How Nothreat Stopped ToolShell

Result: Nothreat clients were protected throughout the entire 40-day window. The platform autonomously blocked all ToolShell exploitation attempts without any patching, signature updates, or human intervention.

Attacker Profiling

What CyberEcho Revealed About the Adversaries

CyberEcho's isolated deception environment captured detailed forensic intelligence about the attackers, revealing distinct operational groups:

Group 1: "The Scout" — Low-and-slow reconnaissance

  • Date: June 5, 2025
  • Origin: Thailand 
  • Tooling: Chrome/87 on Windows — mimicking a legitimate user
  • Behavior: Careful enumeration of SharePoint admin paths, targeting old version paths (2010/2013). Low request rate to avoid detection.
  • Objective: Mapping the attack surface before deploying the exploit.

Group 2: "The Scripted Scanner" — Automated exploitation

  • Origin: Los Angeles, USA
  • Tooling: Python script (python-urllib3/1.26.14)
  • Behavior: Aggressive, high-speed requests using pre-built wordlists to test SharePoint authentication endpoints.
  • Evasion technique: Forged X-Forwarded-For headers to masquerade as traffic from legitimate CDNs (Akamai, Cloudflare, Azure Front Door). Nothreat identified the discrepancy between the real source IP and the claimed CDN origin.
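Both of the behaviours profiled above can be checked from ordinary web-server logs without any signature for the exploit itself. The script below is an added illustration written for this page, not Nothreat's detection code: it parses a constructed log format, flags a source that presents CDN edge headers while its TCP peer address lies outside that CDN's address ranges (the Group 2 evasion), and flags a source that enumerates many distinct SharePoint admin paths and is mostly refused, regardless of how slowly it does so (the Group 1 pattern). The CDN ranges, log lines, header names and thresholds are placeholders chosen for the example; a real deployment loads each provider's published ranges. One assumption goes beyond the text: a bare X-Forwarded-For header is not treated as a CDN claim on its own, because ordinary proxies set it too, so the claim is read from edge-only headers such as CF-Connecting-IP or True-Client-IP.

```python
import ipaddress
import re
from collections import defaultdict

# Placeholder CDN egress ranges (documentation prefixes, not real CDN space).
# A real deployment loads each provider's published IP list instead.
CDN_RANGES = {
    "cloudflare": [ipaddress.ip_network("203.0.113.0/24")],
    "akamai": [ipaddress.ip_network("198.51.100.0/24")],
}
# Headers only a CDN edge should add, mapped to the CDN they imply.
# X-Forwarded-For is deliberately absent: ordinary proxies set it too, so on
# its own it is not a CDN claim (assumption made for this example).
CDN_CLAIM_HEADERS = {
    "cf-connecting-ip": "cloudflare",
    "cf-ray": "cloudflare",
    "true-client-ip": "akamai",
}
# SharePoint administrative and service prefixes that normal users rarely walk.
ADMIN_PREFIXES = ("/_layouts/", "/_admin/", "/_vti_bin/")
# Constructed log format: <peer ip> "<method> <path>" <status> [k=v;k=v...]
LOG_RE = re.compile(
    r'^(?P<peer>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})(?: (?P<hdrs>.*))?$'
)


def parse_line(line):
    """Turn one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    headers = {}
    for kv in (m.group("hdrs") or "").split(";"):
        if "=" in kv:
            k, v = kv.split("=", 1)
            headers[k.strip().lower()] = v.strip()
    return {"peer": m.group("peer"), "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status")),
            "headers": headers}


def cdn_claim_mismatch(peer, headers):
    """Return the CDN named by edge-only headers when the TCP peer is outside
    that CDN's ranges, else None. The peer address comes from the socket, so
    the attacker cannot forge it the way the header is forged."""
    peer_ip = ipaddress.ip_address(peer)
    for header, cdn in CDN_CLAIM_HEADERS.items():
        if header in headers and not any(peer_ip in net for net in CDN_RANGES[cdn]):
            return cdn
    return None


def enumeration_findings(requests, min_paths=5, min_miss_ratio=0.6):
    """Flag peers that touch many distinct admin paths and are mostly refused.
    Request rate is ignored on purpose, so a low-and-slow scout still trips it."""
    by_peer = defaultdict(list)
    for r in requests:
        if r["path"].lower().startswith(ADMIN_PREFIXES):
            by_peer[r["peer"]].append(r)
    flagged = {}
    for peer, reqs in by_peer.items():
        distinct = {r["path"].lower() for r in reqs}
        ratio = sum(r["status"] in (401, 403, 404) for r in reqs) / len(reqs)
        if len(distinct) >= min_paths and ratio >= min_miss_ratio:
            flagged[peer] = {"distinct_paths": len(distinct), "miss_ratio": round(ratio, 2)}
    return flagged


def analyze(lines):
    """Run both checks over raw log lines and return {peer: [finding, ...]}."""
    requests = [r for r in map(parse_line, lines) if r]
    findings = defaultdict(list)
    for r in requests:
        cdn = cdn_claim_mismatch(r["peer"], r["headers"])
        if cdn:
            findings[r["peer"]].append(
                f"carries {cdn} edge headers but peer is outside {cdn} ranges")
    for peer, info in enumeration_findings(requests).items():
        findings[peer].append(
            f"enumerated {info['distinct_paths']} admin paths, miss ratio {info['miss_ratio']}")
    return dict(findings)


# Constructed sample: a slow scout (192.0.2.10), a scripted scanner forging
# Cloudflare headers (192.0.2.20), a genuine request arriving via a Cloudflare
# edge (203.0.113.9), and an ordinary user (198.18.0.5).
SAMPLE_LOG = [
    '192.0.2.10 "GET /_layouts/14/settings.aspx" 404 user-agent=Chrome/87',
    '192.0.2.10 "GET /_layouts/15/settings.aspx" 401 user-agent=Chrome/87',
    '192.0.2.10 "GET /_layouts/14/viewlsts.aspx" 404 user-agent=Chrome/87',
    '192.0.2.10 "GET /_layouts/15/viewlsts.aspx" 401 user-agent=Chrome/87',
    '192.0.2.10 "GET /_admin/" 404 user-agent=Chrome/87',
    '192.0.2.10 "GET /_vti_bin/lists.asmx" 401 user-agent=Chrome/87',
    '192.0.2.20 "POST /_layouts/15/authenticate.aspx" 401 '
    'x-forwarded-for=203.0.113.77;cf-connecting-ip=203.0.113.77;user-agent=python-urllib3/1.26.14',
    '203.0.113.9 "GET /sites/hr/default.aspx" 200 cf-connecting-ip=198.18.0.44;cf-ray=9d1c',
    '198.18.0.5 "GET /_layouts/15/start.aspx" 200',
]

if __name__ == "__main__":
    for peer, notes in analyze(SAMPLE_LOG).items():
        print(peer, "->", "; ".join(notes))
```

Run against the constructed sample, the scout is reported for walking six distinct admin paths with every request refused, and the scanner for presenting Cloudflare edge headers from an address outside the Cloudflare range; the genuine edge request and the ordinary user produce nothing. Tune `min_paths` and `min_miss_ratio` to your own traffic before alerting on them.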

Key Takeaways

What This Case Proves

1. Signature-based security cannot protect against zero-day attacks.

For 40+ days, every IPS and signature-based detection system was blind to ToolShell. Organizations relying on these tools had no defense during the most critical window.

2. Patching is necessary but not sufficient.

Even after all four patches were applied, attackers who had already stolen cryptographic keys retained persistent access. The attack required both patching and manual key rotation - a step most organizations missed.

3. Preemptive, behavior-based detection closes the zero-day window.

Nothreat detected the ToolShell exploit on June 5 - the same day the first reconnaissance began, using behavioral analysis and deception technology. No prior knowledge of the vulnerability was required.

4. Autonomous response eliminates human delay.

The platform classified, validated, and distributed blocking rules without human intervention. In a scenario where hours matter, the response was measured in seconds.

5. Crowd Immunity protects the entire customer base.

Intelligence from one client's CyberEcho trap was used to protect all Nothreat clients simultaneously. The attacker's tactics, captured once, were blocked everywhere.

Summary Box

At a Glance

  • Vulnerability: Microsoft SharePoint Server, ToolShell (CVE-2025-53770 + CVE-2025-53771)
  • Attack type: unauthenticated remote code execution via an evolving exploit chain
  • Vulnerable footprint: 235,000+ internet-exposed SharePoint servers
  • Nothreat first detection: June 5, 2025
  • First public disclosure: July 18, 2025 (43 days after Nothreat detection)
  • CVE published / patch released: July 19–21, 2025 (40 days after Nothreat detection)
  • Detection method: CyberEcho deception traps + micro-behavioral AI analysis
  • Signatures required: none
  • Human intervention required: none
  • False positives: zero
  • Result: 100% of exploitation attempts blocked autonomously across all Nothreat clients


Protect Your Organization Before the Next Zero-Day

ToolShell is one example. Nothreat has also autonomously blocked:

  • Windows Server Update Services (CVE-2025-59287): prevented 1 day before the fix was published
  • Oracle (CVE-2025-61884): prevented 5 days before CVE publication

Zero-day attacks don't wait for signatures. Neither should your defense.