These attacks, observed in recent months, have enabled cybercriminals to gain persistent and privileged access to targeted environments, leading to remote code execution, lateral movement, and the exfiltration of sensitive data.
While Exchange and SharePoint servers have long been attractive targets due to the sensitive data they store, attackers are now deploying increasingly sophisticated techniques.
A notable shift has been the rise of NTLM relay and credential leakage attacks against Exchange Server. In these scenarios, attackers exploit weaknesses in the NTLM authentication protocol by relaying stolen credentials to vulnerable servers, potentially compromising user accounts and enabling further malicious activity.
Recent campaigns have leveraged vulnerabilities that allow attackers to capture and relay NTLM hashes, often targeting privileged accounts for maximum impact.
SharePoint Server attacks have also become more covert. Threat actors have been observed modifying legitimate files, such as appending web shell code to existing pages and deploying remote monitoring and management (RMM) tools.
These tactics enable persistent, stealthy access that is difficult to detect using traditional security measures.
To counter these threats, Microsoft has integrated the Windows Antimalware Scan Interface (AMSI) into both Exchange and SharePoint Server. AMSI acts as a security filter within the IIS pipeline, inspecting incoming HTTP requests, including request bodies, for malicious content before they reach the application layer.
When a threat is detected, AMSI blocks the request in real time, returning an HTTP 400 Bad Request response and preventing exploitation before official patches can be applied.
This proactive defense is especially critical for zero-day vulnerabilities, where attackers often strike before organizations have a chance to update their systems.
AMSI’s integration ensures that malicious attempts such as SSRF, web shell deployment, and credential theft are detected and blocked, with incidents surfaced to Microsoft Defender for further investigation and remediation.
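To make the pipeline position concrete, the following Python is an added illustration (not Microsoft's AMSI code) of a filter that sits in front of the application, normalizes the request body the way the application eventually would, and answers 400 Bad Request on a rule match. The rules, request samples and base64 layer handling are constructed for this example; real AMSI hands the content to the registered antimalware provider and returns its verdict.

```python
"""Model of an AMSI-style pre-application request filter (added example, not
Microsoft's implementation). Rules and sample bodies are constructed."""
import base64
import re
from urllib.parse import unquote_plus

# Constructed detection rules: server-side ASP.NET markup has no business
# arriving inside a request body to a mail or collaboration front end.
RULES = {
    "aspx-server-block": re.compile(r"<%[\s@!=]"),
    "aspx-script-runat": re.compile(r"<script[^>]+runat\s*=\s*[\"']?server", re.I),
}

def normalize_layers(blob: bytes, max_layers: int = 3) -> list:
    """Return the raw text plus its URL-decoded and base64-decoded variants,
    so a rule sees what the application would see after decoding."""
    seen, layers, frontier = set(), [], [blob]
    for _ in range(max_layers):
        nxt = []
        for raw in frontier:
            text = raw.decode("utf-8", "replace")
            if text in seen:
                continue
            seen.add(text)
            layers.append(text)
            decoded = unquote_plus(text)          # %3C%25 -> <%
            if decoded != text:
                nxt.append(decoded.encode())
            # Any base64-looking token is decoded as a further layer.
            for token in re.findall(r"[A-Za-z0-9+/]{12,}={0,2}", text):
                try:
                    nxt.append(base64.b64decode(token, validate=True))
                except ValueError:                # binascii.Error is a ValueError
                    pass
        frontier = nxt
    return layers

def inspect_request(method: str, path: str, body: bytes) -> tuple:
    """Pre-application filter. (200, 'pass') lets the request reach the
    handler; (400, rule_name) blocks it, mirroring AMSI's 400 Bad Request."""
    for blob in (path.encode(), body):            # query string and body
        for layer in normalize_layers(blob):
            for name, rule in RULES.items():
                if rule.search(layer):
                    return 400, name
    return 200, "pass"

if __name__ == "__main__":
    print(inspect_request("POST", "/owa/auth.owa", b"destination=%2Fowa%2F&username=alice"))
    print(inspect_request("POST", "/_layouts/15/upload.aspx", b"page=PCVAIFBhZ2UgJT4="))
```

Detection keyed only on the raw body misses the encoded variants; walking the decoded layers is the step that gives the filter the same view as the application.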
Microsoft strongly urges organizations running on-premises Exchange or SharePoint servers to:
As attackers continue to innovate, layered defenses and rapid response remain essential to protecting critical business assets from compromise.
The post Hackers Actively Exploiting Critical Exchange & SharePoint Server Vulnerabilities appeared first on Cyber Security News.