{"id":3395,"date":"2025-04-19T10:05:21","date_gmt":"2025-04-19T10:05:21","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2025\/04\/19\/hackers-actively-exploiting-critical-exchange-sharepoint-server-vulnerabilities\/"},"modified":"2025-04-19T10:05:21","modified_gmt":"2025-04-19T10:05:21","slug":"hackers-actively-exploiting-critical-exchange-sharepoint-server-vulnerabilities","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2025\/04\/19\/hackers-actively-exploiting-critical-exchange-sharepoint-server-vulnerabilities\/","title":{"rendered":"Hackers Actively Exploiting Critical Exchange &amp; SharePoint Server Vulnerabilities"},"content":{"rendered":"\n<div>\n<p>Microsoft has warned organizations worldwide that threat actors are ramping up their exploitation of critical vulnerabilities in on-premises Exchange Server and SharePoint Server.<\/p>\n<p>These attacks, observed in recent months, have enabled cybercriminals to gain persistent and privileged access to targeted environments, leading to remote code execution, lateral movement, and the exfiltration of sensitive data.<\/p>\n<p>While Exchange and SharePoint servers have long been attractive targets due to the sensitive data they store, attackers are now deploying increasingly sophisticated techniques.<\/p>\n<h2 class=\"wp-block-heading\"><strong>NTLM Relay and Stealthy Persistence Techniques<\/strong><\/h2>\n<p>A notable shift has been the rise of NTLM relay and credential leakage attacks against <a href=\"https:\/\/cybersecuritynews.com\/exchange-server-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\">Exchange Server<\/a>. 
In these scenarios, attackers exploit weaknesses in the NTLM authentication protocol by relaying stolen credentials to vulnerable servers, potentially compromising user accounts and enabling further malicious activity.<\/p>\n<figure class=\"wp-block-embed is-type-rich is-provider-twitter wp-block-embed-twitter\">\n<div class=\"wp-block-embed__wrapper\">\n<blockquote class=\"twitter-tweet\" data-width=\"550\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Threat actors have consistently exploited critical vulnerabilities in Exchange Server and SharePoint Server that enable them to gain a persistent foothold inside the target. Such attacks have been observed to lead to remote code execution, lateral movement, and exfiltration of\u2026<\/p>\n<p>\u2014 Microsoft Threat Intelligence (@MsftSecIntel) <a href=\"https:\/\/twitter.com\/MsftSecIntel\/status\/1913268790504161725?ref_src=twsrc%5Etfw\">April 18, 2025<\/a>\n<\/p><\/blockquote>\n<\/div>\n<\/figure>\n<p>Recent campaigns have leveraged vulnerabilities that allow attackers to capture and relay NTLM hashes, often targeting privileged accounts for maximum impact.<\/p>\n<p>SharePoint Server attacks have also become more covert. Threat actors have been observed modifying legitimate files, such as appending web shell code to existing pages and deploying <a href=\"https:\/\/cybersecuritynews.com\/remote-administration-tools\/\" target=\"_blank\" rel=\"noreferrer noopener\">remote monitoring and management (RMM) tools<\/a>.<\/p>\n<p>These tactics enable persistent, stealthy access that is difficult to detect using traditional security measures.<\/p>\n<h2 class=\"wp-block-heading\"><strong>AMSI Integration Raises the Bar<\/strong><\/h2>\n<p>To counter these threats, Microsoft has integrated the Windows Antimalware Scan Interface (AMSI) into both Exchange and SharePoint Server. 
AMSI acts as a security filter within the IIS pipeline, inspecting incoming HTTP requests, including request bodies, for malicious content before they reach the application layer.<\/p>\n<p>When a threat is detected, AMSI blocks the request in real time, returning an HTTP 400 Bad Request response and preventing exploitation before official patches can be applied.<\/p>\n<p>This proactive defense is especially critical for <a href=\"https:\/\/cybersecuritynews.com\/tag\/zero-day\/\" target=\"_blank\" rel=\"noreferrer noopener\">zero-day<\/a> vulnerabilities, where attackers often strike before organizations have a chance to update their systems.<\/p>\n<p>AMSI\u2019s integration ensures that malicious attempts such as SSRF, web shell deployment, and credential theft are detected and blocked, with incidents surfaced to Microsoft Defender for further investigation and remediation.<\/p>\n<p>Microsoft strongly urges organizations running on-premises Exchange or SharePoint servers to:<\/p>\n<ul class=\"wp-block-list\">\n<li>Apply the latest security patches and updates without delay.<\/li>\n<li>Enable AMSI integration and ensure compatible antimalware solutions are active.<\/li>\n<li>Audit and harden NTLM authentication configurations, enabling Extended Protection for <a href=\"https:\/\/cybersecuritynews.com\/authentication\/\" target=\"_blank\" rel=\"noreferrer noopener\">Authentication<\/a> (EPA) where possible.<\/li>\n<li>Monitor for suspicious activity, such as abnormal HTTP requests or unauthorized mailbox access.<\/li>\n<\/ul>\n<p>As attackers continue to innovate, layered defenses and rapid response remain essential to protecting critical business assets from compromise.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/exchange-sharepoint-server-vulnerabilities\/\">Hackers Actively Exploiting Critical Exchange &amp; SharePoint Server Vulnerabilities<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Guru Baran<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hackers Actively Exploiting Critical Exchange &#038; SharePoint Server Vulnerabilities Microsoft has warned organizations worldwide that threat actors are ramping up their exploitation of critical vulnerabilities in on-premises Exchange Server and SharePoint Server. 
These attacks, observed in recent months, have enabled cybercriminals to gain persistent and privileged access to targeted environments, leading to remote code execution, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63],"tags":[130],"class_list":["post-3395","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/3395"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=3395"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/3395\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=3395"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=3395"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=3395"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}