The SharePoint Highway to Your Domain

85+ servers across 29+ organizations just got hit. Here’s how.

Since July 18th, attackers have been systematically exploiting a SharePoint zero-day to breach organizations worldwide. They're not stopping at SharePoint; they're using it as a highway to everything else.

CVE-2025-53770 isn't just another patch. It's a masterclass in lateral movement.

SharePoint servers compromised. Domain controllers taken over. Entire networks dominated. All because one collaboration platform had too much trust.

Who's getting hit? Any organization running on-premises SharePoint with flat network architecture. If SharePoint can freely communicate across your data center, you're in this group.

What's Actually Happening

Exploitation without authentication -- Attackers gain remote code execution on SharePoint servers without needing credentials

Cryptographic key theft -- Malicious files steal SharePoint's machine keys, including ValidationKey and DecryptionKey

Lateral movement highways -- Stolen keys create valid payloads for accessing connected systems

Domain-level compromise -- SharePoint's integration with Outlook, Teams, and OneDrive provides pathways to domain controllers

Why Breaches Spread So Fast

SharePoint isn't designed as a fortress. It's designed for collaboration, which means integration, which means trust relationships everywhere.

Organizations discover their SharePoint servers have domain admin privileges. Collaboration platforms connect to financial systems. Document servers share network segments with critical infrastructure.

Each integration becomes an attack pathway when proper segmentation doesn't exist.

The Real Cost of Flat Networks

When attackers hit an unsegmented network, they spread laterally until someone notices. A compromised SharePoint server accesses domain controllers. A breached collaboration platform reaches customer databases. An infected document server talks to operational technology.

The blast radius isn't theoretical anymore; it's measurable in complete domain takeover within hours.

How to Actually Stop This

Patch immediately -- Enable AMSI integration and deploy Microsoft Defender on SharePoint servers

Isolate if you can't patch -- Disconnect internet-facing SharePoint until updates are available

Monitor for exploitation -- Watch for POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit (especially if those requests come from external IPs or unauthenticated sources)

Start network segmentation -- Create barriers between SharePoint and critical systems

Segment by function -- Group systems by business purpose, not network convenience
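The "Monitor for exploitation" item above is the one concrete detection this newsletter gives. The following script is an added example, not part of the original newsletter and not a Microsoft or Packet Pulse tool: it reads IIS W3C log lines, flags POST requests to /_layouts/15/ToolPane.aspx with DisplayMode=Edit, and raises the severity when the request is unauthenticated (cs-username logged as "-") or comes from outside the address ranges you consider internal. The field order in the #Fields header, the internal network list, and every log line are constructed assumptions; adjust them to match your own IIS logging configuration.

```python
import ipaddress
from urllib.parse import parse_qs

# Constructed sample IIS W3C log excerpt (not real traffic). The #Fields header
# is assumed to match a common IIS default layout; real logs may differ.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-19 03:14:07 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.44 Mozilla/5.0 200
2025-07-19 03:14:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=1 443 CONTOSO\\jsmith 10.0.2.17 Mozilla/5.0 200
2025-07-19 03:15:00 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\jsmith 10.0.2.17 Mozilla/5.0 200
2025-07-19 03:16:21 10.0.0.5 POST /_layouts/15/start.aspx - 443 CONTOSO\\amartin 10.0.2.33 Mozilla/5.0 200
2025-07-19 03:17:02 10.0.0.5 POST /_layouts/15/toolpane.aspx displaymode=edit 443 - 198.51.100.9 python-requests/2.32 200
"""

# Assumed internal ranges; anything outside these is treated as "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Path from the newsletter's indicator; compared case-insensitively because IIS
# resolves the page regardless of the case the client used.
TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"


def parse_w3c(text):
    """Yield one dict per log record, using the most recent #Fields header for column names."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-align columns
        yield dict(zip(fields, values))


def is_toolpane_edit(rec):
    """True if the record targets ToolPane.aspx with DisplayMode=Edit (any case)."""
    if rec.get("cs-uri-stem", "").lower() != TOOLPANE_PATH:
        return False
    query = rec.get("cs-uri-query", "-")
    if query == "-":  # IIS logs "-" when there is no query string
        return False
    params = parse_qs(query.lower(), keep_blank_values=True)
    return "edit" in params.get("displaymode", [])


def is_external(ip):
    """True if the client address is not inside any assumed internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # unparsable source: treat as untrusted
    return not any(addr in net for net in INTERNAL_NETS)


def classify(rec):
    """Return (severity, reasons) for a suspicious record, or None if it is not of interest."""
    if rec.get("cs-method", "").upper() != "POST" or not is_toolpane_edit(rec):
        return None
    reasons = []
    if rec.get("cs-username", "-") == "-":
        reasons.append("unauthenticated")
    if is_external(rec.get("c-ip", "")):
        reasons.append("external source")
    return ("high" if reasons else "low"), reasons


def scan(text):
    """Scan W3C log text and return a list of hits, in log order."""
    hits = []
    for rec in parse_w3c(text):
        result = classify(rec)
        if result is None:
            continue
        severity, reasons = result
        hits.append({
            "time": f"{rec['date']} {rec['time']}",
            "src": rec["c-ip"],
            "user": rec["cs-username"],
            "severity": severity,
            "reasons": reasons,
        })
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"[{hit['severity'].upper()}] {hit['time']} {hit['src']} user={hit['user']} {', '.join(hit['reasons']) or 'authenticated internal request'}")
```

Authenticated internal POSTs to this page still surface as low-severity hits rather than being dropped, because the stolen-key scenario described above means a "valid" request is not proof of a legitimate user; triage them against who actually edits pages and from where.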

The Bottom Line

SharePoint Online (cloud) wasn't affected by this zero-day. Cloud providers implement segmentation by default. On-premises environments rely on you making deliberate architectural decisions.

Organizations getting breached this week aren't those with the worst IT teams; they're the ones that assumed internal networks were trusted spaces.

The zero-day will get patched. The next vulnerability is already being discovered. The question is whether attackers will find highways or roadblocks when they get inside.

Stay connected,
The Packet Pulse Team
