From the Trenches: When Zero-Days Meet Multi-Stakeholder Reality
The 9 AM Call Nobody Wants
Working in Incident Response for many years now, I've responded to my fair share of security incidents. But it's never a good feeling to identify Indicators of Compromise (IOCs) in a customer's environment knowing that the vulnerability the attackers exploited was announced just days earlier. What followed was a demonstration of the reality of zero-day response when your incident spans multiple organisations, time zones, and competing priorities.
The recent SharePoint vulnerabilities (CVE-2025-49704, CVE-2025-49706, and CVE-2025-53770) have been actively exploited since July 7, giving threat actors a significant head start before public disclosure. The incident provided a front-row seat to just how quickly attackers can move, and more importantly, how complex modern incident response becomes when it crosses organisational boundaries.
The Threat Landscape: SharePoint in the Crosshairs
SharePoint environments have become increasingly attractive targets, and for good reason. They are widely used in enterprise environments, hold sensitive business data, and often have complex permission structures that can hide malicious activity. The recent vulnerability campaign specifically targets these environments through complicated techniques that bypass previously patched security flaws.
The technical details are quite alarming. These vulnerabilities give attackers remote code execution and privilege escalation, allowing them to deploy malicious .aspx files that appear to be legitimate SharePoint functionality. For defenders, this creates a nightmare scenario where malicious code can hide in plain sight within a platform that hundreds of users access daily.
What makes this campaign particularly challenging is the speed. With active exploitation beginning weeks before public disclosure, many organisations find themselves playing catch-up against adversaries who had already established persistence in their environments.
The Incident: When Reality Hits the Runbook
Discovery: Finding Needles in Digital Haystacks
The initial detection came as a result of an investigation into issues with the customer's SharePoint and its availability. What started as a routine service investigation quickly escalated when we identified several suspicious .aspx files that matched the IOCs identified in previously shared threat intelligence.
The technical analysis revealed sophisticated attack techniques designed to maintain persistence while evading detection. We were dealing with adversaries who understood SharePoint architecture and its associated vulnerabilities, and who were taking full advantage of them.
Assembling the Response Dream Team (And Managing the Chaos)
Here's where incident response theory meets messy reality. Our response required coordination between:
Our SOC team: Responsible for threat hunting and initial technical analysis
Our NOC team: Managing network-level containment and monitoring
The customer: Business stakeholders who needed to understand impact and make decisions
The SharePoint service provider: A third-party vendor managing the customer's SharePoint infrastructure
If you've ever tried to coordinate a conference call between four different organisations during an active security incident, you know this is where incident response playbooks meet their match. Each team brought essential capabilities, but also their own processes, priorities, and communication styles.
The customer needed immediate answers about business impact. The service provider needed detailed technical evidence before making changes to production systems. Our teams needed access and cooperation from everyone to conduct effective analysis. It was a challenge to say the least.
Key Challenges: Where Theory Meets Organisational Reality
Challenge 1: The Multi-Stakeholder Coordination Nightmare
The biggest challenge wasn't technical; it was human. Coordinating incident response across four organisations with different priorities, processes, and communication styles turned every decision into a negotiation. Ultimately, supporting the customer and setting realistic expectations is crucial to allaying the fears associated with a compromise like this.
Each stakeholder had valid requirements, but reconciling those requirements during an active incident felt like an impossible balancing act. We learned quickly that establishing clear communication protocols and decision-making authority early in the response is crucial for multi-stakeholder incidents.
Challenge 2: SharePoint-Specific Technical Hurdles
SharePoint environments present unique challenges for incident responders. The platform's complexity means that distinguishing between legitimate administrative activity and malicious behavior requires deep platform expertise. The architecture allows for numerous persistence mechanisms that traditional endpoint detection tools might miss.
Our investigation was further complicated by the managed service model. Unlike incidents where we have direct access to affected systems, we had to work through the service provider for many activities. This added communication overhead and time delays to tasks.
The malicious .aspx files themselves were designed to exploit this complexity. They leveraged legitimate SharePoint APIs and functionality, making them difficult to distinguish from normal business applications without detailed behavioral analysis.
Challenge 3: MSSP-Specific Considerations
Operating as an MSSP during this incident highlighted unique challenges that internal security teams don't face. We had to manage customer expectations while coordinating with a third-party service provider that had their own customer relationships and priorities.
Our service level agreements suddenly became very relevant when the customer wanted to know why containment was taking longer than our standard incident response timelines. Explaining that we needed cooperation from a third-party vendor to implement containment measures isn't exactly the kind of conversation any organisation wants to have during an active incident.
We also had to balance transparency with operational security. The customer wanted detailed updates, but sharing too much technical information could compromise ongoing investigative activities or reveal sensitive details about our detection capabilities.
Tactical Recommendations: Lessons from the Field
Detection Strategies That Actually Work
Based on our experience with this incident, traditional signature-based detection is insufficient for SharePoint-targeted attacks. Behavioral analytics and anomaly detection prove far more effective at identifying the initial compromise in this type of attack.
The most important lesson: your detection strategy needs to account for the legitimate complexity of SharePoint environments. False positives will impact the trust of stakeholders quickly, especially when alerts require coordination across multiple organisations.
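As an added illustration of the point above (example code, not the post's own tooling), the following script combines the two approaches: it matches the hashes of .aspx files in a SharePoint layouts directory against a threat-intelligence IOC list, and it also flags files that are new, modified or created inside the exploitation window relative to a known-good baseline, which is what catches a dropped page whose hash nobody has shared yet. All paths, file contents, dates after the July 7 campaign start, and IOC hashes are constructed placeholders.

```python
"""Baseline-vs-current triage of SharePoint .aspx files with IOC hash matching.
Added example; every inventory entry and IOC hash here is constructed."""
import hashlib
from datetime import date


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed page bodies; in practice the hashes come from the files on disk.
LEGIT_START = b"<%@ Page Language='C#' %> legitimate start page (constructed)"
LEGIT_VIEW = b"<%@ Page Language='C#' %> legitimate list view (constructed)"
DROPPED = b"<%@ Page Language='C#' %> unexpected page (constructed stand-in)"

# Baseline captured from a known-good build: path -> (sha256, created date)
BASELINE = {
    "/LAYOUTS/15/start.aspx": (sha256(LEGIT_START), date(2024, 11, 2)),
    "/LAYOUTS/15/viewlsts.aspx": (sha256(LEGIT_VIEW), date(2024, 11, 2)),
}

# Current inventory of the same server after the availability issue was raised
CURRENT = {
    "/LAYOUTS/15/start.aspx": (sha256(LEGIT_START), date(2024, 11, 2)),
    "/LAYOUTS/15/viewlsts.aspx": (sha256(LEGIT_VIEW + b"<!-- tampered -->"), date(2024, 11, 2)),
    "/LAYOUTS/15/unexpected.aspx": (sha256(DROPPED), date(2025, 7, 9)),
}

# Constructed IOC set standing in for hashes shared via threat intelligence
IOC_HASHES = {sha256(DROPPED)}
EXPLOITATION_START = date(2025, 7, 7)  # active exploitation began July 7 per the post


def triage(baseline, current, ioc_hashes, window_start):
    """Return {path: [reasons]} for every .aspx file that deserves analyst attention."""
    findings = {}
    for path, (digest, created) in current.items():
        reasons = []
        if digest in ioc_hashes:
            reasons.append("ioc_hash_match")  # signature hit from shared intel
        if path not in baseline:
            reasons.append("not_in_baseline")  # file the build never shipped
            if created >= window_start:
                reasons.append("created_in_exploitation_window")
        elif baseline[path][0] != digest:
            reasons.append("content_changed")  # legitimate page edited in place
        if reasons:
            findings[path] = reasons
    for path in baseline.keys() - current.keys():
        findings[path] = ["missing_from_server"]  # deleted pages matter too
    return findings
```

The unexpected page would be flagged by the baseline comparison even with an empty IOC set, which is the behavioral catch the signature-only approach misses.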
Response Playbook Modifications
Our standard incident response playbooks needed significant adaptation for multi-stakeholder SharePoint incidents. The modifications focused on two key areas:
Communication protocols: We developed specific escalation paths and communication channels for incidents involving third-party service providers.
Stakeholder management: We learned to conduct parallel workstreams for different stakeholder groups. Technical teams could continue investigation activities while customer communications focused on business impact and remediation timelines.
Preparation and Prevention
The most valuable lesson from this incident was the importance of preparation before you need it. Multi-stakeholder incidents are too complex to figure out during the crisis.
Key preparation activities that would have saved us significant time:
Pre-established communication channels with critical service providers
Documented asset inventories including third-party managed systems
Regular tabletop exercises that include external partners
Legal frameworks for information sharing during security incidents
Strategic Insights: The MSSP Perspective
Service Delivery Evolution
This incident forced us to review several aspects of our service delivery model. The experience highlighted the need for more sophisticated customer education around shared responsibility models. Many customers assume that hiring an MSSP provides complete security coverage, but incidents like this demonstrate the critical importance of third-party vendor security postures.
Operational Improvements
Based on lessons learned from this incident, we have identified several operational changes that could improve the incident response process for similar incidents:
Cross-training initiatives: Our team members need broader platform expertise to handle incidents across diverse technology stacks. SharePoint expertise can't be concentrated in one or two team members when incidents require 24/7 response capabilities.
Tool integration enhancements: We should assess our monitoring and analysis tools to see whether there is an opportunity for better integration with common enterprise platforms like SharePoint. The time spent analysing data from different sources during an active incident could be reduced, limiting attackers' ability to expand their foothold.
Escalation procedure refinements: We're developing specific escalation paths for incidents that require third-party vendor coordination. This includes pre-negotiated response timeframes and communication protocols. These should be tested as part of the Incident Response Tabletop Exercises.
Looking Forward: Preparing for the Next Campaign
Threat Evolution
Based on our analysis of this campaign and historical attack patterns, we expect threat actors to continue refining their SharePoint exploitation techniques. The success of this campaign will likely inspire copycat attacks and further innovation in SharePoint-targeted malware.
Organisations should prepare for attacks that leverage legitimate SharePoint functionality more extensively, making detection increasingly challenging. The trend toward "living off the land" techniques will continue, requiring defenders to focus more on behavioral detection than signature-based approaches.
Organisational Readiness
The most important preparation organisations can make is improving their multi-stakeholder incident response capabilities. The days of purely internal security incidents are largely over. Modern attacks routinely span multiple organisations, requiring coordination across different security cultures and operational models.
Key readiness improvements we recommend:
Regular multi-organisation tabletop exercises
Pre-established communication channels with critical vendors
Cross-training on platforms managed by third-party providers
Conclusion: The Human Element in Technical Incidents
Technical vulnerabilities may initiate security incidents, but human coordination determines their outcomes. This incident was ultimately resolved, not through superior technical analysis (though that was important), but through effective collaboration between teams with different priorities and processes. The most sophisticated detection tools and response procedures are worthless if you can't coordinate effectively with the stakeholders needed to implement containment and remediation. In our interconnected business environment, incident response has become as much about project management and stakeholder communication as it is about technical analysis.
The SharePoint zero-day campaign provided a valuable reminder that modern cybersecurity is fundamentally a team sport. The attackers we're facing are sophisticated, well-resourced, and quick to exploit new vulnerabilities. Our response needs to be equally coordinated and fast-paced, even when that coordination spans multiple organisations with competing priorities.
For my fellow incident responders: prepare for the human complexity as much as the technical complexity. Your next major incident will likely require coordination with stakeholders you've never worked with before, using communication channels you've never tested. The technical skills that got you into incident response are table stakes; the coordination skills will determine whether you successfully contain the next campaign.
If you've faced similar multi-stakeholder incidents, I'd love to hear about your experiences and lessons learned. The security community succeeds when we share these real-world insights, especially the messy organisational challenges that don't make it into most incident reports. Connect with me to share your own stories from the trenches. After all, we're all in this together, whether we're coordinating across SOC teams, NOC teams, customers, and service providers, or just trying to get everyone on the same conference call without technical difficulties.
Because nothing says "cybersecurity professional" quite like spending 5 minutes explaining a key piece of information, and then realising you have been on mute the whole time.