Cyber Intelligence Briefing: 04 Aug 2025. Five Vulnerabilities in Microsoft SharePoint

Assured’s CISO reacts:

This zero day shows how quickly SharePoint flaws can be weaponised, with ToolShell exploited to drop Warlock ransomware. Organisations must patch CVE‑2025‑53770/53771 immediately and harden endpoints to block further compromise.

If your business runs SharePoint, review these five steps:

1. M1042) Patch Management:

• Mitigation:
  • Ensure comprehensive and immediate deployment of correct SharePoint patches (CVE‑2025‑53770/53771).
• Step A (Intune):
  • Create a Win32 app deployment targeting servers running SharePoint 2016/2019/Subscription Edition, configured to install KB5002741 and KB5002744, or the updated July cumulative patches. In the Intune Win32 installer .intunewin package’s DetectionRules, use file version check at C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\BIN\Microsoft.SharePoint.dll version ≥ 16.0.10417.20037.
• Step B (GPO via WSUS):
  • Use a GPO to set “Automatic Updates detection frequency” in Computer Configuration → Administrative Templates → Windows Components → Windows Update, configure to every 1 day, ensure servers receive SharePoint server security updates within 24 hours. In WSUS, create an approval rule that auto-approves any update matching KB5002741, KB5002744, CVE‑2025‑53770, CVE‑2025‑53771.

2. M1015) Exploit Prevention:

• Mitigation: Harden SharePoint’s unsafe endpoints (ToolPane.aspx, ViewState).
• Step A (GPO):
  • Deploy a SharePoint Web.config patch via Group Policy Preferences XML under Computer Configuration → Preferences → Windows Settings → Files targeting %ProgramFiles%\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\ToolPane.aspx and ensure <safeControls> section disables Microsoft.PerformancePoint.Scorecards.ExcelDataSet
  • Include XML snippet:
    • <SafeControl Assembly=”Microsoft.PerformancePoint.Scorecards.Client”
      Namespace=”Microsoft.PerformancePoint.Scorecards.ExcelDataSet”
      TypeName=”ExcelDataSet”
      Safe=”False” />
• Step B (Intune):
  • Deploy a custom Configuration Profile using PowerShell script:
    • $webconfig = ‘C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS\web.config’
      [xml]$cfg = Get-Content $webconfig
      $sc = $cfg.configuration.SharePoint.SafeControls.SelectSingleNode(“//SafeControl[@TypeName=’ExcelDataSet’]”)
      $sc.SetAttribute(‘Safe’,’False’)
      $cfg.Save($webconfig)

  • Deploy as PowerShell script in Intune requiring elevated context.

3. M1035) Data Encryption:

• Mitigation: Refresh ASP.NET MachineKey to invalidate stolen keys extracted by attackers via ToolShell
• Step A (Intune):
  • Deploy a PowerShell script to generate new machineKey and update web.config:
    • $conf = [System.Web.Configuration.WebConfigurationManager]::OpenWebConfiguration(‘/’)
      $section = $conf.GetSection(“system.web/machineKey”)
      $section.DecryptionKey = (New-Object System.Web.Security.RNGCryptoServiceProvider).GetBytes(64) | ForEach { “{0:x2}” -f $_ } -join ”
      $section.ValidationKey = (New-Object System.Web.Security.RNGCryptoServiceProvider).GetBytes(64) | ForEach { “{0:x2}” -f $_ } -join ”
      $section.Validation = “SHA1”
      $conf.Save()
  • Ensure script is targeted to SharePoint servers only.
• Step B (GPO):
  • Use Group Policy Preferences to deploy a pre-generated <machineKey> block into each SharePoint web application’s web.config. Define a .config file resource mapped to each SP web root with precise <machineKey> entries including unique validationKey and decryptionKey.

4. M1056) Behavior Monitoring (EDR / AMSI Integration)

• Mitigation: Enable AMSI in SharePoint and deploy EDR with behavioral detection to catch zero-day exploitation and webshells.
• Step A (GPO):
  • Set registry keys via GPO at Computer Configuration → Preferences → Windows Settings → Registry:
    • Hive: HKEY_LOCAL_MACHINE
      Key Path: SOFTWARE\Microsoft\SharePoint\Setup\14.0\Config
      Value Name: EnableAMSI
      Type: REG_DWORD
      Data: 1
  • And also ensure HKLM\System\CurrentControlSet\Services\Sense (Windows Defender AMSI) is set to start automatically.
• Step B (Intune):
  • Deploy and configure EDR vendor agent (e.g. Microsoft Defender for Endpoint) using Intune Device Configuration. Assign “Endpoint_RCE_and_webshell” detection policy active, with indicators including spinstall0.aspx or ghostfile*.aspx filenames, and monitor execution of cmd.exe from w3wp.exe.

5. M1030) Session Token Protection / Logging and Monitoring

• Mitigation: Enable detailed IIS logging and monitor POST requests to ToolPane.aspx and unauthorized file uploads.
• Step A (GPO):
  • Use Group Policy Preferences to modify IIS configuration (applicationHost.config) adding a request filtering rule:
  • <system.webServer>
    <security>
    <requestFiltering>
    <fileExtensions>
    <add fileExtension=”.aspx” allowed=”true” />
    </fileExtensions>
    </requestFiltering>
    </security>
    <traceFailedRequests loggingEnabled=”true” maxLogFileSizeKB=”10240″>
    <traceAreas>
    <add provider=”ASP” areas=”PostAuthenticateRequestHandler” verbosity=”Verbose” />
    </traceAreas>
    </traceFailedRequests>
    </system.webServer>
• Step B (Intune):
  • Deploy a PowerShell script scheduled via Intune to scan IIS logs daily for /layouts/15/ToolPane.aspx POST entries with Referer: *_layouts/SignOut.aspx* and any uploads to ...\LAYOUTS\ghostfile*.aspx. Script writes alerts to Windows Event Log under custom source ToolShellWatch, so SIEM ingestion can yield alerts.

Assured’s CISO reacts:

Link wrapping rewrites the URLs in the message to a trusted domain and passes them through a scanning server designed to block malicious destinations. Email security products such as Microsoft Defender and Mimecast have similar features, but due to the nature of the account compromise, are unlikely to be affected.

If you are a Proofpoint or Intermedia customer, we recommend applying the following:

1. Microsoft 365 Defender (Advanced Hunting) — Detection Rules:

• Purpose: Detect internal account abuse or delivery of malicious URLs via email.
• Steps:
  • Create a Kusto detection rule in Microsoft 365 Defender → Advanced Hunting → EmailEvents:
    • kqlCopyEditEmailUrlInfo
      | where Url in~ (
      “https://ddms03smf0d0dqeqmm.z21.web.core.windows.net/”,
      “https://Gojo.lci-nd.com”,
      “https://7sovxyhbb.cc.rs6.net/error.jsp?e=7sovxyhbb”,
      “https://url.emailprotection.link/”,
      “https://s7991.mjt.lu/lnk/”,
      “https://urldefense.proofpoint.com/v2/url?”
      )
      | project Timestamp, Url, RecipientEmailAddress, SenderFromAddress, ThreatTypes
  • Configure an alert rule that triggers when a match is found and assign severity = High. Use automated response to isolate user/device and generate a Defender incident.

2. Firewall or Proxy (e.g., via GPO + Windows Defender Firewall):

• Purpose: Prevent network-layer access to malicious domains.
• Steps:
  • In GPO, define a new outbound rule in Computer Configuration → Policies → Windows Settings → Windows Defender Firewall with Advanced Security to block traffic to domains like:
    • *.z21.web.core.windows.net
    • *.lci-nd.com
    • *.emailprotection.link
    • *.mjt.lu
    • *.rs6.net
    • *.bitly.com
    • *.tinyurl.com
  • Set the rule to apply only for specific apps (e.g., Outlook.exe, chrome.exe, powershell.exe) to avoid blocking critical infrastructure unless needed.

3. Exchange Online Protection (EOP) — Block URL Patterns:

• Purpose: Block email delivery containing IOCs in URLs.
• Steps:
  • In the Security & Compliance Center, create a new Mail Flow Rule (Transport Rule):
    • Condition: If message body or subject includes these words/phrases
    • Match patterns like:
      • proofpoint.com/v2/url?u=
      • emailprotection.link
      • lci-nd.com
      • z21.web.core.windows.net
  • Action: Reject the message with explanation or Quarantine message with high severity depending on your policy.

4. Windows Defender Application Control (WDAC) — URL Restrictions via ASR:

• Purpose: Prevent users from opening malicious URLs using Office apps..
• Steps:
  • In Intune, enable the ASR rule: Block Office applications from creating child processes via CSP AttackSurfaceReductionRules_26190899-1602-49e8-8b27-eb1d0a1ce869 set to Enabled.
  • Combine with a custom ASR rule to block Office apps from launching URLs with a regex match for domains in the IOC list by setting PowerShell rule conditions via:powershellCopyEditNew-MpPreference -AttackSurfaceReductionOnlyExclusions "z21.web.core.windows.net", "lci-nd.com"