By Option One Technologies
Cybersecurity News
Microsoft SharePoint Zero-Day Campaign Compromises 400+ Organizations
A devastating zero-day attack chain targeting on-premises Microsoft SharePoint servers has compromised over 400 organizations globally since July 18, 2025, CyberScoop reported. The “ToolShell” campaign exploits CVE-2025-53770, a critical remote code execution vulnerability with a CVSS score of 9.8, combined with CVE-2025-53771, an authentication bypass flaw.
Attackers leverage these vulnerabilities to deploy malicious ASPX files that extract cryptographic keys from server configurations, enabling persistent access even after initial patches are applied. The campaign has impacted critical sectors including government agencies, healthcare systems, financial institutions, and educational organizations across multiple countries.
Three distinct China-based threat groups are conducting the attacks: the state-backed APT groups Linen Typhoon and Violet Typhoon focus on espionage, while Storm-2603 deploys Warlock and LockBit ransomware for financial gain.
Microsoft has released emergency patches for all supported SharePoint versions and recommends that customers immediately enable AMSI integration in SharePoint together with Microsoft Defender Antivirus.
“Additional actors will continue to use these exploits to target unpatched on-premises SharePoint systems, further emphasizing the need for organizations to implement mitigations and security updates immediately,” the company said, according to a DarkReading report.
“Investigations into other actors also using these exploits are still ongoing,” Microsoft also said. “With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems.”
Scattered Spider Activity Temporarily Disrupted Following UK Arrests
The notorious Scattered Spider cybercriminal group experienced significant operational disruption following the arrest of four individuals in the UK on July 10, 2025, Infosecurity Magazine reported. The arrests, conducted by the National Crime Agency (NCA), targeted suspects linked to April 2025 cyberattacks against major British retailers.
Scattered Spider has also been blamed for attacks against airlines in June. Those followed a string of other attacks by the group targeting “high-profile industries,” The Record reported.
Since the arrests, cybersecurity firms have reported a lull in intrusions directly attributable to Scattered Spider’s core operations. However, security researchers warn that the threat has not diminished, as other affiliated groups continue employing similar social engineering tactics.
Most recently, CrowdStrike reported that the group has “reduced breakout time so much so that in one 2025 incident, the threat actor moved from initial access to encryption in 24 hours,” SC Media reported.
“Scattered Spider excels at using identity compromise to pivot between multiple surfaces in a network, evading targeted organizations’ heavily monitored endpoints,” wrote the CrowdStrike researchers. “This includes performing bulk exports of Microsoft Entra ID data, obtaining credentials from privileged access management applications, and even performing help desk social engineering calls during the intrusion to gain access to accounts with higher privileges.”
The group’s distributed nature means operations may resume once members adapt to increased law enforcement attention. Scattered Spider’s impact remains substantial. The group’s UK retail attacks cost an estimated 440 million British pounds.
Hackers Use Legitimate Email Protections to Deliver Microsoft 365 Phishing Campaigns
Cybersecurity researchers say a new phishing campaign conceals malicious payloads by abusing link wrapping services from Proofpoint and Intermedia to bypass defenses, The Hacker News reported. Observed over the past two months, the activity is another example of how threat actors can use legitimate tools to perform malicious actions, such as redirecting users to fake Microsoft 365 phishing pages.
“Link wrapping is designed by vendors like Proofpoint to protect users by routing all clicked URLs through a scanning service, allowing them to block known malicious destinations at the moment of click,” Cloudflare wrote in its report.
When attackers send malicious emails from hijacked accounts whose outbound mail passes through these services, the embedded links are automatically wrapped in the vendors’ trusted formats.
“While [link wrapping] is effective against known threats, attacks can still succeed if the wrapped link hasn’t been flagged by the scanner at click time,” the report continued.
Cloudflare researchers highlighted instances of “multi-tiered redirect abuse,” where attackers obscure links first with URL shorteners, then use Proofpoint’s services for further obfuscation. The resulting redirect chain passes through multiple trusted wrappers, increasing the attack’s likelihood of success.
Victims frequently encounter phishing emails appearing as voicemail or Microsoft Teams notifications. These urge recipients to click on links that eventually deliver them to deceptive Microsoft 365 login pages, harvesting credentials in the process. Other campaigns mimic Zoom notifications to lure users into credential theft via fake “meeting timed out” messages.
The campaign’s effectiveness is further heightened by using SVG files, which can conceal scripts and interactive elements, and by exporting stolen data via Telegram for rapid attacker access. Proofpoint and other security vendors acknowledge this abuse and are updating behavioral AI detection to flag and block such campaigns across their platforms.
This surge in sophisticated phishing methods underscores the need for organizations to continually adapt their defenses and educate users on evolving attack vectors.
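To show the defender-side triage the Cloudflare findings call for, here is an added example (not code from Cloudflare, Proofpoint or the reported campaign) that peels a Proofpoint wrapper off a link, follows nested wrappers, and flags a chain whose final hop is a URL shortener or a host other than the genuine Microsoft sign-in page. It assumes the wrapped links use Proofpoint's v2 `u=` encoding, and the sample links and shortener list are constructed for illustration.

```python
from urllib.parse import parse_qs, unquote, urlparse

# Hosts used by Proofpoint's link-wrapping service. Assumption: the wrapped links
# use the v2 "/v2/url?u=..." encoding; v3-style wrappers are not decoded here.
PROOFPOINT_HOSTS = {"urldefense.proofpoint.com", "urldefense.com"}
# Constructed watch-list of URL shorteners for this example; extend as needed.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}
# Hosts a genuine Microsoft 365 / Teams sign-in link is expected to land on.
EXPECTED_LOGIN_HOSTS = {"login.microsoftonline.com", "login.live.com"}

def decode_proofpoint_v2(url):
    """Return the original URL inside a Proofpoint v2 wrapper, or None if not wrapped."""
    parts = urlparse(url)
    if parts.hostname not in PROOFPOINT_HOSTS or not parts.path.startswith("/v2/url"):
        return None
    encoded = parse_qs(parts.query).get("u", [None])[0]
    if encoded is None:
        return None
    # v2 encoding: '/' became '_' and every other reserved character became
    # '-XX' (hex). Turning '-' back into '%' lets unquote() finish the job.
    return unquote(encoded.replace("_", "/").replace("-", "%"))

def unwrap_chain(url):
    """Peel wrappers repeatedly; returns every layer, outermost first."""
    layers = [url]
    while (inner := decode_proofpoint_v2(layers[-1])) and inner not in layers:
        layers.append(inner)
    return layers

def triage_link(url):
    """Classify a link taken from a message that claims to be a Microsoft 365 notice."""
    layers = unwrap_chain(url)
    final_host = urlparse(layers[-1]).hostname or ""
    if final_host in SHORTENER_HOSTS:
        # A shortener hiding under a trusted wrapper: the true destination cannot
        # be judged from the message alone, so escalate rather than trust the wrapper.
        return "suspicious-shortener", layers
    if final_host in EXPECTED_LOGIN_HOSTS:
        return "expected-host", layers
    return "unexpected-host", layers

# Constructed sample links (not from the reported campaign): a wrapper around a
# shortener, a wrapper around the genuine sign-in host, and a bare lure link.
SAMPLE_LINKS = [
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__bit.ly_3xAmpl3&d=DwMFaQ&e=",
    "https://urldefense.proofpoint.com/v2/url?u=https-3A__login.microsoftonline.com_"
    "common_oauth2_authorize-3Fclient-5Fid-3D123&d=DwMFaQ",
    "https://teams-voicemail-notice.example/login",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict, layers = triage_link(link)
        print(verdict, "->", layers[-1])
```

A shortener verdict is the multi-tiered case the researchers describe: the trusted wrapper is intact, but nothing in the message lets you judge where the shortener finally lands.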
Cybersecurity Tips
CTO/CDO Discusses Making Technology Decisions “at the Speed of AI”
In a recent interview published in CIO Magazine, Afshean Telasaz, SVP of strategic projects and innovation and chief technology and data officer at Colonial Pipeline, discussed taking “an intentional approach” to AI and technology decision-making. This has become increasingly important due to the “relentless pace of technology and business change,” as well as the arrival of autonomous and agentic AI.
Telasaz emphasized the need for clarity, adaptability, and thoughtful trade-offs as technology leaders navigate rapid shifts in business and IT landscapes. He underscored the importance of keeping the mission at the forefront to guide decisions, especially amid uncertainty or when critical changes arise.
Not all change, however, is necessary; successful leadership sometimes means knowing what to keep stable, as well as what to change and when.
Addressing adaptability, Telasaz recommended mastering the fundamentals, celebrating incremental wins, and fostering team trust and diversity. Drawing parallels from his lifelong passion for music, he compared business transformation to performing in an ensemble, stressing the value of active listening, responding in real time, and moving forward after mistakes.
Looking to the future, he highlighted tremendous opportunities at the intersection of IT and operational technology, especially through targeted AI use and holistic platform development. Telasaz encouraged technology executives to first become students of their business and to be both bold and practical. They must be clear in their goals, grounded in the mission, and engaged, crafting foundational strategies for resilient, competitive organizations.
“When we can make the path clear, our team members and business partners can walk the journey with more confidence and trust,” Telasaz said.