In a stern advisory to organizations worldwide, Microsoft has raised the alarm over a surge in cyberattacks exploiting critical vulnerabilities in on-premises Exchange Server and SharePoint Server environments.
The tech giant warns that these attacks, observed over recent months, are increasingly sophisticated and pose a significant threat to organizational data and infrastructure.
According to Microsoft, threat actors are leveraging these vulnerabilities to gain persistent, privileged access to targeted systems, allowing them to execute remote code, move laterally across networks, and exfiltrate sensitive data. The growing complexity of these attack chains highlights the evolving capabilities of cybercriminal groups.
NTLM Relay and Stealthy Intrusions on the Rise
One of the most concerning developments is the increased use of NTLM relay and credential theft attacks against Exchange Server. By exploiting weaknesses in the NTLM authentication protocol, attackers are able to capture and relay stolen credentials to gain unauthorized access. These attacks often target privileged accounts, amplifying the potential damage.
Meanwhile, attacks on SharePoint Server have taken a more covert turn. Threat actors have been seen modifying legitimate files—such as appending web shell code to existing pages—and deploying Remote Monitoring and Management (RMM) tools to maintain undetected, long-term access. These stealthy methods make detection by conventional security tools challenging.
Proactive Defense with AMSI Integration
In a significant move to bolster defenses, Microsoft has integrated the Windows Antimalware Scan Interface (AMSI) into both Exchange and SharePoint Server. Acting as a real-time filter within the IIS pipeline, AMSI inspects incoming HTTP requests—including the request bodies—for signs of malicious activity.
ALSO READ: Call for Cyber Experts: Join FCRF Academy as Trainers and Course Creators
When a threat is detected, AMSI proactively blocks the request, returning an HTTP 400 Bad Request error, effectively neutralizing the threat before it can exploit the system—even in the absence of a formal patch. This is especially vital in the context of zero-day vulnerabilities, where attackers often move quickly to exploit systems before patches are available.
Microsoft notes that AMSI integration significantly strengthens the ability to detect and prevent web shell deployments, Server-Side Request Forgery (SSRF), and credential theft attempts. These alerts are then surfaced to Microsoft Defender, enabling further analysis and rapid response.
ALSO READ: Call for Chapters: Contribute to the Book “Cyber Crime – From Theory to Practice”
Urgent Recommendations for Organizations
To mitigate the growing risks, Microsoft is urging all organizations still relying on on-premises Exchange and SharePoint servers to take the following critical actions:
- Apply all available security updates and patches immediately
- Enable AMSI integration and ensure compatible antimalware tools are running
- Audit and secure NTLM authentication configurations, including enabling Extended Protection for Authentication (EPA)
- Monitor network activity vigilantly, looking for unusual HTTP traffic or unauthorized mailbox access
With attackers constantly refining their techniques, Microsoft stresses the importance of layered security defenses and swift incident response to safeguard mission-critical assets and sensitive information.