Microsoft issued an urgent alert following reports of “active attacks” exploiting a critical vulnerability in SharePoint Server, specifically, SharePoint on-prem (on-premises) versions used by government agencies and private organizations for internal file sharing and collaboration.

The zero-day attack targeted a previously unknown flaw in SharePoint Server 2016 and 2019. According to Microsoft and federal cybersecurity officials, the vulnerability allows an attacker with access to the network to conduct spoofing attacks in which malicious actors impersonate trusted users or systems. While details remain limited, Microsoft has confirmed that SharePoint Online in Microsoft 365 is not affected.

The company released a security update and urges on-prem customers to apply patches immediately. For organizations that cannot do so or lack the ability to implement Microsoft’s recommended malware protections, the guidance was clear: disconnect vulnerable servers from the internet.

A Wake-Up Call for Legacy Systems Like SharePoint On-Premises

Zero-day attacks are always concerning, but this Microsoft SharePoint attack is a strong reminder that Microsoft’s strategic focus is on its cloud-based offerings. SharePoint Online receives more frequent updates and continuous monitoring, and it benefits from Microsoft’s full suite of cloud-native security tools.

SharePoint Server sees far less investment in development and defense than Microsoft’s cloud-based offerings.

No platform is invincible, but Microsoft has far more resources deployed to protect its cloud environments. If SharePoint Online were compromised, the ripple effects would be enormous. That’s why its architecture is layered with advanced DDoS protection, behavioral analytics, threat intelligence and physical data center security. These are capabilities that most individual organizations running SharePoint on-prem simply can’t match.

The Risks of Staying On-Premises

Enterprises relying on on-premises SharePoint are facing a growing list of challenges, including:

  • Outdated security models: On-prem systems rely heavily on perimeter-based security, which has proven insufficient against modern attack vectors like zero-day exploits and ransomware.
  • Delayed patch cycles: Security patches must be manually applied, often resulting in dangerous lag times where systems remain exposed.
  • Limited visibility and monitoring: Many organizations lack real-time threat detection and response capabilities for on-prem environments.
  • High cost of ownership: Maintaining on-prem infrastructure, licensing, backups and disaster recovery adds significant overhead without the agility today’s threat landscape demands.

This attack is a cue to revisit long-term technology stack plans and ensure they reflect today’s risks.

If your team is already considering a move to Microsoft 365 or exploring cloud migration options, this may be the moment to reassess timelines and priorities.

Why Security-Focused Organizations Are Moving to Microsoft 365 and the Cloud

In response to ongoing vulnerabilities, many organizations are accelerating plans to move away from legacy on-prem platforms like SharePoint Server in favor of Microsoft 365 and SharePoint Online. The benefits go beyond just security patches. Microsoft 365 offers:

  • Built-in zero trust architecture to continuously confirm identity, device and context before granting access
  • 24/7 monitored infrastructure
  • Built-in redundancy and automatic updates, including tooling, auditing and policy enforcement
  • A more modern and scalable collaboration experience
  • An advanced, enterprise-grade cloud security stack, with threat detection and response tools like Microsoft Defender for Cloud, Purview and Sentinel
  • Centralized management and reduced infrastructure overhead

Microsoft 365 also positions organizations to take advantage of additional capabilities, like AI integrations, secure external sharing and enhanced compliance features.

What Comes Next

Microsoft is continuing to monitor the threat and has engaged with agencies like CISA and DOD Cyber Defense Command. As updates are released, IT teams will need to act quickly, not just to patch systems, but to ensure broader infrastructure is resilient against evolving threats.

If you’re running SharePoint on-prem, this is a good time to:

  • Confirm whether your environment is affected (SharePoint Server 2016 and 2019)
  • Apply the latest Microsoft security updates immediately
  • Deploy Defender for Endpoint protection or equivalent threat solutions. This will inform you if another server or endpoint has been attacked.
  • Rotate SharePoint Server ASP.NET machine keys.
  • Evaluate your existing malware protection and patching processes
  • Revisit cloud migration strategies already on your roadmap

Review the Microsoft Security Response Center (MSRC) blog post for updates and detailed guidance on the above actions, as well as detection, protection, and threat hunting related to the SharePoint attack.

If your organization is re-evaluating its SharePoint footprint or long-term IT strategy, now is the time to make progress toward a more secure, cloud-based foundation. For more on how Microsoft 365 supports that shift, check out our post on 11 Key Benefits of Microsoft 365 for Your Organization.

Contact Us

Whether you’re addressing the SharePoint on-prem attack or rethinking your roadmap, our Cyber and Information Security Services Team and our cloud experts can help assess risk and guide next steps.