SharePoint Vulnerabilities, Scattered Spider Ecosystem
Threat Content Highlights
Threat Objects
- A new Campaign was published on Monday covering the SharePoint vulnerabilities that have been trending since the weekend. Incident responders identified suspected zero-day (previously undisclosed) mass exploitation activity in which attackers were able to perform remote code execution by extracting cryptographic keys from internet-connected, on-premises SharePoint servers.
- Vulnerability exploit-focused objects in Tidal Cyber typically represent opportunities to explore where you might have downstream defensive coverage (or gaps) relevant to a particular campaign – learn more in our playbook here.
Threat Profiles
“Trending & Emerging Threats” weekly update: Scattered Spider Ecosystem
- We are once again highlighting this curated Profile, which we last spotlighted here in early June, after incident responders published details on an intrusion attributed to the group, which they described as “the first reported Scattered Spider attack chain of 2025”. The latest update to the Profile includes the new Campaign we published and an update to Tool weightings.
- Despite recent news reporting that highlighted how the group continues to reuse the same or similar initial access techniques (like voice-based social engineering), this new Campaign includes four notable Techniques newly linked to Scattered Spider (T1651, T1098.002, T1562.007, T1070.008), underscoring how the group’s post-compromise behavior continues to evolve and why defenders need awareness of these techniques (and relevant defenses).