Microsoft has warned organizations worldwide that threat actors are ramping up their exploitation of critical vulnerabilities in on-premises Exchange Server and SharePoint Server.
These attacks, observed in recent months, have enabled cybercriminals to gain persistent and privileged access to targeted environments, leading to remote code execution, lateral movement, and the exfiltration of sensitive data.
While Exchange and SharePoint servers have long been attractive targets due to the sensitive data they store, attackers are now deploying increasingly sophisticated techniques.
A notable shift has been the rise of NTLM relay and credential leakage attacks against Exchange Server. In these scenarios, attackers exploit weaknesses in the NTLM authentication protocol by relaying stolen credentials to vulnerable servers, potentially compromising user accounts and enabling further malicious activity.
Recent campaigns have leveraged vulnerabilities that allow attackers to capture and relay NTLM hashes, often targeting privileged accounts for maximum impact.
SharePoint Server attacks have also become more covert. Threat actors have been observed modifying legitimate files, such as appending web shell code to existing pages and deploying remote monitoring and management (RMM) tools.
These tactics enable persistent, stealthy access that is difficult to detect using traditional security measures.
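The file-tampering pattern described above (code appended to a page that is otherwise legitimate) is one that a hash baseline catches even when the file name, path and timestamp look normal. The script below is an added example, not Microsoft's or the article's own code: it records size and SHA-256 for watched web files, re-scans, and distinguishes a file that was merely modified from one whose original content is still intact with new bytes appended after it. The directory layout and file contents in the demo are constructed; it does not read SharePoint's real content database.

```python
"""Baseline-and-compare check for tampered web application files (added example)."""
import hashlib
import json
import os
import tempfile

# Server-side file types worth watching on an IIS/SharePoint web root (assumption).
WATCHED_EXTENSIONS = (".aspx", ".ashx", ".asmx", ".config")


def file_sha256(path):
    """Return the hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Record size and hash of every watched file under root, keyed by relative path."""
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(WATCHED_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {"size": os.path.getsize(full), "sha256": file_sha256(full)}
    return baseline


def compare_to_baseline(root, baseline):
    """Return findings: files added, removed, or changed since the baseline.

    A changed file that grew, and whose first old_size bytes still hash to the
    baseline value, is reported as 'appended': the original page is intact and
    new content follows it, which is the tampering pattern the article describes.
    """
    current = build_baseline(root)
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            findings.append({"path": rel, "change": "added"})
        elif rel not in current:
            findings.append({"path": rel, "change": "removed"})
        elif baseline[rel]["sha256"] != current[rel]["sha256"]:
            change = "modified"
            if current[rel]["size"] > baseline[rel]["size"]:
                with open(os.path.join(root, rel), "rb") as f:
                    head = f.read(baseline[rel]["size"])
                if hashlib.sha256(head).hexdigest() == baseline[rel]["sha256"]:
                    change = "appended"
            findings.append({"path": rel, "change": change,
                             "old_size": baseline[rel]["size"],
                             "new_size": current[rel]["size"]})
    return findings


def demo():
    """Constructed scenario: baseline a page, then append to it and drop a new handler."""
    with tempfile.TemporaryDirectory() as root:
        layouts = os.path.join(root, "TEMPLATE", "LAYOUTS")  # constructed path
        os.makedirs(layouts)
        page = os.path.join(layouts, "example.aspx")
        with open(page, "wb") as f:
            f.write(b'<%@ Page Language="C#" %>\n<html><body>ok</body></html>\n')
        baseline = build_baseline(root)
        # Simulate tampering: bytes appended to the legitimate page, plus a new file.
        with open(page, "ab") as f:
            f.write(b"<!-- constructed tail standing in for injected code -->\n")
        with open(os.path.join(layouts, "new.ashx"), "wb") as f:
            f.write(b"constructed new handler\n")
        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the baseline is taken from a known-good build or right after patching, stored off-host, and compared on a schedule; an 'appended' finding on a stock page is a high-priority review item because legitimate updates replace files rather than extend them.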
To counter these threats, Microsoft has integrated the Windows Antimalware Scan Interface (AMSI) into both Exchange and SharePoint Server. AMSI acts as a security filter within the IIS pipeline, inspecting incoming HTTP requests, including their bodies, for malicious content before they reach the application layer.
When a threat is detected, AMSI blocks the request in real time, returning an HTTP 400 Bad Request response and preventing exploitation before official patches can be applied.
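Because the article states that an AMSI block surfaces to the client as an HTTP 400, the IIS logs give defenders a second place to look for blocked attempts alongside Defender alerts. The script below is an added example (not Microsoft's or the article's code) that parses IIS W3C log lines by their `#Fields:` header rather than fixed column positions, then groups 400 responses by client address and URI stem so that bursts against a single endpoint stand out. Ordinary malformed requests also produce 400s, so the output is a triage list to correlate with Defender, not an alert on its own. The log lines and addresses are constructed.

```python
"""Triage of HTTP 400 responses in IIS W3C extended logs (added example)."""
from collections import Counter

# Constructed sample in IIS W3C format; real #Fields lists vary per server.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken
2025-05-01 10:00:01 10.0.0.5 GET /owa/ - 443 - 192.0.2.10 Mozilla/5.0 200 0 0 120
2025-05-01 10:00:02 10.0.0.5 POST /autodiscover/autodiscover.json a=b 443 - 198.51.100.7 curl/8.0 400 0 0 5
2025-05-01 10:00:03 10.0.0.5 POST /autodiscover/autodiscover.json a=c 443 - 198.51.100.7 curl/8.0 400 0 0 4
2025-05-01 10:00:04 10.0.0.5 POST /autodiscover/autodiscover.json a=d 443 - 198.51.100.7 curl/8.0 400 0 0 6
2025-05-01 10:00:05 10.0.0.5 GET /ecp/ - 443 - 192.0.2.11 Mozilla/5.0 400 0 0 3
2025-05-01 10:00:06 10.0.0.5 GET /owa/ - 443 - 192.0.2.10 Mozilla/5.0 200 0 0 99
"""


def parse_w3c(text):
    """Parse W3C extended log text into a list of dicts keyed by field name.

    The column order comes from the most recent '#Fields:' directive, so the
    parser follows whatever logging fields the server was configured with.
    Lines whose token count does not match the header are skipped rather than
    misaligned (IIS replaces spaces inside values with '+', so whitespace
    splitting is safe on well-formed lines).
    """
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError("data line encountered before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue
        records.append(dict(zip(fields, values)))
    return records


def count_status(records, status="400"):
    """Number of requests that received the given HTTP status code."""
    return sum(1 for r in records if r.get("sc-status") == status)


def find_400_bursts(records, threshold=3):
    """Return (client_ip, uri_stem, count) for clients with >= threshold 400s to one path.

    Repeated 400s from one source against one endpoint are the shape an
    automated exploitation attempt blocked by a request filter would leave.
    """
    counts = Counter(
        (r["c-ip"], r["cs-uri-stem"])
        for r in records
        if r.get("sc-status") == "400"
    )
    return sorted(
        ((ip, uri, n) for (ip, uri), n in counts.items() if n >= threshold),
        key=lambda t: -t[2],
    )


if __name__ == "__main__":
    recs = parse_w3c(SAMPLE_LOG)
    print(f"{count_status(recs)} requests answered with 400 out of {len(recs)}")
    for ip, uri, n in find_400_bursts(recs):
        print(f"review: {ip} -> {uri} ({n} x 400)")
```

Run it against a real `u_ex*.log` by replacing `SAMPLE_LOG` with the file's contents; the threshold is deliberately low for the demo and should be tuned to the server's normal 400 rate.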
This proactive defense is especially critical for zero-day vulnerabilities, where attackers often strike before organizations have a chance to update their systems.
AMSI’s integration ensures that malicious attempts such as SSRF, web shell deployment, and credential theft are detected and blocked, with incidents surfaced to Microsoft Defender for further investigation and remediation.
Microsoft strongly urges organizations running on-premises Exchange or SharePoint servers to:
As attackers continue to innovate, layered defenses and rapid response remain essential to protecting critical business assets from compromise.