Active Exploits Targeting Microsoft SharePoint Environments
Stay informed about the latest exploits to keep your SharePoint environments safe.
Microsoft has confirmed ongoing attacks exploiting vulnerabilities in on-premises SharePoint Server (CVE-2025-53770 and CVE-2025-53771), affecting SharePoint 2016, 2019, and Subscription Edition.
These attacks involve unauthorized file creation and obfuscated PowerShell commands, often executed through IIS worker processes. Microsoft Defender has flagged malware such as HijackSharePointServer.A and SuspSignoutReq.A as part of the threat activity.
Key indicators of compromise include:
- Creation of spinstall0.aspx in SharePoint layouts directories.
- PowerShell commands executed via w3wp.exe.
- Defender alerts indicating suspicious IIS behavior or malware presence.
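A hunt for the first two indicators above, written as an added example (it is not Microsoft's or IPQS's code). The event field names, host names and sample paths are constructed assumptions; map them to your own file-creation and process-creation telemetry.

```python
import ntpath
from collections import defaultdict

# Constructed sample telemetry, not from a real host. The field names and
# the D:\example directory layout are assumptions for this example.
SAMPLE_EVENTS = [
    {"type": "file_create", "host": "sp01",
     "path": r"D:\example\TEMPLATE\LAYOUTS\spinstall0.aspx"},
    {"type": "file_create", "host": "sp01",
     "path": r"D:\example\TEMPLATE\LAYOUTS\styles\core.css"},
    {"type": "process_create", "host": "sp01",
     "parent_image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"type": "process_create", "host": "sp02",
     "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
]

FILE_IOC = "spinstall0.aspx created in a layouts directory"
PROC_IOC = "PowerShell executed via w3wp.exe"
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

def _name(path):
    # Lower-cased file name of a Windows path; ntpath works on any OS.
    return ntpath.basename(path or "").lower()

def classify(event):
    """Return the indicator an event matches, or None."""
    if event.get("type") == "file_create":
        parts = event.get("path", "").replace("/", "\\").lower().split("\\")
        if parts[-1] == "spinstall0.aspx" and "layouts" in parts[:-1]:
            return FILE_IOC
    elif event.get("type") == "process_create":
        if (_name(event.get("parent_image")) == "w3wp.exe"
                and _name(event.get("image")) in POWERSHELL_IMAGES):
            return PROC_IOC
    return None

def hunt(events):
    """Group matched indicators by host; several on one host raise priority."""
    hits = defaultdict(set)
    for event in events:
        indicator = classify(event)
        if indicator:
            hits[event.get("host", "unknown")].add(indicator)
    return {host: sorted(found) for host, found in hits.items()}

if __name__ == "__main__":
    for host, found in hunt(SAMPLE_EVENTS).items():
        print(host, "->", "; ".join(found))
```
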
Microsoft has released security updates and urges organizations to patch immediately, rotate machine keys, and enable AMSI scanning.
How IPQS can help protect your environment:
IPQS adds essential multi-layered protection against early-stage compromise and post-exploit activity:
- IP reputation scoring identifies and blocks access from high-risk IPs, including residential proxies and rotating infrastructure.
- Device fingerprinting detects anomalies and unauthorized access attempts across sessions and endpoints.
- Real-time cyber threat intelligence enables proactive threat hunting and blocking based on attacker behavior patterns.
Recently flagged suspicious IPs linked to this activity:
185.220.101.54
45.153.160.140
103.208.220.130
188.166.89.82
As attackers take advantage of zero-day exploits and unpatched systems, security teams need deeper visibility into who is connecting and how. IPQS helps organizations detect and block cyber threats before they escalate.
If your team is managing on-prem SharePoint infrastructure, it’s time to patch—and to evaluate your exposure across access points.