VYPR
breach · Published Jun 23, 2026 · 1 source

Two Threat Actors Shared a Compromised SharePoint Environment, Microsoft DART Reveals

Microsoft's DART team uncovered two separate threat actors, including Storm-2603, simultaneously operating inside the same on-premises SharePoint environment, using Velociraptor, Cloudflare tunnels, Zoho Assist, and VS Code SSH for persistence.

A routine ransomware investigation turned into something far more alarming when security researchers uncovered two separate threat actors quietly sharing the same compromised environment. What started as a single intrusion quickly revealed a far more complex operation involving multiple remote access tools, tunneling software, and legitimate administrative utilities weaponized for long-term persistence inside a target network.

The attack centered on on-premises SharePoint servers, which had been under sustained pressure since mid-2025. The threat actor, tracked as Storm-2603, exploited known vulnerabilities while probing for additional entry points. Requests were made for sensitive files like win.ini and web.config, suggesting reconnaissance for local file inclusion weaknesses, though full exploitation of this specific vector was not confirmed during the investigation.

Analysts at Microsoft identified the full scope of this campaign after correlating signals across identities, endpoints, and cloud infrastructure. Their Detection and Response Team, known as DART, uncovered the coordinated use of multiple tools to sustain access, escalate privileges, and stay completely hidden inside the target network for an extended period without raising any alarms.

Once inside, the attackers layered their access using a combination of well-known and trusted tools. Storm-2603 deployed Velociraptor, a legitimate open-source forensic and incident response tool, with SYSTEM-level privileges to map the compromised environment. Since Velociraptor is widely trusted and commonly used by security teams, its presence blended seamlessly with normal administrative behavior. To ensure continued remote access, the attackers configured Cloudflare tunnels, which allowed them to route traffic through a trusted third-party service and bypass conventional network monitoring. They also used Zoho Assist and SSH connections established through Visual Studio Code, creating multiple redundant access channels.

Privilege escalation followed shortly after, with new local and domain administrator accounts created to lock in long-term control. A vulnerable driver was also exploited to tamper with system memory and disable security protections, further reducing the attackers' visibility to defense tools running within the compromised environment.
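A defender-side correlation of the persistence pattern the two paragraphs above describe (a trusted forensic or remote-access tool appearing on a host together with a freshly created account promoted to administrator), written as an added example for this page and not code from Microsoft or DART; the binary-name markers and the event tuples it consumes are constructed assumptions, not indicators from the report:

```python
from collections import defaultdict

# Command-line substrings for the tools the report names. The binary names are
# assumptions made for this example, not indicators taken from the report.
TOOL_MARKERS = {"velociraptor": "Velociraptor", "cloudflared": "Cloudflare tunnel",
                "zohoassist": "Zoho Assist", "code tunnel": "VS Code remote tunnel/SSH"}

# An event is (host, kind, user, detail): kind is "process" (detail = command line)
# or "account" (detail = "created:<name>" or "admin_added:<name>").
def classify(events):
    """Per-host findings: remote-access tooling (noting when a tool runs as
    SYSTEM) and brand-new accounts promoted into an administrators group."""
    findings, created = defaultdict(list), defaultdict(set)
    for host, kind, user, detail in events:
        if kind == "process":
            for marker, label in TOOL_MARKERS.items():
                if marker in detail.lower():
                    findings[host].append(label + (" as SYSTEM" if user.upper() == "SYSTEM" else ""))
        elif kind == "account":
            action, _, name = detail.partition(":")
            if action == "created":
                created[host].add(name)
            # Only a newly created account gaining admin rights is flagged here;
            # promotion of a pre-existing account is left to other detections.
            elif action == "admin_added" and name in created[host]:
                findings[host].append(f"new admin account {name}")
    return dict(findings)

def layered_persistence_hosts(events):
    """Hosts with both a remote-access/tunnel tool and a new admin account, the
    combination the report describes Storm-2603 using to lock in access."""
    hits = []
    for host, notes in classify(events).items():
        has_tool = any(not n.startswith("new admin") for n in notes)
        has_admin = any(n.startswith("new admin") for n in notes)
        if has_tool and has_admin:
            hits.append(host)
    return sorted(hits)

# Constructed sample telemetry (not from the incident): one SharePoint host with
# the full pattern, one host where only a pre-existing account was promoted.
SAMPLE_EVENTS = [
    ("sp-web-01", "process", "SYSTEM", r"C:\Tools\velociraptor.exe client -c client.yaml"),
    ("sp-web-01", "process", "svc_sp", r"C:\Tools\cloudflared.exe tunnel run"),
    ("sp-web-01", "account", "svc_sp", "created:spadmin2"),
    ("sp-web-01", "account", "svc_sp", "admin_added:spadmin2"),
    ("file-01", "process", "jdoe", r"C:\Program Files\Git\usr\bin\ssh.exe fileshare"),
    ("file-01", "account", "helpdesk", "admin_added:jdoe"),
]
```

Run `layered_persistence_hosts(SAMPLE_EVENTS)` to see that only the SharePoint host is flagged; the file server, where an existing account was promoted without any tunnel or remote-access tooling, is left for other detections.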

A second, unrelated threat actor was also found operating within the same environment at the same time. That group relied on malicious DLL sideloading and custom backdoors, techniques entirely distinct from Storm-2603's methods. The presence of two overlapping attack campaigns significantly complicated attribution and made the full scope of the intrusion far harder to detect or contain.

Microsoft said in a report shared with Cyber Security News that DART contained the intrusion by activating a structured response playbook, correlating telemetry across all affected systems, and conducting daily briefings with the organization to ensure timely and aligned containment actions throughout the investigation.

The findings highlight how far threat actors are willing to go to maintain their foothold inside a network. When two separate groups are working within the same environment simultaneously, signals become mixed, attribution becomes harder, and traditional detection methods begin to fall short. Microsoft's response team emphasized that organizations should prioritize patching internet-facing systems, strengthen identity security, deploy endpoint protection widely, retain telemetry centrally, and keep incident response playbooks tested and ready to activate quickly.

Synthesized by Vypr AI