Jul 22, 2025

SharePoint May Be Sharing Too Much

abstract polygonal hacker with laptop on technology dark background

Why It’s Time to Get Serious About AI-Driven Pre-Zero Day Detection

Another day, another breach. This one is targeting the core collaboration engine of thousands of enterprises: Microsoft SharePoint. Today, CISA confirmed active exploitation of a new remote code execution (RCE) vulnerability (CVE-2025-53770, a variant of CVE-2025-49706), which is reportedly allowing unauthenticated attackers execute code, steal internal configurations, and access full SharePoint content. The attack, publicly being tracked under the name “ToolShell,” is already in the wild, with IPs tied to known malicious infrastructure. This is real-time, unauthenticated, remote exploitation, already being leveraged by threat actors.

Pre-Zero Day Threats Are The New Normal

We’re not just dealing with zero-days; we’re facing pre-zero-day attacks that are formulated, rehearsed, and deployed before traditional security tools even know what hit them. ToolShell is the perfect case study. As a mutation of a known vulnerability, it bypasses standard detection layers and leverages legitimate SharePoint components like ToolPane.aspx to stay under the radar. It grants access to everything from configurations to collaboration content, often the lifeblood of an organization. It is a surgical, strategic exploitation. And it underscores the urgent need to shift our defenses left, detecting attacks during their formulation, not after the breach.

AI-Based Pre-Zero Day Detection & What That Actually Means

This isn’t about slapping “AI” on your antivirus solution. Pre-zero day detection involves leveraging artificial intelligence to analyze behaviors, discussions, and activities, to identify threats while in the formulation stage, before it is launched.

Here’s how this might manifest in this latest case:

  • Behavioral Baselines – AI monitors assets, devices and the systems that operate on them such as SharePoint and other systems, for deviations from known-good behavior (e.g., unexpected access to ToolPane.aspx from non-privileged IPs).
  • Anomaly Clustering – Threats like ToolShell often start as small probes. AI groups and escalates these patterns before they evolve into full-blown intrusions.
  • Attack Path Mapping – AI can simulate likely lateral movement or privilege escalation paths before an attacker can exploit them.
  • Threat Formulation Detection – AI can correlate signals across seemingly unrelated telemetry using collaborative security that involves the entire tech stack. This broader, non- siloed approach can spot threat actors discussing or staging an attack, even before code is executed.

What Should Organizations Do Now?

If you run SharePoint on-premises, especially if it’s exposed to the public internet, you are at risk. Here’s some steps you should consider taking:

1. Triage and Contain

  • Enable AMSI integration with Defender AV on all SharePoint servers.
  • If AMSI cannot be deployed, disconnect the system from internet-facing access immediately.
  • Scan for suspicious POST requests to /_layouts/15/ToolPane.aspx?DisplayMode=Edit.

2. Implement Pre-Zero Day Capabilities

  • Evaluate and implement an AI-based detection platform that provides behavioral analytics, lateral movement detection, and attack staging insights.
  • Look for tools that integrate across your SIEM, SOAR, and EDR ecosystem, AI needs visibility to be effective.

3. Harden and Monitor

  • Audit user roles, implement zero trust to minimize layout and admin permissions.
  • Monitor or block known malicious IPs: 107.191.58.76, 104.238.159.149, 96.9.125.147.
  • Deploy updated WAF/IPS rules to flag and block related exploit patterns.
  • Enable deep logging and forward telemetry to your threat detection and response platform for continuous analysis.

After The Attack – What Needs To Happen Next

Just as ransomware turned endpoint security into a board-level concern, ToolShell should be the wake-up call for a look in the proverbial mirror and audit whether your cyberexposure management and security solution is fit for purpose.

SharePoint is the latest, but not only example,  where critical workflows, sensitive files, and operational logic live. You can’t patch faster than an attacker can mutate. But you can detect intent before it becomes a breach. The future of cyber defense is predictive and should be ‘left-of-boom’. AI-based, pre-zero day threat detection is no longer a POC technology, it is core to cyber exposure management and to organizational resilience.

Get Updates

Sign up to receive the latest from Armis.