- Storm‑2603 has targeted on‑premises SharePoint servers since mid‑2025 by exploiting known vulnerabilities.
- The second actor left indicators of Dynamic Link Library sideloading—tactics often used to masquerade as trusted software, execute payloads, establish backdoors, and maintain persistence.
Microsoft’s Incident Response team uncovered a ransomware case in which two unrelated threat actors operated simultaneously inside victim environments, underscoring how modern intrusions can overlap and demand coordinated detection and response, the company said in a new DART report.
Investigators traced the activity to on‑premises SharePoint servers targeted via publicly disclosed vulnerabilities. The intrusion blended classic ransomware techniques with additional tradecraft designed to gain deep, persistent access across identities, endpoints, and cloud resources.
After initial findings indicated lateral movement into a second organization, Microsoft notified the entity, which confirmed compromise by the same ransomware activity attributed to Storm‑2603. A joint review with Microsoft Threat Intelligence then revealed a second, separate threat actor acting in parallel.
“Two distinct threat activity streams were operating in parallel, rather than sequentially,” Microsoft’s researchers said, noting that only by correlating identity, endpoint, and cloud telemetry did the full scope become clear.
According to Microsoft, Storm‑2603 has targeted on‑premises SharePoint servers since mid‑2025 by exploiting known vulnerabilities. The second actor left indicators of Dynamic Link Library (DLL) sideloading—tactics often used to masquerade as trusted software, execute payloads, establish backdoors, and maintain persistence.
The report did not detail financial losses.
Microsoft urged organizations to tighten defenses, including:
- Prioritizing rapid patching of internet‑facing systems and known exploitable vulnerabilities
- Treating high‑privilege identities as critical attack surfaces
- Ensuring endpoint protection is fully deployed before incidents occur
- Avoiding gaps from point‑in‑time tool deployment through continuous monitoring
The company framed the case as a warning that overlapping campaigns are becoming more common, requiring integrated visibility and coordinated response across the enterprise.