Why This Warning Matters
If your business still relies on on-premises Microsoft Exchange or SharePoint servers, pay attention—cybercriminals are aggressively exploiting critical vulnerabilities to hijack corporate networks. Microsoft has issued urgent warnings after detecting a surge in attacks that allow hackers to:
- Execute remote code (taking full control of servers)
- Move laterally across networks (accessing sensitive data)
- Abuse server authentication through NTLM relay attacks
- Hide malicious activity by tampering with legitimate files
These aren’t just theoretical risks. Real-world attacks have already led to data breaches, ransomware infections, and prolonged unauthorized access. The worst part? Many businesses don’t realize they’ve been compromised until it’s too late.
How Hackers Are Breaking Into Exchange and SharePoint Servers
1. NTLM Relay Attacks: The Silent Credential Thief
One of the biggest threats right now is the NTLM relay attack, which abuses the challenge-response authentication that Windows falls back to when Kerberos is not used. Here’s how it works:
- Attackers trick the server into authenticating to a host they control (for example, by coercing an Exchange Server into connecting to it).
- Nothing is cracked: they forward the server’s NTLM messages in real time to another service that still accepts NTLM (a domain controller’s LDAP interface, another Exchange server) and are authenticated there as the server’s own account, which is often highly privileged.
- With that foothold, they escalate privileges, deploy malware, or steal data.
Microsoft has noted a sharp rise in these attacks, especially against unpatched Exchange Servers.
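A relayed logon leaves a tell-tale artifact on the target: a network NTLM logon (Security event 4624, logon type 3) whose claimed workstation name does not match the address the logon actually came from, because the victim's NTLM messages arrive from the attacker's host. The following PowerShell is an added example, not code from the original article or from Microsoft; the host inventory and the sample events are constructed, and a real deployment would feed it from a CMDB or DNS and from the Security log of the relay target (typically a domain controller).

```powershell
# Added example: flag NTLM network logons whose source IP is not assigned to the
# workstation the client claimed. In a relay, the claimed workstation is the victim
# server but the IP is the attacker's host, so the two disagree.

# Constructed host inventory (hostname -> known IPs). Replace with CMDB/DNS data.
$KnownHosts = @{
    'EXCH01' = @('10.0.1.20')
    'SP01'   = @('10.0.1.30')
    'WS-042' = @('10.0.5.42')
}

function Test-NtlmLogonMismatch {
    param(
        [Parameter(Mandatory)] [string]$Workstation,
        [Parameter(Mandatory)] [string]$IpAddress,
        [Parameter(Mandatory)] [hashtable]$Inventory
    )
    $name = $Workstation.TrimEnd('$').ToUpperInvariant()
    # A workstation name nobody in the inventory owns is worth a look on its own.
    if (-not $Inventory.ContainsKey($name)) { return $true }
    return (-not ($Inventory[$name] -contains $IpAddress))
}

function Find-SuspectNtlmLogon {
    param(
        [Parameter(Mandatory)] [object[]]$Events,
        [hashtable]$Inventory = $KnownHosts
    )
    foreach ($e in $Events) {
        # Only network logons authenticated with NTLM are candidates for relay.
        if ($e.LogonType -ne 3 -or $e.AuthPackage -ne 'NTLM') { continue }
        if (Test-NtlmLogonMismatch -Workstation $e.Workstation -IpAddress $e.IpAddress -Inventory $Inventory) {
            [pscustomobject]@{
                Time        = $e.Time
                Account     = $e.Account
                Workstation = $e.Workstation
                IpAddress   = $e.IpAddress
                Reason      = 'NTLM network logon from an IP not assigned to the claimed workstation'
            }
        }
    }
}

# Convert live 4624 records into the shape above (run this on the relay target, e.g. a DC).
function ConvertFrom-LogonEvent {
    param([Parameter(Mandatory, ValueFromPipeline)] $Record)
    process {
        $d = @{}
        foreach ($x in ([xml]$Record.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
        [pscustomobject]@{
            Time        = $Record.TimeCreated
            Account     = $d['TargetUserName']
            Workstation = $d['WorkstationName']
            IpAddress   = $d['IpAddress']
            LogonType   = [int]$d['LogonType']
            AuthPackage = $d['AuthenticationPackageName']
        }
    }
}

# Constructed sample events, using the field names of Security event 4624.
# The second one models a relay: EXCH01's machine account arriving from a host that is not EXCH01.
$Sample = @(
    [pscustomobject]@{ Time = '2024-05-01T09:00:01'; Account = 'WS-042$'; Workstation = 'WS-042'; IpAddress = '10.0.5.42'; LogonType = 3; AuthPackage = 'NTLM' },
    [pscustomobject]@{ Time = '2024-05-01T09:00:05'; Account = 'EXCH01$'; Workstation = 'EXCH01'; IpAddress = '10.0.9.99'; LogonType = 3; AuthPackage = 'NTLM' },
    [pscustomobject]@{ Time = '2024-05-01T09:00:07'; Account = 'alice';   Workstation = 'WS-042'; IpAddress = '10.0.5.42'; LogonType = 3; AuthPackage = 'Kerberos' }
)

Find-SuspectNtlmLogon -Events $Sample | Format-Table -AutoSize

# Live use (requires "Audit Logon" success auditing on the target):
# Find-SuspectNtlmLogon -Events (Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624} -MaxEvents 5000 | ConvertFrom-LogonEvent)
```

The heuristic is deliberately narrow: it only fires on NTLM network logons, and it needs an accurate host-to-address inventory, so multi-homed servers and DHCP clients must be listed with all their addresses or they will show up as false positives.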
2. SharePoint Attacks: Malware Hidden in Plain Sight
SharePoint servers are also under fire, but hackers are getting sneakier. Instead of obvious malware, they:
- Modify legitimate files (like the .aspx pages SharePoint already serves) so a backdoor is reachable through a URL that looks normal.
- Deploy command-and-control implants (for example Cobalt Strike beacons) to maintain long-term access.
- Use fileless techniques, running code only in memory, to evade antivirus scans that look at files on disk.
Since SharePoint often stores confidential documents and internal communications, a breach here can be catastrophic.
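Because the tampering described above changes files that are supposed to be static, a hash baseline of the server-side pages under the web root catches it without any malware signature. The PowerShell below is an added example, not code from the original article or from Microsoft: it builds a SHA-256 baseline, compares a later snapshot against it, and demonstrates the comparison on a constructed temporary directory in which one page is altered and one new page appears. The SharePoint paths named in the comments are the usual locations for a 16-hive installation and should be checked against your own farm.

```powershell
# Added example: baseline and diff the hashes of ASP.NET pages under a web root.
# Typical SharePoint roots to baseline (verify for your farm):
#   C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS
#   C:\inetpub\wwwroot\wss\VirtualDirectories
function New-WebRootBaseline {
    param(
        [Parameter(Mandatory)] [string]$Root,
        [string[]]$Include = @('*.aspx', '*.ashx', '*.asmx', '*.ascx')
    )
    $baseline = @{}
    Get-ChildItem -Path $Root -Recurse -File -Include $Include | ForEach-Object {
        # Key by path relative to the root so the baseline is portable between servers.
        $rel = $_.FullName.Substring($Root.TrimEnd('\').Length).TrimStart('\')
        $baseline[$rel] = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
    }
    return $baseline
}

function Compare-WebRootBaseline {
    param(
        [Parameter(Mandatory)] [hashtable]$Baseline,
        [Parameter(Mandatory)] [hashtable]$Current
    )
    $findings = @()
    foreach ($k in $Current.Keys) {
        if (-not $Baseline.ContainsKey($k)) {
            $findings += [pscustomobject]@{ File = $k; Change = 'Added' }
        } elseif ($Baseline[$k] -ne $Current[$k]) {
            $findings += [pscustomobject]@{ File = $k; Change = 'Modified' }
        }
    }
    foreach ($k in $Baseline.Keys) {
        if (-not $Current.ContainsKey($k)) {
            $findings += [pscustomobject]@{ File = $k; Change = 'Removed' }
        }
    }
    return $findings
}

# Constructed demo: a throwaway web root with one legitimate page.
$root = Join-Path ([IO.Path]::GetTempPath()) ('webroot-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path (Join-Path $root 'LAYOUTS') -Force | Out-Null
Set-Content -Path (Join-Path $root 'LAYOUTS\start.aspx') -Value '<%@ Page Language="C#" %><html>ok</html>'

# Take the baseline right after patching, when the files are known good, and keep it off the server.
$baseline = New-WebRootBaseline -Root $root
$baseline | ConvertTo-Json | Set-Content -Path (Join-Path $root 'baseline.json')

# Simulated tampering: an existing page grows an extra server-side block and a new page appears.
Add-Content -Path (Join-Path $root 'LAYOUTS\start.aspx') -Value '<% /* appended block */ %>'
Set-Content -Path (Join-Path $root 'LAYOUTS\debug_helper.aspx') -Value '<%@ Page Language="C#" %>'

# Later snapshot versus the stored baseline.
$stored  = @{}
(Get-Content -Path (Join-Path $root 'baseline.json') -Raw | ConvertFrom-Json).PSObject.Properties |
    ForEach-Object { $stored[$_.Name] = $_.Value }
$current = New-WebRootBaseline -Root $root
Compare-WebRootBaseline -Baseline $stored -Current $current | Format-Table -AutoSize

Remove-Item -Path $root -Recurse -Force
```

Re-baseline immediately after every SharePoint update, since patches legitimately change these files; any "Added" or "Modified" entry between updates is something to open and read, not something to assume is benign.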
Microsoft’s New Defense: AMSI Integration
To combat these threats, Microsoft has integrated the Windows Antimalware Scan Interface (AMSI) into Exchange and SharePoint. Here’s why this matters:
- AMSI lets the antimalware engine inspect the body of incoming HTTP requests before Exchange or SharePoint processes them, so a malicious payload can be blocked before it reaches application code.
- It works through whatever AMSI-capable antimalware product is installed (Microsoft Defender Antivirus or a third-party engine), so detection improves as that engine’s signatures do.
- It is the same interface Windows already uses to expose PowerShell scripts and Office macros to antimalware at runtime, so content that never touches disk, the fileless payloads and script-based tooling attackers push through these requests, is still inspected.
But AMSI alone isn’t enough; businesses must take additional steps to lock down their servers.
How to Protect Your Servers Right Now
Microsoft’s advisory includes urgent recommendations for businesses:
1. Patch Immediately
- Apply the latest security updates for Exchange Server and SharePoint.
- Many attacks exploit known vulnerabilities that have patches available.
2. Enable AMSI Protection
- Ensure AMSI is enabled and properly configured in Exchange and SharePoint. Exchange ships with AMSI request scanning on by default, so check that no setting override has switched it off.
- Verify that your antimalware product registers as an AMSI provider (Microsoft Defender Antivirus does); without a provider, the integration inspects nothing.
3. Audit and Harden NTLM Authentication
- Disable NTLM where possible (use Kerberos instead), and use the “Network security: Restrict NTLM” policies in audit mode first to find what still depends on it.
- Where NTLM must remain, remove the relay targets: require SMB signing, require LDAP signing and LDAP channel binding on domain controllers, and enable Extended Protection for Authentication on Exchange’s IIS virtual directories so a relayed session fails its channel check.
4. Monitor for Suspicious Activity
- Look for unusual logins (NTLM network logons from addresses that don’t belong to the named workstation), unexpected changes to .aspx and other server-side files under the web root, or PowerShell commands the server would not normally run.
- Use SIEM tools (like Microsoft Sentinel) to detect attacks early.
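The four recommendations above reduce to a handful of settings that can be read off a server in one pass. The PowerShell below is an added example, not a script from the original article or from Microsoft; it assumes it runs in the Exchange Management Shell on an Exchange server (for Get-ExchangeServer and Get-SettingOverride) with the WebAdministration module available for the IIS:\ drive. The virtual directory names, the LDAP registry checks (which only matter on a domain controller) and the English-language match on the auditpol output are assumptions to adjust for your environment; Microsoft’s own ExchangeExtendedProtectionManagement script remains the authoritative Extended Protection check.

```powershell
# Added example: one-shot posture report for patch level, AMSI, NTLM hardening and monitoring prerequisites.
Import-Module WebAdministration -ErrorAction SilentlyContinue

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Get-ServerHardeningReport {
    param([string[]]$VirtualDirectories = @('Default Web Site\EWS', 'Default Web Site\OWA', 'Default Web Site\Autodiscover'))
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Check, [string]$Status, [string]$Detail) {
        $findings.Add([pscustomobject]@{ Check = $Check; Status = $Status; Detail = $Detail })
    }

    # 1. Patch level: record each server's build; compare it with the current build in Microsoft's Exchange build table.
    try {
        foreach ($s in Get-ExchangeServer) { Add-Finding 'Patch level' 'Info' "$($s.Name): build $($s.AdminDisplayVersion)" }
    } catch { Add-Finding 'Patch level' 'Unknown' 'Get-ExchangeServer unavailable (not in the Exchange Management Shell?)' }

    # 2. AMSI: the documented way to switch Exchange request scanning off is a SettingOverride for
    #    component Cafe, section HttpRequestFiltering, so any override there deserves scrutiny.
    try {
        $amsi = Get-SettingOverride | Where-Object { $_.ComponentName -eq 'Cafe' -and $_.SectionName -eq 'HttpRequestFiltering' }
        if ($amsi) {
            $names = ($amsi | ForEach-Object { "$($_.Name) [$($_.Parameters -join ';')]" }) -join ', '
            Add-Finding 'AMSI' 'Fail' "HttpRequestFiltering override(s) present: $names"
        } else {
            Add-Finding 'AMSI' 'Pass' 'No HttpRequestFiltering override; request scanning left at its default (on)'
        }
    } catch { Add-Finding 'AMSI' 'Unknown' 'Get-SettingOverride unavailable' }

    # 3a. Extended Protection for Authentication on the IIS virtual directories (tokenChecking should be Require).
    foreach ($vd in $VirtualDirectories) {
        $ep = Get-WebConfiguration -PSPath "IIS:\Sites\$vd" -Filter 'system.webServer/security/authentication/windowsAuthentication/extendedProtection' -ErrorAction SilentlyContinue
        $mode = if ($ep) { "$($ep.tokenChecking)" } else { 'not readable' }
        Add-Finding 'Extended Protection' $(if ($mode -eq 'Require') { 'Pass' } else { 'Fail' }) "$vd tokenChecking=$mode"
    }

    # 3b. NTLM policy and SMB signing on this server.
    $lm = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' 'LmCompatibilityLevel'
    Add-Finding 'LmCompatibilityLevel' $(if ($lm -eq 5) { 'Pass' } else { 'Fail' }) "value=$lm (5 = NTLMv2 only, refuse LM and NTLMv1)"
    $out = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0' 'RestrictSendingNTLMTraffic'
    Add-Finding 'RestrictSendingNTLMTraffic' $(if ($out -eq 2) { 'Pass' } elseif ($out -eq 1) { 'Audit' } else { 'Fail' }) "value=$out (unset/0 allow, 1 audit, 2 deny)"
    $smb = Get-SmbServerConfiguration
    Add-Finding 'SMB signing (server)' $(if ($smb.RequireSecuritySignature) { 'Pass' } else { 'Fail' }) "RequireSecuritySignature=$($smb.RequireSecuritySignature)"

    # 3c. LDAP signing and channel binding: meaningful on domain controllers, the usual relay target.
    $ldapSign = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' 'LDAPServerIntegrity'
    $ldapCb   = Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' 'LdapEnforceChannelBinding'
    if ($null -ne $ldapSign -or $null -ne $ldapCb) {
        Add-Finding 'LDAP signing' $(if ($ldapSign -eq 2) { 'Pass' } else { 'Fail' }) "LDAPServerIntegrity=$ldapSign (2 = require signing)"
        Add-Finding 'LDAP channel binding' $(if ($ldapCb -eq 2) { 'Pass' } else { 'Fail' }) "LdapEnforceChannelBinding=$ldapCb (2 = always)"
    }

    # 4. Monitoring prerequisites: script block logging and logon auditing must be on before a SIEM can see anything.
    $sbl = Get-RegValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' 'EnableScriptBlockLogging'
    Add-Finding 'PowerShell script block logging' $(if ($sbl -eq 1) { 'Pass' } else { 'Fail' }) "EnableScriptBlockLogging=$sbl"
    $audit = (auditpol /get /subcategory:"Logon" 2>$null) -join ' '
    Add-Finding 'Logon auditing' $(if ($audit -match 'Success and Failure') { 'Pass' } else { 'Fail' }) 'auditpol /get /subcategory:"Logon" (assumes English output)'

    return $findings
}

Get-ServerHardeningReport | Format-Table -AutoSize
```

Treat a "Fail" on Extended Protection or LDAP channel binding as the most urgent item: those are the controls that make a relayed NTLM session unusable even when NTLM itself cannot yet be disabled. Move RestrictSendingNTLMTraffic from audit to deny only after the audit events show no remaining legitimate NTLM use.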
Final Thoughts: Don’t Wait Until It’s Too Late
Cybercriminals are actively hunting unpatched servers, and the consequences of a breach can be devastating: data theft, ransomware, regulatory fines, and reputational damage.
If you manage Exchange or SharePoint on-premises, act now:
- Patch your servers
- Enable AMSI
- Lock down NTLM
- Monitor for threats
The longer you wait, the higher the risk.