DFIR field guide: Investigating ToolShell-driven SharePoint intrusions (Talos IR Q3 2025)
Cisco Talos IR’s Q3 2025 report highlights a sharp rise in compromises that began with exploitation of on-premises Microsoft SharePoint via the ToolShell chain. More than 60% of Talos engagements involved exploitation of public-facing apps, and almost 40% showed ToolShell activity; ransomware dropped to ~20% of cases while post-exploitation phishing from compromised accounts continued to climb (Talos IR Q3 2025). Microsoft confirms active, multi-actor abuse of new SharePoint bugs (CVE-2025-53770, CVE-2025-53771) related to earlier July CVEs (CVE-2025-49704, CVE-2025-49706), and stresses that only on-prem servers are affected-not SharePoint Online (Microsoft Security TI, MSRC customer guidance). CISA added CVE-2025-53770 to the KEV catalog, underscoring exploitation in the wild (CISA KEV entry).