SharePoint Attacks Should Lead Companies To ‘Rethink’ Risk Of On-Prem Vs. Cloud: Expert
While organizations may have a variety of reasons for sticking with on-premises Microsoft SharePoint servers, widespread attacks targeting the servers are grounds to ‘re-do their risk calculus,’ former FBI cybersecurity leader Cynthia Kaiser tells CRN.
While organizations may have a variety of reasons for sticking with on-premises Microsoft SharePoint servers, widespread attacks targeting the servers are grounds to “re-do their risk calculus” and explore potential cloud-based options, a former FBI cybersecurity leader told CRN.
A wave of cyberattacks over the past week has compromised hundreds of on-premises SharePoint Server customers by exploiting newly discovered vulnerabilities in the systems, according to researchers. The attacks have reportedly impacted multiple U.S. government agencies, with the federal National Nuclear Security Administration confirmed to be among the victims.
Threat researchers at Google Cloud and Microsoft have linked at least some of the attacks to China-based threat actors, including groups focused on intellectual property theft, espionage and ransomware.
On the other hand, the flaws do not impact SharePoint Online in Microsoft 365.
All in all, the widely felt incident should prompt some on-prem SharePoint customers to newly consider a move to the cloud, according to Cynthia Kaiser, formerly deputy assistant director for the FBI Cyber Division and now senior vice president at anti-ransomware startup Halcyon.
“I hope that it pushes people who don’t need to be on-prem to seriously consider those costs and benefits — and maybe just rethink that risk calculus,” she said.
Researchers at Check Point said Thursday they have observed more than 4,600 attempted compromises against on-premises SharePoint customers, with a third of the targeted organizations in the U.S. and 9 percent in Canada. About half of the targeted organizations are in the government sector while a fourth are software companies and 9 percent are in the telecommunications industry, according to Check Point data.
Many government agencies and companies continue to use on-premises SharePoint Servers either out of necessity or perhaps without even realizing it, experts have told CRN.
For instance, some companies involved in critical infrastructure may be unable to use a cloud version of SharePoint out of concerns such as the risk of downtime, according to Trey Ford, CISO for the Americas at crowdsourced cybersecurity platform Bugcrowd.
“The idea of their services going offline does not work,” Ford said.
In other cases, a company may simply lack visibility into legacy SharePoint servers, said Nick Hyatt, senior threat intelligence analyst at Herndon, Va.-based GuidePoint Security, No. 37 on CRN’s Solution Provider 500 for 2025.
“Maybe there’s an on-prem SharePoint Server that nobody uses anymore, but it perhaps got exposed to the internet, and you haven’t done an audit of your external-facing systems,” he said. As a result, “nobody knows about it.”
‘End of Support’
Microsoft has released all patches for on-premises SharePoint servers to protect against the “ToolShell” attacks, with fixes released for SharePoint Server 2016 and 2019 as well as SharePoint Server Subscription Edition.
In the case of SharePoint Server 2016 and 2019, Microsoft has said the systems will reach “End of Support” in just under a year from now, on July 14, 2026. That means that, at least for customers of those two editions of SharePoint Server, the pressure is already on to move to the cloud — and the risks associated with remaining on-prem will likely only intensify going forward.
“Upon retirement or end of support, there will be no new security updates, non-security updates, free or paid assisted support options or online technical content updates,” Microsoft said in a post listing the “End of Support” schedule.
Meanwhile, two older versions of the systems that previously reached end-of-support — SharePoint Server 2010 and 2013 — are also impacted by the zero-day vulnerabilities, Microsoft noted in its customer guidance advisory.
SharePoint Server 2010 and 2013 “will remain vulnerable with no patch expected and therefore must be isolated or decommissioned,” researchers at cybersecurity vendor Eye Security wrote in a post.
Continued Risk
For SharePoint servers that have already been compromised in the recent wave of attacks, threat actors will seek to continue exploiting the systems for months to come unless they are prevented from doing so, researchers have told CRN.
This is because patching alone is not sufficient to evict the threat actors; rotating the servers' machine keys is another essential step to ensure attackers no longer have access to the systems, the experts said.
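One way to script the key-rotation step described above, as an added example that is not the article's or Microsoft's own script: it assumes a SharePoint Server 2016, 2019 or Subscription Edition farm where the Update-SPMachineKey cmdlet is available, and is run from an elevated SharePoint Management Shell by a farm administrator only after the security update has been applied.

```powershell
# Added example: rotate the ASP.NET machine keys of every SharePoint web
# application after patching, then restart IIS so the new keys take effect.
# Assumes SharePoint Server 2016/2019/Subscription Edition (Update-SPMachineKey
# available) and an elevated SharePoint Management Shell run as farm admin.
# Not the article's or Microsoft's script.

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

# Order matters: rotate only after the patch is installed, otherwise an
# attacker who still has the unpatched entry point can simply steal the new keys.
# Verifying the patch level is left to the operator; this script only rotates.

$rotated = @()
$failed  = @()

# Include Central Administration so its web application gets fresh keys too.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    try {
        Update-SPMachineKey -WebApplication $webApp -ErrorAction Stop
        $rotated += $webApp.Url
    } catch {
        $failed += "$($webApp.Url): $($_.Exception.Message)"
    }
}

Write-Host "Machine keys rotated for $($rotated.Count) web application(s):"
$rotated | ForEach-Object { Write-Host "  $_" }

if ($failed.Count -gt 0) {
    # Any web application whose rotation failed must still be treated as
    # compromised: its old keys remain valid until rotation succeeds.
    Write-Warning "Rotation failed for $($failed.Count) web application(s):"
    $failed | ForEach-Object { Write-Warning "  $_" }
}

# The new keys are only loaded after IIS restarts. This restarts the local
# server; run iisreset on every other server in the farm as well.
iisreset
```

Rotation invalidates existing ASP.NET view state and forms-auth tokens, so expect users to be signed out once IIS restarts.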
“Patches alone won’t keep you secure if actors already got in,” Halcyon’s Kaiser said. “Companies that are affected by this need to have an extra measure of diligence and detection that they [haven’t had] for other types of vulnerabilities.”