SharePoint Security Best Practices - Protect Your On-Prem Servers from Ransomware

A recent zero-day attack by Chinese state-affiliated groups highlights the need to fortify your on-premises Microsoft SharePoint environments. Unlike the cloud-based SharePoint Online software platform, in which Microsoft applies constant enterprise-grade cybersecurity, on-premises SharePoint servers rely on IT managers to patch, monitor, maintain, upgrade, and troubleshoot themselves. Let’s examine the 'Typhoon' attack by examining the timeline, how Microsoft responded, and what steps organizations should take to protect their on-premises SharePoint servers from these kinds of threats.

Zero-Day Attack

Back in July 2025, a major cyberattack hit on-prem Microsoft SharePoint setups, taking advantage of two zero-day vulnerabilities. The culprits, state-backed groups from China, used the flaws to break into hundreds of organizations around the world. Once inside, they took control of SharePoint servers, planted web shells, and stole cryptographic keys to keep access open. In at least one case, things escalated to a ransomware attack. Microsoft jumped in with emergency patches and, together with CISA, issued urgent warnings that any unpatched systems were still at serious risk.

Attack Timeline

• Early July 2025: Reconnaissance and Initial Exploits. Chinese state-affiliated groups began scanning for SharePoint weaknesses and even attempted to exploit earlier vulnerabilities.
• July 18-19, 2025: New Zero‑Days Unleashed. A surge of attacks identified two new SharePoint zero-day flaws. Unauthenticated attackers used these to gain control of on-prem SharePoint servers, dropping web shells and stealing data (including SharePoint machine keys) from numerous organizations.
• July 20, 2025: Emergency Alerts Issued. Seeing how serious the threat was, CISA (the U.S. Cybersecurity and Infrastructure Security Agency) put out a rare weekend alert. They flagged the SharePoint vulnerabilities in their Known Exploited Vulnerabilities catalog and urged system owners to act fast before things got worse.
• July 21, 2025: Microsoft Releases Patches. Microsoft’s engineers moved fast to tackle the new SharePoint vulnerabilities. By Monday, July 21, they had emergency patches ready for all supported versions: 2016, 2019, and the Subscription Edition. Organizations were strongly urged to install the updates right away to avoid getting caught in the crossfire.
• July 22, 2025: Threat Intelligence Update Microsoft Threat Intelligence published a detailed blog on the ongoing exploits. They confirmed multiple China-linked actors (Linen Typhoon, Violet Typhoon) and others were actively attacking unpatched servers. One group (Storm-2603) even used the exploits to deploy Warlock ransomware in victim environments. Microsoft warned that “threat actors will continue to integrate [these exploits] into their attacks against unpatched on-premises SharePoint systems.”

Lessons Learned

The quick timeline above shows how swiftly the situation unfolded – and how critical prompt response was. These SharePoint flaws breached Dozens of organizations within a matter of days. The fact that nation-state actors and cybercriminal groups jumped on the exploit highlights a broad, opportunistic threat. Organizations that patched immediately on July 21 effectively shut down the attack vector, while those that lagged remained at risk. Unlike Microsoft’s cloud-based SharePoint Online, On-premises SharePoint servers rely on administrators to secure and update them. The July 2025 attack spree highlights that defensive best practices are essential to protect on-prem SharePoint. Below we outline practical steps IT administrators should take; drawn from Microsoft’s guidance during the incident to harden SharePoint environments against such exploits.

Best Practices for Securing On-Premises SharePoint

To safeguard on-premises SharePoint, administrators should adopt a multi-faceted approach that addresses software vulnerabilities, configuration hardening, and active monitoring to safeguard on-premises SharePoint. Below are the key steps and best practices to protect your SharePoint environment:

Keep SharePoint Updated (Use Supported Versions and Patch Promptly)

To keep on-prem SharePoint environments safe, it’s crucial to stick with the most recent supported versions like 2016, 2019, or the Subscription Edition; and install security patches as soon as they’re released. Microsoft confirmed that the July 2025 updates fix the recent zero-day flaws, but a lot of systems were still hit because patches weren’t applied quickly enough. Older versions like SharePoint 2010 and 2013 are well past their end of service date and didn’t get updates and are still wide open to attacks. Since hackers tend to go after unpatched servers fast, staying up to date is your best defense. If patching right away isn’t possible due to internal processes, temporarily disconnecting the server from the internet can help reduce the risk. SharePoint Online wasn’t affected, since Microsoft handles updates automatically in the cloud.

Official Sharepoint Updates page https://learn.microsoft.com/en-us/officeupdates/sharepoint-updates

Enable AMSI and Antivirus on SharePoint Servers

One of the simplest ways to strengthen your SharePoint server’s security is by enabling AMSI (Antimalware Scan Interface) and ensuring antivirus protection is active. AMSI detects malicious scripts before they cause harm, while antivirus software provides an extra layer of security by scanning for known threats. It’s a straightforward step that can have a significant impact, especially as attackers constantly seek vulnerabilities in unpatched or poorly protected systems. If you’re running SharePoint on-premises, this should be part of your basic security checklist.

Read more on AMSI https://www.microsoft.com/en-us/security/blog/2025/04/09/stopping-attacks-against-on-premises-exchange-server-and-sharepoint-server-with-amsi/

Use EDR Solutions and Monitor for Intrusions

Even with antivirus in place, monitoring SharePoint servers for compromise is essential. Microsoft recommends using Endpoint Detection and Response (EDR) tools like Defender for Endpoint to detect post-exploitation activity that antivirus software may miss, such as privilege escalation, persistence mechanisms, or web shell uploads like spinstall0.aspx. Admins should regularly inspect logs and file systems for anomalies, including unexpected files or unusual account behavior. Effective monitoring can enable early detection and containment, preventing attackers from escalating to data theft or ransomware.

More on EDR https://www.microsoft.com/en-us/security/business/security-101/what-is-edr-endpoint-detection-response

Rotate Machine Keys

After patching systems and removing malware, organizations must invalidate any stolen credentials, particularly the ASP.NET MachineKeys used by SharePoint for authentication and encryption. Even after the vulnerabilities are patched, attackers who got hold of machine keys can still sneak back in by forging tokens. That’s why Microsoft pushed for everyone to rotate those keys, either through PowerShell or Central Admin, and then do an IIS reset on all servers. It might sound like a hassle, but it’s a crucial step to shut down any lingering backdoors and make sure stolen keys can’t be used again.

While addressing keys, also review administrative accounts and credentials:

• If any SharePoint admin passwords or service account credentials might have been compromised during the incident, change them.
• Ensure service accounts follow the principle of least privilege.
• Consider enabling multi-factor authentication for remote admin access if feasible.

Harden Access Post-Patch

Finally, take this opportunity to implement other security hardening measures in your SharePoint environment. For example, ensure regular backups of SharePoint content and configurations are in place (and stored offline) so you can recover in case of destructive actions like ransomware. Also, evaluate network segmentation (can your SharePoint server communicate freely with domain controllers or the Internet, or is it restricted?) because limiting a breach to one server can prevent network-wide fallout.

Conclusion

Operating SharePoint on-premises offers control but places full responsibility for security on the organization. The July 2025 zero-day vulnerabilities revealed how quickly attackers can exploit unpatched systems, leading to severe consequences like data theft and ransomware. To defend against such threats, IT teams must follow best practices, keeping systems updated, enabling AMSI and antivirus protections, monitoring activity closely, and securing keys and credentials. These steps, endorsed by Microsoft’s security teams, have effectively mitigated recent attacks.

Ultimately, proactive and vigilant security is essential. Threat actors are scanning SharePoint environments for weaknesses, and more will follow. While on-premises SharePoint can be secured, it demands timely action and layered defenses. Investing in these measures is critical to safeguarding collaboration platforms and sensitive data because, as this incident demonstrated, the cost of complacency can be far greater.

In summary, securing SharePoint is an ongoing process:

• Keep the platform updated and supported.
• Configure built-in security features (like AMSI and access controls) to their fullest.
• Add layers of defense such as endpoint protection, network segmentation, and strict monitoring.
• Be ready to respond to threats at a moment’s notice.

By sticking to these best practices, you’re giving your SharePoint sites a much better shot at staying secure and online. The recent zero-day mess showed just how costly it can be to let things slide. A solid, proactive defense really is your best bet. So stay sharp, keep your systems updated, and don’t give attackers an easy way in.

References