This post has been republished via RSS; it originally appeared at: Microsoft Security Blog.
In the latest edition of our Cyberattack Series, we dive into real-world cases targeting retail organizations. With 60% of retail companies reporting operational disruptions from cyberattacks and 43% experiencing security compromises in the past year, the risks for businesses continue to increase.[1] This post unpacks where a single alert led to the discovery of a major persistent cyberthreat, how cyberattackers exploited unpatched SharePoint vulnerabilities and compromised identities to infiltrate networks—and how Microsoft Incident Response, the Detection and Response Team (DART), swiftly stepped in with forensic insights and actionable guidance. Download the full report to learn more about how one small signal exposed a much larger danger, and how you can strengthen your defenses against similar cyberthreats.
What happened?
The cases we’re examining in detail spanned two parts—Reactive 1 and Reactive 2. Reactive 1 began when a retail customer received a Microsoft Defender Experts alert titled “Possible web shell installation.” The investigation revealed a malicious ASPX file on their SharePoint server, linked to vulnerabilities CVE-2025-49706 and CVE-2025-49704. These allowed cyberattackers to spoof identities and inject remote code.
Reactive 2 started with a single compromised identity. Cyberattackers gained persistence by abusing self-service password reset features and mapped the organization’s identity structure using Microsoft Entra ID and Microsoft Graph API. They escalated access using Azure Virtual Desktop and Remote Desktop Protocol (RDP), deployed tools like PsExec and SQL Server Management Studio, and maintained control using Teleport, Azure CLI, and Rsocx proxy. Credential manipulation and directory exploration followed, confirmed by Entra ID risk events. The Detection and Response Team (DART) again provided expert support to contain and analyze the threat.
In both cases, the customer engaged DART quickly, which helped validate the scope of the compromise and assess cyberattacker activity and persistence mechanisms.
Insight: Identity management weakness
Lack of account separation between standard users and privileged users significantly increased the risk of lateral movement. Nine out of 20 accounts had elevated access without proper tiering.
How did Microsoft respond?
DART swiftly addressed the two security incidents by executing a comprehensive set of actions aimed at restoring control, containing cyberthreats, and reinforcing long-term resilience. The team began by reclaiming identity systems—both on-premises and cloud—through Active Directory takeback and Entra ID isolation. It neutralized threat actor access by deprivileging compromised accounts, revoking tokens, and identifying persistence mechanisms like Teleport and multifactor authentication (MFA) device registration. Malicious web shells were detected and removed within hours, showcasing rapid containment capabilities.
To investigate and remediate the incidents, Microsoft deployed proprietary forensic tools across critical infrastructure, enabling root cause analysis and operational recovery. The team also guided the affected organization through security configuration enhancements aligned with Zero Trust principles, including MFA enforcement. Threat intelligence from Defender and Microsoft Sentinel confirmed systemic identity compromise, prompting patching of vulnerable systems and a phased mass password reset with user identity re-attestation. Additionally, reverse engineering of ransomware revealed targeted attacks on ESXi directories, informing further mitigation strategies.
New cyberattacker behavior
The cyberattacker used custom obfuscated web shells that bypassed basic detection, reinforcing the importance of behavioral analytics to detect rapidly evolving tactics.
What can customers do to prepare?
In the case of Reactive 1, we recommended critical security actions to fortify on-premises SharePoint environments and minimize exposure to known vulnerabilities, something we recommend for all customers. Customers can reduce their risk by deploying endpoint detection and response (EDR) across all devices, conducting regular vulnerability scans, and strengthening identity and access controls. Centralized logging and threat intelligence should also be implemented, along with preserving evidence and maintaining a robust incident response plan. Tools to monitor behavioral anomalies, suspicious processes, and malware indicators are increasingly necessary to protect against today’s threat actors.
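The obfuscated web shells described above bypassed content-based detection, but a shell running under SharePoint still executes inside the IIS worker process (w3wp.exe), so the commands it runs appear as child processes of w3wp.exe regardless of how the ASPX source is disguised. The following added example (not code from the original post or from Microsoft) shows that behavioral check over a few constructed process-creation events; the event field names and sample hosts are assumptions.

```python
import json

# Constructed sample process-creation events (not from the incident).
# Fields are assumed: ts, host, parent (spawning image), image, cmd.
SAMPLE_EVENTS = r"""
{"ts": "2025-07-19T10:01:02Z", "host": "SP01", "parent": "C:\\Windows\\System32\\svchost.exe", "image": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "cmd": "w3wp.exe -ap \"SharePoint - 80\""}
{"ts": "2025-07-19T10:03:15Z", "host": "SP01", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\csc.exe", "cmd": "csc.exe /noconfig /fullpaths @tmp.cmdline"}
{"ts": "2025-07-19T10:04:40Z", "host": "SP01", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\cmd.exe", "cmd": "cmd.exe /c whoami"}
{"ts": "2025-07-19T10:05:02Z", "host": "WS22", "parent": "C:\\Windows\\explorer.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe"}
{"ts": "2025-07-19T10:06:11Z", "host": "SP01", "parent": "C:\\Windows\\System32\\inetsrv\\w3wp.exe", "image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "cmd": "powershell.exe -nop -w hidden -enc PLACEHOLDER"}
"""

# IIS worker processes that host SharePoint application pools.
WEB_WORKERS = {"w3wp.exe"}
# Shells and script hosts an IIS worker process has no routine reason to launch.
# csc.exe is deliberately absent: ASP.NET page compilation under w3wp.exe is normal.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "cscript.exe",
                       "wscript.exe", "certutil.exe", "rundll32.exe", "net.exe"}


def basename(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def find_webshell_activity(events):
    """Flag shells or script hosts spawned by an IIS worker process."""
    hits = []
    for e in events:
        if basename(e["parent"]) in WEB_WORKERS and basename(e["image"]) in SUSPICIOUS_CHILDREN:
            hits.append({"ts": e["ts"], "host": e["host"],
                         "child": basename(e["image"]), "cmd": e["cmd"]})
    return hits


if __name__ == "__main__":
    for h in find_webshell_activity(parse_events(SAMPLE_EVENTS)):
        print(f"{h['ts']} {h['host']}: w3wp.exe -> {h['child']}  {h['cmd']}")
```

On the constructed sample, only the cmd.exe and powershell.exe children of w3wp.exe are flagged; the compiler spawn and the user-launched PowerShell on the workstation are not.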
Patching promptly—especially for known exploited vulnerabilities—remains a key defense for customers. Regular security hygiene practices—like enforcing MFA across all accounts, removing inactive credentials, and applying least privileged access principles—can improve defenses in real time as threats change fast.
The increasing speed of cyberattacks
The speed of the attacker was notable. We observed “hands-on keyboard” behavior within moments of compromise, highlighting the importance of real-time detection and response.
Secure your spot
Ready to strengthen your security strategy for the AI era? Register now for Microsoft Secure, on September 30, to explore the latest AI-first solutions. Then, join us at Microsoft Ignite—November 17–21 in San Francisco, CA or online—to deep dive into more innovations, connect with industry experts, experience hands-on labs, and earn certifications.

What is the Cyberattack Series?
With our Cyberattack Series, customers discover how DART investigates unique and notable cyberattacks. For each cyberattack story, we share:
- How the cyberattack happened
- How the security compromise was discovered
- Microsoft’s investigation and eviction of the threat actor
- Strategies to avoid similar cyberattacks
While retail customers were the target of cyberattackers this time, these incidents serve as a stark reminder that proactive patching, identity segmentation, and continuous monitoring are essential security practices to defend against modern cyber threats for all customers. DART is made up of highly skilled investigators, researchers, engineers, and analysts who specialize in handling global security incidents. We’re here for customers with dedicated experts to work with you before, during, and after a cybersecurity incident.
Learn more with Microsoft Security
To learn more about DART capabilities, please visit our website, or reach out to your Microsoft account manager or premier support contact. To learn more about the cybersecurity incidents described above, including more insights and information on how to protect your own organization, download the full report.
To learn more about Microsoft Security solutions, visit our website. Bookmark the Security blog to keep up with our expert coverage on security matters. Also, follow us on LinkedIn (Microsoft Security) and X (@MSFTSecurity) for the latest news and updates on cybersecurity.
[1] Retail Cybersecurity Statistics: Market Data Report 2025
The post Retail at risk: How one alert uncovered a persistent cyberthreat appeared first on Microsoft Security Blog.