GBHackers

Microsoft Uncovers Parallel Threat Activity From Two Cyberattackers in Single Intrusion


Microsoft’s latest incident write-up shows that a single intrusion can mask two parallel threat activity streams, one tied to Storm-2603 and another to an unknown actor, making the attack far more complex than a conventional ransomware case.

The incident began with activity against on-premises SharePoint servers and an attempt to establish internal footholds through exposed weaknesses, including references to CVE-2025-49706 and CVE-2025-49704, and probing that suggested reconnaissance of local file inclusion paths.

Microsoft also identified a separate initial-access path involving CVE-2025-11371, followed by deeper post-compromise actions that looked designed for persistence, control, and long-term presence inside the network.

What makes this case stand out is the tradecraft mix. The threat actor set up multiple remote-access channels using Velociraptor, Cloudflare tunneling, Zoho Assist, and Visual Studio Code remote SSH access, while also creating privileged accounts and loading a vulnerable driver to weaken endpoint defenses.

In parallel, investigators saw malicious DLL sideloading and custom backdoors that did not fit Storm-2603’s known behavior, pointing to a second operator working in the same environment.

This is an important reminder that ransomware-style intrusions are often only the visible layer of a broader compromise. Microsoft’s DART team concluded that identity, endpoint, and cloud telemetry had to be correlated together to reveal the true scope of the attack, because isolated alerts did not show the full picture.

According to Microsoft, the investigation revealed a multi-stage intrusion that blended known ransomware tactics with quieter, more deliberate techniques designed to establish deep and lasting access.


The operational risk is significant because parallel adversaries can split defensive attention, create false attribution, and accelerate dwell time.

The report also shows how living-off-the-land techniques, trusted admin tools, and remote management software can be used to blend into normal enterprise activity while attackers expand access.

Microsoft’s recommended response is straightforward: patch exposed systems quickly, especially internet-facing platforms such as SharePoint, and treat privileged identity as a primary attack surface.

The company also emphasizes broad endpoint protection, centralized telemetry retention, and active monitoring of tunneling tools, remote access software, and developer utilities that are increasingly abused for persistence and lateral movement.

The most practical lesson is that incident response must be built for overlap, not simplicity. When multiple attackers share an environment, security teams need continuous visibility, strong identity controls, and tested containment playbooks that can isolate compromised accounts, devices, and access paths without delay.

This incident fits a broader pattern in Microsoft’s cyber reporting: attackers are increasingly combining legitimate tools, stealthy persistence, and kernel-level defense evasion to stay inside environments longer.

It also reinforces why defenders should watch for unusual combinations of remote admin tooling, unsigned binaries, and privilege escalation activity, even when no single alert looks severe on its own.
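As an added example that is not part of this article or of Microsoft's report, the following Python correlator illustrates the point above: it classifies individual low-severity telemetry events (remote-access or tunneling tool launches, unsigned driver loads, new members of the Administrators group) per host and flags only hosts where two or more distinct categories co-occur inside a 24-hour window. The tool names, event schema and sample events are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Binaries treated as remote-access/tunneling tooling. These names are assumptions
# for this example; replace them with your own inventory of remote-management software.
REMOTE_ACCESS_TOOLS = {"velociraptor.exe", "cloudflared.exe", "zohoassist.exe"}
WINDOW = timedelta(hours=24)
MIN_CATEGORIES = 2  # two distinct weak signals on one host is enough to escalate

def classify(event):
    """Map one telemetry event to a weak-signal category, or None if uninteresting."""
    kind = event["kind"]
    if kind == "process_start" and event["image"].lower() in REMOTE_ACCESS_TOOLS:
        return "remote_access_tool"
    if kind == "image_load" and event["path"].lower().endswith(".sys") and not event["signed"]:
        return "unsigned_driver"
    if kind == "group_member_added" and event["group"] == "Administrators":
        return "privileged_account"
    return None

def correlate(events, window=WINDOW, min_categories=MIN_CATEGORIES):
    """Return {host: sorted categories} for hosts with >= min_categories signals in a window."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        cat = classify(ev)
        if cat:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), cat))
    findings = {}
    for host, sigs in per_host.items():
        for i, (start, _) in enumerate(sigs):
            # Events are time-ordered, so sigs[i:] holds everything at or after `start`.
            cats = {c for t, c in sigs[i:] if t - start <= window}
            if len(cats) >= min_categories:
                findings[host] = sorted(cats)
                break
    return findings

# Constructed sample telemetry (not data from the report). SP-WEB01 shows three
# different weak signals; DEV-WS07 shows a single tool launch and is not flagged.
SAMPLE_EVENTS = [
    {"ts": "2025-07-20T09:10:00", "host": "SP-WEB01", "kind": "process_start", "image": "cloudflared.exe"},
    {"ts": "2025-07-20T09:42:00", "host": "SP-WEB01", "kind": "group_member_added", "group": "Administrators", "member": "svc_maint"},
    {"ts": "2025-07-21T03:05:00", "host": "SP-WEB01", "kind": "image_load", "path": "C:\\Windows\\Temp\\drv.sys", "signed": False},
    {"ts": "2025-07-20T11:00:00", "host": "DEV-WS07", "kind": "process_start", "image": "velociraptor.exe"},
    {"ts": "2025-07-20T12:30:00", "host": "FS02", "kind": "group_member_added", "group": "Remote Desktop Users", "member": "jdoe"},
]

if __name__ == "__main__":
    for host, cats in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: escalate, co-occurring signals = {cats}")
```

Treating each category as its own alert would have produced three unrelated low-priority tickets for SP-WEB01; the per-host grouping is what turns them into one finding.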

The full report is part of Microsoft’s Cyberattack Series and can be used as a reference point for teams reviewing exposure on SharePoint, identity hygiene, and endpoint telemetry depth.
