www.microsoft.com 6/22/2026, 4:51:00 PM · external

One intrusion, two cyberattackers: Uncovering parallel threat activity

CyberSIXT Evidence Panel Source marked as original reporting
Threat Actor
🇨🇳 Storm-2603

The report from Microsoft's Detection and Response Team (DART) details a complex, multi-stage intrusion involving two threat actors operating in parallel. A ransomware investigation initially revealed that the first actor, known as Storm-2603, had exploited vulnerabilities in on-premises SharePoint servers and used advanced tactics for persistence and control, including legitimate tools such as Velociraptor to covertly map the environment.

Concurrently, a second, unrelated threat actor used techniques such as DLL sideloading, further complicating detection. In response, DART ran a structured incident response, correlating telemetry to identify and limit the threat actors' activities while providing guidance to improve the overall security posture. Key recommendations for organizations include ensuring continuous visibility, monitoring trusted tools, and maintaining a rapid incident response capability.

Article by CyberSIXT