PUBLISHED ON
Dairy Lines Stopped While SharePoint Still Faces the Open Net
On prem SharePoint still takes the hit while Patch Tuesday sets a volume record.
WEEKLY OPENING
This week the enterprise perimeter did not so much fail as file a polite status report that nobody wanted to sign. On premises SharePoint stayed under active exploitation while Microsoft dropped a record scale July Patch Tuesday, and federal hardening guidance turned into a deadline problem for anyone still treating collaboration stacks as “internal enough.” Credential led breaches and short cycle ransomware sat beside supply chain hits on npm and AI adjacent tooling that keeps expanding the attack surface sideways. Microsoft’s July release landed with roughly 569 to 570 vulnerabilities and multiple exploited zero days, forcing defenders to triage SharePoint, BitLocker, Exchange, Hyper V, Active Directory Federation Services, and core Windows components under tight remediation clocks. While teams were still sorting hotfix queues, Coca Cola’s Fairlife dairy business temporarily halted U.S. production after a ransomware incident hit manufacturing systems, a reminder that cyber risk now shows up as empty shelves and paused production lines, not only as ticket queues. A newly documented Spirals ransomware intrusion completed end to end compromise, data theft, and encryption within roughly a day, killing dozens of backup and database services before detonation, proving that speed and backup targeting are now core tradecraft rather than optional flourishes. Policy and strategy work from CISA and lawmakers continues to stress critical infrastructure resilience and emerging AI enabled threats, framing these incidents as part of a sustained elevated pressure baseline rather than a one week spike. If your mental model still assumes “patch when the change board is free,” the week filed a dissenting opinion in public.
EXECUTIVE TAKE
Leadership should treat this week as a prioritization crisis, not a novelty crisis. Microsoft’s July 2026 Patch Tuesday release patched on the order of 569 to 570 CVEs across Windows, SharePoint, Exchange, Hyper V, Active Directory Certificate Services, Active Directory Federation Services, and related products, including exploited vulnerabilities CVE-2026-56155 and CVE-2026-56164 that CISA added to the Known Exploited Vulnerabilities catalog. That combination turns timely patching into a board level risk decision rather than a routine IT chore. CVE-2026-56164 is a SharePoint flaw tied to missing authentication for a critical function and is actively exploited; consulted guidance urges rapid remediation plus interim controls such as AMSI request body scanning in Full mode. CVE-2026-56155 is an Active Directory Federation Services elevation of privilege zero day also under active exploitation, with federal style remediation clocks attached. Shadowserver linked exposure tracking cited nearly 10,000 internet exposed SharePoint servers, with hundreds still unpatched against earlier SharePoint KEVs in the same campaign family. That pattern concentrates business risk in identity, collaboration, and any subsidiary or OT adjacent production environment still reachable from commodity ransomware tradecraft.
A second set of board level exposures arrived in parallel. The ransomware incident at Coca Cola’s Fairlife dairy forced a temporary suspension of U.S. production after attackers accessed production systems, illustrating how operational technology and manufacturing environments remain vulnerable to IT centric ransomware campaigns, with business disruption and supply chain impacts emerging long before full forensic clarity. Attribution and data theft status remained unconfirmed in public filings, but product quality and safety were stated as unaffected while operations were not. Combined with the Spirals intrusion that completed compromise, double extortion, and encryption in under 24 hours, executives should assume that once an attacker lands, business impacting events can unfold faster than most organizations’ current detection and response cycles. Large personal data breaches driven by compromised credentials, including AssuranceAmerica reporting affecting roughly 7 million people with driver’s license and claims data, and ShinyHunters linked extortion reporting around Moody Bible Institute citing exposure affecting more than 2.3 million individuals, add privacy and regulatory pressure on top of operational risk. Latvijas Valsts Meži suffered ransomware after multi year unpatched exposure, with a large internal document leak reported, a textbook unpatched system outcome outside U.S. borders.
Strategic reporting shows ransomware volume holding at an elevated “new normal” rather than declining, with GuidePoint style Q1 2026 victim numbers and active groups roughly flat quarter over quarter and year over year compared with late 2025 spikes. Supply chain pressure rose via Injective Labs malicious npm packages and AsyncAPI package infections delivering credential and crypto theft payloads. JadePuffer research described LLM assisted autonomous ransomware behavior chaining exposed Langflow into database wipe and extortion workflows. China linked UAT-7810 activity expanded ORB style relay infrastructure with LONGLEASH components on compromised network devices. Russian tracked UAT-11795 trojanized WebEx and Zoom installers to deploy Starland RAT for credential and crypto theft. Emerging ransomware brands Spirals and GodDamn illustrated speed and BYOVD style EDR blinding emphases rather than a single monopolistic cartel narrative. Parallel initiatives such as CISA’s strategic plan, critical infrastructure resilience programs including CI Fortify, and proposed legislation such as the Combat Emerging Threats to Critical Infrastructure Act of 2026 to refresh sector specific cybersecurity plans for AI enabled threats, deepfakes, robotics, and quantum risks further confirm that governments expect persistent, sophisticated pressure on essential services. The operational message is consistent: patch velocity on internet facing Microsoft and edge software, credential hygiene, backup isolation, and production continuity planning now outrank net new tool purchases.
KEY FINDINGS
Microsoft July 2026 Patch Tuesday fixed on the order of 569 to 570 CVEs, including dozens of critical vulnerabilities and multiple exploited zero days (CVE-2026-56155, CVE-2026-56164), making Microsoft ecosystems the dominant technical focus for defenders this week.
CVE-2026-56164 (SharePoint) is caused by missing authentication for a critical function, is actively exploited against internet exposed on prem SharePoint Server, sits in the KEV catalog, and carries guidance for rapid patching plus AMSI based inspection as an interim control.
CVE-2026-56155 (Active Directory Federation Services elevation of privilege) is also actively exploited, appears alongside the SharePoint zero day in Microsoft and government advisories, and carries mandated style patch deadlines for federal and adjacent environments.
Related SharePoint pressure includes CVE-2026-32201, CVE-2026-45659, and critical SharePoint remote code execution CVE-2026-58644 fixed in July updates, with earlier KEV entries still relevant to unpatched estates.
Shadowserver linked reporting cited nearly 10,000 internet exposed SharePoint servers, with hundreds still unpatched against earlier SharePoint KEVs in the same campaign family.
CVE-2026-50661 is a publicly disclosed Windows BitLocker security feature bypass offering a physical access path to encrypted data, narrower than mass RCE but relevant for device loss and insider path scenarios.
CVE-2026-57092 is a critical elevation of privilege in Microsoft Windows VMSwitch (CVSS 9.9 class severity in vendor coverage) requiring priority patching in virtualized environments.
CVE-2026-55008 is a critical spoofing issue in Microsoft Exchange Server due to cross site scripting, rated more likely to be exploited and relevant to email infrastructure.
CVE-2026-55040 is a critical security feature bypass in SharePoint due to weak authentication, reinforcing SharePoint as a high risk collaboration surface.
Broader KEV and edge pressure this week also includes CVE-2026-48282 (Adobe ColdFusion path issues), CVE-2026-55255 (Langflow authorization bypass relevant to exposed AI workflow stacks), CVE-2026-53359 “Januscape” (Linux KVM shadow MMU use after free guest to host escape research), CVE-2026-43499 “GhostLock” (long lived Linux privilege escalation and container escape class), and CVE-2026-11405 (Tenda firmware hidden admin backdoor password class exposure across multiple consumer and SOHO models).
Coca Cola / Fairlife ransomware forced a temporary halt to U.S. dairy production after attackers accessed production systems, highlighting ransomware’s direct impact on food and manufacturing supply chains even when product safety is not compromised; attribution and data theft status remained unconfirmed in public filings.
Spirals ransomware completed intrusion, data theft, and encryption in less than 24 hours via IIS web server compromise, an ASP.NET web shell, tunneling tools (chisel, revsocks, cloudflared), Defender definition tampering via MpCmdRun.exe, PsExec fan out, deliberate stopping of 23 backup and database services, and domain wide distribution via SYSVOL, using a Rust based payload with AES-128 per file keys wrapped via attacker controlled ECDH P-256 and intermittent encryption for large files.
GodDamn ransomware reporting emphasized BYOVD style EDR blinding, raising the cost of delayed containment alongside Spirals’ speed narrative.
AssuranceAmerica reported a credential driven breach affecting roughly 7 million people, including driver’s license and claims data.
ShinyHunters linked extortion reporting around Moody Bible Institute cited exposure affecting more than 2.3 million individuals.
Latvijas Valsts Meži suffered ransomware after multi year unpatched exposure, with a large internal document leak reported.
Supply chain pressure rose via Injective Labs malicious npm packages and AsyncAPI package infections delivering credential and crypto theft payloads.
JadePuffer research described LLM assisted autonomous ransomware behavior chaining exposed Langflow into database wipe and extortion workflows.
China linked UAT-7810 expanded ORB style relay infrastructure with LONGLEASH components on compromised network devices.
Russian tracked UAT-11795 trojanized WebEx and Zoom installers to deploy Starland RAT for credential and crypto theft.
Iran linked Cavern Manticore tradecraft against Israeli government and IT targets used modular .NET C2 and abused remote management and update paths.
Ransomware baseline remains steady at an elevated level per GuidePoint style Q1 2026 data, implying a durable business as usual for attackers rather than a temporary spike.
CISA and partners continue emphasizing critical infrastructure resilience via initiatives like CI Fortify (proactive isolation and recovery planning) and emerging legislation that would require updates to sector specific cybersecurity plans across all 16 U.S. critical infrastructure sectors for AI enabled threats, deepfakes, robotics, and quantum risks.
Detection guidance from vendor and CERT style reporting includes Snort rule sets tied to July Patch Tuesday vulnerabilities and specific recommendations for SharePoint AMSI tuning, BitLocker physical access controls, web server exposure auditing, hunting before IIS machine key rotation, reverse proxy exposure control, and Central Administration lockdown.
Parallel vendor pressure beyond Microsoft included BeyondTrust remote access authentication bypasses, Cisco ISE issues, Ubiquiti max severity command injection, Gitea authentication bypass under exploitation reporting, and continued KEV churn around ColdFusion, Langflow, and Joomla builders.
WEEKLY THREAT NARRATIVE
SharePoint Remains the Week’s Gravity Well
Reporting from CISA and Microsoft centered coverage made clear that on premises SharePoint is still a preferred gateway when organizations leave collaboration stacks internet facing. Active exploitation of CVE-2026-32201, CVE-2026-45659, and CVE-2026-56164 aligned with post exploitation themes that matter operationally: authentication bypass, privilege elevation, remote code execution, IIS machine key theft, and persistence for follow on malware. CVE-2026-58644 critical SharePoint remote code execution fixed in July updates was flagged as attractive even where wild exploitation was not yet confirmed in every note. CISA’s hardening package patch verification, AMSI in Full Mode where feasible, hunting before key rotation, reverse proxy exposure control, and Central Administration lockdown reads less like optional hygiene and more like the minimum viable survival kit for farms that cannot immediately disconnect. Nearly 10,000 internet exposed SharePoint servers in exposure tracking, with hundreds still unpatched against earlier KEVs, means the gravity well is not theoretical. If you still treat internet facing collaboration stacks as internal enough, the evidence this week disagrees politely and firmly.
Patch Tuesday Volume Meets Zero Day Reality
Microsoft’s July 2026 release is easy to misread as pure volume theater. Roughly 569 to 570 fixes, dozens of critical RCEs, and identity adjacent zero days in AD FS (CVE-2026-56155) and SharePoint (CVE-2026-56164) mean backlog math will punish slow change windows. Technical coverage highlights critical issues across Windows Secure Kernel, WSUS, Hyper V, VMSwitch (CVE-2026-57092), Exchange (CVE-2026-55008), SharePoint (CVE-2026-55040 and related), and a publicly disclosed BitLocker bypass (CVE-2026-50661) that adds a physical access and endpoint theft angle. Guidance stresses interim measures such as AMSI request body scanning for SharePoint to buy defenders time while patches roll through complex enterprises. Parallel vendor pressure BeyondTrust remote access authentication bypasses, Cisco ISE issues, Ubiquiti max severity command injection, Gitea authentication bypass under exploitation reporting, and continued KEV churn around ColdFusion (CVE-2026-48282), Langflow (CVE-2026-55255), and Joomla builders shows the week was not a single vendor problem. Kernel and container research items such as CVE-2026-53359 (Januscape) and CVE-2026-43499 (GhostLock) plus Tenda firmware backdoor class exposure (CVE-2026-11405) expand the patch surface into cloud multi tenant and SOHO edge estates.
Ransomware Targets Food, Manufacturing, and Recovery Architecture
The Fairlife incident shows how ransomware has moved from abstract IT risk to concrete business disruption, with production suspended at U.S. facilities while Coca Cola investigates and restores systems. Public statements emphasize that product quality and safety were unaffected, but operational downtime, supply chain impacts, and potential data privacy questions remain active concerns for stakeholders. Attribution and data theft status stayed incomplete in public filings, which is cold comfort when the production line is already stopped. This case aligns with broader reporting that ransomware activity has stabilized at a higher baseline, suggesting attacks against manufacturing and food sectors are part of a sustained trend rather than occasional shocks. Latvijas Valsts Meži adds an international unpatched exposure plus document leak example. Critical infrastructure initiatives from CISA and related guidance further underscore that operational environments must plan for isolation, manual fallback, and recovery under active adversary pressure.
Ransomware Tradecraft: Speed, Backups, and EDR Interference
The Spirals ransomware intrusion is a case study in modern tradecraft. Attackers quickly exploited an internet facing IIS web server, deployed an ASP.NET web shell, and used legitimate tunneling tools such as chisel, revsocks, and cloudflared to pivot and hide activity. They tampered with Defender definitions via MpCmdRun.exe (RemoveDefinitions style use), used PsExec to fan out across hosts, and disabled or stopped 23 backup and database services before launching encryption. Domain wide distribution via SYSVOL showed abuse of built in enterprise distribution rather than noisy custom tooling alone. The campaign used a Rust based ransomware payload with AES-128 per file keys wrapped via an attacker controlled ECDH P-256 public key, combined with intermittent encryption for large files to optimize both speed and impact. A ransom note on the C:\ drive and Tor based negotiation portal support classic double extortion. GodDamn style BYOVD EDR blinding reporting raises the same theme from another angle: impair defenses early, then encrypt before the change board meets. If your backups live on the same domain as production, they die with everything else.
Credentials, Extortion Publishing, and Developer Supply Chains
Breach and extortion reporting concentrated on familiar failure modes executed at scale. AssuranceAmerica’s credential driven breach affecting roughly 7 million people, including driver’s license and claims data, and ShinyHunters linked extortion reporting around Moody Bible Institute affecting more than 2.3 million individuals underline credential abuse and bulk PII exposure. On the criminal tooling side, short intrusion to encrypt cycles and BYOVD style EDR interference raise the cost of delayed containment. Separately, npm and SDK compromises (Injective Labs malicious packages, AsyncAPI infections) plus trojanized collaboration clients (UAT-11795 WebEx and Zoom installers delivering Starland RAT) show attackers still prefer trusted update and install paths when developer and help desk trust can be borrowed. Social engineering and vishing adjacent Microsoft 365 and Teams support impersonation themes continued in adjacent reporting, reinforcing identity as the reusable pivot after the first foothold.
Actor Infrastructure and Proxy Utility
ShinyHunters appeared in extortion linked breach publication reporting. China linked UAT-7810 activity centered on ORB relay expansion and LONGLEASH malware on compromised networking gear, a pattern that blurs direct victim impact with downstream proxy utility for other operators. Financially motivated Russian tracked UAT-11795 used trojanized WebEx and Zoom to deliver Starland. Emerging ransomware brands Spirals and GodDamn illustrated speed and EDR evasion emphases rather than a single monopolistic cartel narrative. Research also profiled Iran linked Cavern Manticore tradecraft against Israeli government and IT targets using modular .NET C2 and abused remote management and update paths. Infrastructure themes repeatedly featured exposed edge devices, unpatched CMS and app platforms, developer package registries, and collaboration remote access as cheap durable staging layers.
AI Tooling Leaves the Lab and Enters Operator Workflows
Research and incident notes this week treated AI less as a marketing theme and more as executable infrastructure. JadePuffer’s Langflow to extortion narrative (tied to KEV class CVE-2026-55255 authorization bypass on exposed stacks), Gemini CLI abuse as an operator aid, coding agent prompt injection class risks, and browser extension and agent permission flaws all point to the same defender problem: autonomous or semi autonomous tools inherit the privileges of the environments they touch. That does not prove a single coordinated campaign. It does show reporting concentration around agentic misuse and AI adjacent vulnerability classes that security architecture teams can no longer schedule for next quarter.
Policy and Strategy: Critical Infrastructure and AI Amplified Risk
Beyond technical incidents, governments and agencies are preparing for AI amplified threats and persistent cyber pressure on critical infrastructure. CISA’s FY2024 to 2026 strategic plan and related challenge analyses highlight resource constraints, nation state aggressors, and regulatory balancing as core themes, pushing for more collaborative defenses and risk informed prioritization. Legislation such as the proposed Combat Emerging Threats to Critical Infrastructure Act of 2026 would require updates and recurring reviews of sector specific cybersecurity plans across all 16 U.S. critical infrastructure sectors, explicitly accounting for AI supply chain exposure, deepfakes, robotics, and quantum threats to cryptography. These policy moves align with operational guidance like CI Fortify, which focuses on proactive isolation, backup readiness, and the ability to sustain essential services even during major cyber incidents. Food, manufacturing, and IT services should treat this as a planning signal, not a distant regulatory novelty.
NOTABLE TECHNICAL SIGNALS
Top CVEs
CVE-2026-56164 — Microsoft SharePoint Server elevation of privilege / missing authentication for a critical function; actively exploited; KEV listed; Microsoft and CISA emphasize AMSI Full Mode mitigations alongside patching; elevated priority despite any moderate vendor base ratings because of live exploitation evidence.
CVE-2026-56155 — Active Directory Federation Services elevation of privilege; actively exploited zero day; Microsoft DART discovery context in consulted coverage; federal style remediation deadlines attached.
CVE-2026-32201 / CVE-2026-45659 — SharePoint flaws in the same active exploitation set against internet exposed on prem farms; earlier KEV entries still relevant to unpatched estates.
CVE-2026-58644 — Critical SharePoint remote code execution fixed in July updates; flagged as attractive even where wild exploitation was not yet confirmed in every CISA note.
CVE-2026-55040 — Critical security feature bypass in SharePoint due to weak authentication; rated more likely to be exploited; reinforces SharePoint as a high risk collaboration surface.
CVE-2026-57092 — Critical elevation of privilege in Microsoft Windows VMSwitch; CVSS 9.9 class severity; strong exploitation likelihood in vendor coverage; priority in virtualized environments.
CVE-2026-55008 — Critical spoofing vulnerability in Microsoft Exchange Server due to cross site scripting; rated more likely to be exploited; relevant to email infrastructure.
CVE-2026-50661 — Windows BitLocker security feature bypass; publicly disclosed; physical access path to encrypted data; relevant for device loss and insider path scenarios.
CVE-2026-48282 — Adobe ColdFusion path issues tied to KEV / exploitation reporting in the broader early July cluster still driving patch pressure this week.
CVE-2026-55255 — Langflow authorization bypass on KEV; relevant to JadePuffer style exposed AI workflow stacks.
CVE-2026-53359 (“Januscape”) — Linux KVM shadow MMU use after free enabling guest to host escape research on Intel and AMD; cloud multi tenant relevance; not confirmed as mass wild use in the sampled reporting.
CVE-2026-43499 (“GhostLock”) — Long lived Linux privilege escalation / container escape class with public exploit discussion; patch urgency for kernel estates.
CVE-2026-11405 — Tenda firmware hidden admin backdoor password class exposure across multiple consumer and SOHO models.
Attack Vectors This Week
Exploit driven access against internet facing SharePoint and other edge and application stacks dominated authoritative government and vendor guidance, with multiple exploited CVEs highlighted in Patch Tuesday and KEV updates. Credential theft and abuse powered large breach disclosures (AssuranceAmerica scale PII, ShinyHunters linked extortion publishing). Ransomware remained a primary impact mechanism, including production disruption at Fairlife, fast encrypt cycles at Spirals (sub 24 hour), Latvia forestry disruption, and BYOVD style EDR interference in GodDamn class reporting. Supply chain and trojanized installer paths hit developers and end users through malicious npm packages (Injective Labs, AsyncAPI) and fake or modified collaboration clients (WebEx and Zoom delivering Starland RAT). Social engineering and vishing adjacent Microsoft 365 and Teams support impersonation themes continued in adjacent reporting, reinforcing identity as the reusable pivot after the first foothold. Misconfiguration and long lived unpatched exposure (multi year unpatched Latvia case; thousands of internet exposed SharePoint servers) converted reachability into business disruption. Overall, the week reinforces that exposed services, unpatched enterprise software, insufficient segmentation between IT, OT, and backups, and borrowed trust in developer and help desk channels remain primary paths from internet reachability to operational and privacy impact.
Actor and Infrastructure Patterns
Spirals preferred living off the land and legitimate tooling: IIS web shells, chisel, revsocks, cloudflared, MpCmdRun.exe defense impairment, PsExec lateral movement, SYSVOL domain wide deployment, and deliberate stopping of backup and database services before Rust based encryption with AES-128 and ECDH P-256 key wrap. GodDamn reporting emphasized BYOVD style driver based EDR interference. ShinyHunters appeared in extortion linked breach publication reporting. China linked UAT-7810 centered on ORB relay expansion and LONGLEASH on compromised networking gear, blurring direct victim impact with downstream proxy utility. Russian tracked UAT-11795 used trojanized WebEx and Zoom to deliver Starland RAT for credential and crypto theft. Iran linked Cavern Manticore used modular .NET C2 and abused remote management and update paths against Israeli government and IT targets. Ransomware activity overall remains steady at an elevated baseline, with multiple groups operating in parallel rather than any single actor dominating. Infrastructure targets increasingly include manufacturing and food supply chains (Fairlife), forestry and government adjacent estates (Latvia), education and membership data (Moody Bible Institute reporting), insurance and claims data (AssuranceAmerica), developer ecosystems (npm), and traditional IT services. Exposed edge devices, unpatched CMS and app platforms, developer package registries, and collaboration remote access remain cheap durable staging layers.
MITRE ATT&CK Themes
T1190 Exploit Public Facing Application — Spirals IIS compromise; SharePoint, Langflow, ColdFusion, Gitea, and edge appliance exploitation reporting.
T1078 Valid Accounts — AssuranceAmerica style credential access and identity pivot patterns.
T1133 External Remote Services — VPNs, web services, remote support and PRA, and collaboration remote access abuse themes; exploited SharePoint and IIS environments.
T1566 Phishing — Support impersonation and employment lure campaigns in weekly research notes.
T1195 Supply Chain Compromise — Malicious npm and SDK releases; trojanized WebEx and Zoom installers.
T1068 Exploitation for Privilege Escalation — AD FS and SharePoint EoP zero days; kernel and container escape research (Januscape, GhostLock).
T1562 Impair Defenses — Spirals Defender command line tooling (MpCmdRun.exe RemoveDefinitions) and disabled backup services.
T1562.001 Impair Defenses: Disable or Modify Tools — BYOVD / driver based EDR interference in GodDamn class reporting.
T1021 Remote Services — Post exploitation movement via legitimate remote management tooling and PsExec.
T1021 / Windows Admin Shares patterns — PsExec based lateral movement across dozens of hosts.
T1486 Data Encrypted for Impact — Fairlife, Spirals (Rust AES-128 / ECDH P-256), Latvia forestry, and broader ransomware volume.
T1041 Exfiltration / T1565 Data Manipulation — Double extortion with stolen data threatened for leak and manipulation of service states.
T1003 / T1552 OS Credential Dumping / Unsecured Credentials — Stealer frameworks, machine key theft, wallet seed theft.
T1090 Proxy — ORB / LONGLEASH relay expansion on compromised devices (UAT-7810).
T1059 Command and Scripting Interpreter — Loaders, Node based droppers, and agentic CLI abuse notes.
T1505.003 Server Software Component: Web Shell — ASP.NET web shell on IIS in Spirals; SharePoint ASPX drop patterns in hunt guidance.
Threat Detection
YARA Rule Pseudocode — Rust Based Spirals Ransomware
This pseudocode focuses on Rust ransomware traits combined with ransom note naming and Tor negotiation hints described in Spirals reporting.
YARA Rule Pseudocode — SharePoint Webshell / Suspicious ASPX Drop
SIGMA Rule Pseudocode — Defender and Backup Tampering (Spirals Pattern)
This pattern captures defense impairment and backup service stopping behaviors observed in the Spirals intrusion, while keeping service name examples generic for adaptation.
SIGMA Rule Pseudocode — SharePoint Exploitation Post Access Behaviors
SIEM Query Pseudocode — SharePoint Exploit Hunt (CVE-2026-56164 / CVE-2026-55040)
This SIEM pseudocode prioritizes anomalous SharePoint requests to authentication sensitive paths and endpoints potentially relevant to missing authentication flaws, using client IP reputation to separate administrative from suspicious activity.
SIEM Query Pseudocode — Product Agnostic SharePoint Post Exploitation Chain
DEFENDER PRIORITIES
First priority is internet facing and hybrid Microsoft collaboration and identity. Patch SharePoint to the July 2026 baselines covering CVE-2026-56164, CVE-2026-58644, CVE-2026-55040, and related July SharePoint CVEs. Validate install success on every farm member. Enable AMSI integration in Full Mode with request body scanning where feasible. Hunt for webshells and machine key harvesters before rotating IIS keys. Remove direct internet exposure behind authenticated Layer 7 controls, including SharePoint Central Administration lockdown and reverse proxy exposure control. Federal and regulated peers should treat mid July remediation dates as organizational deadlines even when Binding Operational Directive style language does not formally bind them. Parallel to SharePoint, patch CVE-2026-56155 on Active Directory Federation Services and review privileged federation admin activity for local elevation paths. Enterprises should also review virtualization, Exchange, and hypervisor components for CVE-2026-57092, CVE-2026-55008, and related critical issues, because exploitation there can silently undermine segmentation and email security. Use KEV deadlines and vendor guidance as drivers for change management approvals rather than waiting for the next quarterly window.
Second, compress identity, remote access, and edge risk. Harden and audit internet facing services especially IIS, VPNs, remote access portals, BeyondTrust RS/PRA, Zoom desktop and SDK paths, Cisco ISE where applicable, and collaboration remote access. Detect web shells, unexpected binaries in web directories, and tunneling tools such as chisel, revsocks, and cloudflared that may indicate actor presence. Monitoring for anomalous Defender command line usage (MpCmdRun.exe with RemoveDefinitions or other atypical parameters) and bursts of PsExec activity across many hosts can provide early signals of Spirals style lateral movement and defense impairment. Lock down external Teams and tenant cold call paths that support impersonation and vishing adjacent pivots. Revoke and reissue high risk credentials after any confirmed help desk or stealer intrusion, and enforce phishing resistant MFA for admins and remote support roles. Patch publicly disclosed BitLocker bypass CVE-2026-50661 context into device loss and physical access controls, not only into mass RCE queues.
Third, assume ransomware operators will keep preferring unpatched edge apps, stolen credentials, backup service termination, and EDR interference. Review backup architectures so critical backups are logically and technically isolated from production domains, using separate identity planes, immutability, or offline media so actors cannot simply stop backup services and encrypt repositories along with primary systems. The Spirals pattern of stopping 23 backup and database services and abusing SYSVOL for domain wide deployment is the design failure mode to test against. Exercise production continuity for manufacturing and food and beverage style OT adjacent IT. Verify offline recovery for crown jewel file systems within two weeks. Critical infrastructure and manufacturing organizations should align incident response planning with initiatives like CI Fortify, focusing on isolation plans, manual fallback procedures, and continuity of essential services under cyber duress. Update runbooks for double extortion, Tor based negotiation portals, and data leak threats so legal, communications, and leadership roles are defined and rehearsed before the ransom note appears on C:.
Fourth, put developer supply chain and AI agent tooling under the same privileged access governance as admin workstations. Pin packages, monitor npm publish anomalies, restrict agent permissions, and treat exposed Langflow and automation UIs as public facing applications subject to the same exploit driven access model as SharePoint. Inventory and isolate internet exposed Langflow (CVE-2026-55255), ColdFusion (CVE-2026-48282), Gitea, and SOHO router management interfaces (CVE-2026-11405 class). Patch or decommission. Address kernel and container research pressure (CVE-2026-53359 Januscape, CVE-2026-43499 GhostLock) on multi tenant and container estates without over merging research into confirmed mass campaigns. Deploy or update Snort and SIGMA rule sets associated with July Patch Tuesday vulnerabilities and Spirals style defense impairment, verifying sensor coverage on key network segments and high value assets. Conduct a targeted ransomware readiness assessment focused on initial access controls, lateral movement detection, backup integrity, and recovery time objectives, benchmarking against the elevated baseline rather than last year’s spike narrative.
RECOMMENDED ACTIONS
Patch on prem SharePoint Server to Microsoft’s July 2026 updates covering CVE-2026-56164, CVE-2026-58644, CVE-2026-55040, CVE-2026-32201, CVE-2026-45659, and related July SharePoint CVEs; verify installation on every farm member.
Enable and verify AMSI integration for each SharePoint web application in Full Mode with request body scanning where supported; log anomalies to your SIEM for correlation with authentication sensitive endpoints; deploy vendor detections for known post exploitation artifacts.
Hunt then rotate IIS machine keys only after webshell and harvester cleanup; review ULS and IIS logs for anomalous toolpane, layouts, and _vti_bin POSTs before key rotation.
Block direct internet exposure of SharePoint and SharePoint Central Administration; place required access behind Layer 7 authenticated reverse proxies.
Patch Active Directory Federation Services for CVE-2026-56155 and review privileged federation admin activity for local elevation paths.
Apply July 2026 Microsoft patches with highest priority to remaining critical issues including CVE-2026-57092 (VMSwitch), CVE-2026-55008 (Exchange), CVE-2026-50661 (BitLocker bypass context), and other Windows infrastructure CVEs in the release.
Audit all internet facing IIS servers and remote access portals for unexpected ASP.NET files, web shells, and tunneling binaries (chisel, revsocks, cloudflared); remove or quarantine suspicious artifacts and enforce strict patch and configuration baselines.
Implement detection for MpCmdRun.exe executions using RemoveDefinitions or other atypical Defender parameters, and alert on bursts of PsExec activity crossing many hosts in short time windows.
Audit and patch remote access stacks (BeyondTrust RS/PRA, Zoom Windows client and SDK, Cisco ISE where applicable) within the current change window.
Revoke and reissue high risk credentials after any confirmed help desk or stealer intrusion; enforce phishing resistant MFA for admins and remote support roles.
Re architect backups so critical datasets live off domain or in strongly segmented environments with immutability; ensure ransomware cannot stop backup services and encrypt backup repositories along with production assets.
Test isolation and manual fallback procedures for manufacturing and OT environments; confirm essential operations can continue if production networks or IT systems are disconnected due to an incident.
Review and update incident response runbooks to include double extortion scenarios, Tor based negotiation portals, and data leak threats; ensure legal, communications, and leadership roles are defined and rehearsed.
Review npm and PyPI allowlists; pin AsyncAPI and crypto SDK dependencies; block known malicious package versions (Injective Labs and related) at the registry proxy.
Inventory and isolate internet exposed Langflow, ColdFusion, Gitea, and SOHO router management interfaces; patch CVE-2026-55255, CVE-2026-48282, CVE-2026-11405 class issues or decommission exposed management planes.
Deploy or update Snort and SIGMA rule sets associated with July Patch Tuesday vulnerabilities and Spirals style defense impairment; verify sensor coverage includes key network segments and high value assets.
Align sector specific cybersecurity plans, especially in food, manufacturing, and IT services, with emerging AI enabled threat assessments and regulatory expectations, leveraging ongoing legislative and CISA guidance including CI Fortify themes.
Conduct a targeted ransomware readiness assessment focusing on initial access controls, lateral movement detection, backup integrity, and recovery time objectives, benchmarking against elevated baseline activity; complete production adjacent IT backup immutability and offline restore tests within two weeks.
Restrict AI agent and automation tool permissions to least privilege; treat exposed agent UIs as public facing applications; monitor for Gemini CLI style operator abuse and coding agent prompt injection class risks in privileged environments.
Review kernel and container estates for CVE-2026-53359 (Januscape) and CVE-2026-43499 (GhostLock) patch urgency without treating research only items as confirmed mass wild exploitation.
CONFIDENCE & LIMITATIONS
This weekly assessment is primarily based on public vendor advisories, CERT and national cyber centre bulletins, investigative journalism, and technical research reports covering incidents and vulnerabilities disclosed or emphasized during the July 12 to 18, 2026 window. The edition draws on a solid but incomplete weekly sample dominated by Microsoft Patch Tuesday detail, CISA alerting and hardening guidance, and secondary research digests summarizing the same window. SharePoint active exploitation and July zero day status (CVE-2026-56164, CVE-2026-56155) are multiply attested and high confidence. Ransomware operator attribution for Fairlife and some breach actor linkages remain weak or absent in public primary statements. Details of initial access and specific TTPs for Spirals and Fairlife may change as more forensics are published. Ransomware baseline data comes from Q1 2026 reporting and thus serves as contextual rather than real time telemetry, though it aligns with this week’s incident volume. Several adjacent items (kernel escapes, AI agent research, ORB expansion, Cavern Manticore profiling) are well evidenced as research or tracked actor reporting but should not be over merged into a single campaign without additional correlation. Exact global victim counts, exploit kit packaging, and full IOC sets were not uniformly published across all stories. Patch count totals in consulted sources vary slightly (approximately 569 versus 570), so volume is stated as a range rather than a single false precise figure.
