
SharePoint exploitation and legacy protocols: what IAM teams need now


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8151
Topic starter  

TL;DR: Microsoft’s warning on active SharePoint exploitation shows attackers stealing credentials, moving laterally through NTLM and SMB, and abusing service accounts before patching can catch up, according to Silverfort. Identity-layer enforcement, especially for legacy authentication and privileged service accounts, becomes the decisive control when remediation lags.

NHIMG editorial — based on content published by Silverfort: SharePoint exploitation and identity-layer defenses

By the numbers:

Questions worth separating out

Q: What breaks when SharePoint attackers can reuse stolen credentials across legacy protocols?

A: What breaks is the assumption that a successful internal authentication is trustworthy. A credential stolen from the SharePoint host and replayed over NTLM or SMB looks like a routine internal logon to every downstream system, so nothing between the compromised server and the next target questions it.

Q: Why do service accounts increase the impact of SharePoint exploitation?

A: Service accounts increase impact because they often hold stable, privileged access across multiple systems and are reviewed less rigorously than human admin accounts.

Q: How do you know if legacy protocol controls are actually reducing lateral movement risk?

A: Look for fewer successful authentications over NTLM, SMB, RDP, and PsExec from privileged accounts, plus a visible drop in unexpected source hosts and high-risk logins.

Practitioner guidance

  • Block legacy authentication paths for high-value identities: Apply protocol-aware policy to NTLM, SMB, RDP, and PsExec for privileged accounts and sensitive SharePoint dependencies.
  • Separate and review SharePoint service accounts: Map every service account tied to SharePoint and its downstream dependencies, then review privilege scope, host usage, and interactive login patterns.
  • Enforce containment at the authentication layer: Use controls that can quarantine compromised identities across AD-dependent systems even when the server cannot be modified.

What's in the full article

Silverfort's full blog post covers the operational detail this post intentionally leaves for the source:

  • Step-by-step identity policy configuration for blocking legacy protocols such as NTLM, SMB, RDP, and PsExec.
  • Agentless deployment details for environments where SharePoint servers cannot tolerate host changes.
  • Service account monitoring and quarantine workflows for on-prem identities used in hybrid access paths.
  • Immediate containment steps that block compromised accounts across AD-dependent systems without waiting for patching.

👉 Read Silverfort's analysis of SharePoint exploitation and identity-layer containment →
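Worked check for the "How do you know if legacy protocol controls are actually reducing lateral movement risk?" answer and the service-account review in the practitioner guidance above. This is an added example, not code from the Silverfort post or the NHIMG editorial: it takes 4624-style successful-logon records (a baseline window and a current window), counts legacy-protocol logons by privileged accounts, flags privileged accounts authenticating from source hosts never seen in the baseline, and lists interactive logons by service accounts. The events, host names, account names and the privileged/service-account sets are all constructed for the example; in practice the records would come from a SIEM or Get-WinEvent and the tiering from your own inventory.

```python
"""Measure whether legacy-protocol controls are biting (added example, constructed data)."""
from collections import Counter, defaultdict

# Constructed 4624-style events (NOT real logs). Field names are shortened from the
# Windows Security event: user=TargetUserName, src=WorkstationName, dst=Computer,
# auth=AuthenticationPackageName, logon_type=LogonType (3=Network, 10=RemoteInteractive).
BASELINE = [  # window before the protocol policy was applied
    {"user": "svc_sharepoint", "src": "SP01", "dst": "SQL01", "auth": "NTLM", "logon_type": 3},
    {"user": "svc_sharepoint", "src": "SP01", "dst": "SQL01", "auth": "NTLM", "logon_type": 3},
    {"user": "svc_sharepoint", "src": "SP01", "dst": "FS01", "auth": "NTLM", "logon_type": 3},
    {"user": "da_admin", "src": "ADMIN01", "dst": "DC01", "auth": "Kerberos", "logon_type": 3},
    {"user": "da_admin", "src": "ADMIN01", "dst": "SP01", "auth": "NTLM", "logon_type": 10},
    {"user": "svc_spsearch", "src": "SP02", "dst": "SQL01", "auth": "Kerberos", "logon_type": 3},
]
CURRENT = [  # window after the policy; includes one suspicious reuse of svc_sharepoint
    {"user": "svc_sharepoint", "src": "SP01", "dst": "SQL01", "auth": "Kerberos", "logon_type": 3},
    {"user": "svc_sharepoint", "src": "WS-ACCT17", "dst": "SQL01", "auth": "NTLM", "logon_type": 3},
    {"user": "svc_sharepoint", "src": "WS-ACCT17", "dst": "SP01", "auth": "NTLM", "logon_type": 10},
    {"user": "da_admin", "src": "ADMIN01", "dst": "DC01", "auth": "Kerberos", "logon_type": 3},
    {"user": "svc_spsearch", "src": "SP02", "dst": "SQL01", "auth": "Kerberos", "logon_type": 3},
    {"user": "jdoe", "src": "WS-ACCT17", "dst": "FS01", "auth": "NTLM", "logon_type": 3},
]

PRIVILEGED = {"svc_sharepoint", "svc_spsearch", "da_admin"}  # assumed tiering
SERVICE_ACCOUNTS = {"svc_sharepoint", "svc_spsearch"}        # assumed inventory
LEGACY_AUTH = {"NTLM"}            # NTLMv1 and v2 both appear as "NTLM" in 4624
INTERACTIVE_TYPES = {2, 10, 11}   # Interactive, RemoteInteractive (RDP), CachedInteractive


def legacy_auth_by_account(events, privileged=PRIVILEGED):
    """Successful legacy-protocol logons per privileged account."""
    counts = Counter()
    for e in events:
        if e["user"] in privileged and e["auth"] in LEGACY_AUTH:
            counts[e["user"]] += 1
    return counts


def source_hosts(events, privileged=PRIVILEGED):
    """Set of source hosts each privileged account authenticated from."""
    hosts = defaultdict(set)
    for e in events:
        if e["user"] in privileged:
            hosts[e["user"]].add(e["src"])
    return hosts


def new_source_hosts(baseline, current, privileged=PRIVILEGED):
    """Privileged accounts seen from hosts absent in the baseline: credential reuse candidates."""
    before, now = source_hosts(baseline, privileged), source_hosts(current, privileged)
    unseen = {u: now[u] - before.get(u, set()) for u in now}
    return {u: h for u, h in unseen.items() if h}


def interactive_service_logons(events, service_accounts=SERVICE_ACCOUNTS):
    """Service accounts should never log on interactively; every hit is review-worthy."""
    return [e for e in events
            if e["user"] in service_accounts and e["logon_type"] in INTERACTIVE_TYPES]


def legacy_reduction(baseline, current, privileged=PRIVILEGED):
    """Fractional drop in privileged legacy logons between windows (1.0 = eliminated)."""
    b = sum(legacy_auth_by_account(baseline, privileged).values())
    c = sum(legacy_auth_by_account(current, privileged).values())
    return 0.0 if b == 0 else (b - c) / b


if __name__ == "__main__":
    print("legacy logons, baseline:", dict(legacy_auth_by_account(BASELINE)))
    print("legacy logons, current :", dict(legacy_auth_by_account(CURRENT)))
    print("reduction:", legacy_reduction(BASELINE, CURRENT))
    print("new source hosts:", new_source_hosts(BASELINE, CURRENT))
    for e in interactive_service_logons(CURRENT):
        print("interactive service logon:", e)
```

The reduction figure alone can hide the thing that matters: here the total of privileged NTLM logons halves, yet the remaining ones come from a workstation that never held that service account before, and one of them is an RDP session under a service identity. Track the per-account counts, the new-host set and the interactive list together, not just the aggregate.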
