
By Medha Cloud Security Desk
Microsoft investigators have uncovered a series of coordinated cyberattacks targeting retail organizations, where hackers exploited SharePoint vulnerabilities and abused Microsoft Entra ID tokens to gain persistent access to corporate networks. The campaign, described in a Microsoft Threat Intelligence report, shows how threat actors are chaining cloud and on-premises weaknesses to evade detection.
The incident began when a single security alert revealed unusual SharePoint behavior within a retail customer’s Microsoft 365 tenant. Upon investigation, Microsoft identified exploitation of CVE-2025-49704 and CVE-2025-49706 — two vulnerabilities enabling remote code execution and privilege escalation in SharePoint Server. Attackers used these flaws to deploy malicious web shells, establish persistence, and escalate privileges into Entra ID via compromised API credentials.
According to TechRadar Pro and The Hacker News, the attackers leveraged stolen OAuth tokens and misconfigured Entra applications to quietly exfiltrate data for months. Many victims were unaware of the breach due to limited visibility into app registrations and token lifetime policies.
The campaign highlights a new era of identity abuse, where attackers use legitimate APIs and authentication pathways instead of brute-force attacks. “They’re operating inside the same tools administrators use every day — that’s what makes detection so difficult,” said one Microsoft analyst involved in the investigation.
Microsoft recommends customers update all on-premises SharePoint deployments, review Conditional Access policies, and monitor Entra ID logs for unusual token issuance. Security experts also advise adopting Privileged Identity Management (PIM) to limit the duration of high-privilege access and implementing Just-In-Time (JIT) elevation.
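The last recommendation, monitoring Entra ID logs for unusual token issuance, is the one most teams leave vague. The script below is an added example for this article, not code from Microsoft or from the report it describes. It triages two exported log sets the way a defender would after an alert like the one above: it flags audit events that add credentials to an app registration or service principal (the path by which an attacker can keep minting OAuth tokens after the web shell is gone), and it compares app-only sign-in counts against a per-app baseline to surface both never-seen apps and sudden spikes. The record shapes follow the Microsoft Graph directoryAudit and signIn resources as the author understands them, and every record, app id, address and baseline value is constructed for illustration.

```python
"""Triage helper for exported Microsoft Entra ID audit and sign-in logs.

Added example; not code from Microsoft or from the report described in the
article. Field names follow the Graph directoryAudit / signIn schema as the
author understands it. All records below are constructed, not real telemetry.
"""
from __future__ import annotations

import json
from collections import Counter

# Audit activities that add a credential to an application or service principal.
# A new client secret or certificate on an existing app is enough to request
# OAuth tokens as that app, which is the quiet persistence the article describes.
CREDENTIAL_ACTIVITIES = {
    "Add service principal credentials",
    "Update application - Certificates and secrets management",
}

# Constructed directoryAudit-style records (assumed shape, sample data).
AUDIT_LOG = json.loads("""[
 {"activityDateTime": "2025-07-18T02:14:09Z",
  "activityDisplayName": "Add service principal credentials",
  "initiatedBy": {"user": {"userPrincipalName": "spadmin@contoso.example"}},
  "targetResources": [{"displayName": "Finance Sync", "type": "ServicePrincipal"}]},
 {"activityDateTime": "2025-07-18T09:30:00Z",
  "activityDisplayName": "Update user",
  "initiatedBy": {"user": {"userPrincipalName": "hr@contoso.example"}},
  "targetResources": [{"displayName": "j.doe", "type": "User"}]},
 {"activityDateTime": "2025-07-19T03:02:41Z",
  "activityDisplayName": "Update application - Certificates and secrets management",
  "initiatedBy": {"app": {"displayName": "Finance Sync"}},
  "targetResources": [{"displayName": "Inventory Connector", "type": "Application"}]}
]""")


def _signin(ts: str, app_id: str, name: str, ip: str) -> dict:
    """Build one constructed app-only sign-in record (signIn-style fields)."""
    return {"createdDateTime": ts, "appId": app_id, "appDisplayName": name, "ipAddress": ip}


# Constructed sign-ins: seven in 35 minutes for "Finance Sync", one routine
# sign-in for the inventory app, and one from an app id never seen before.
SIGNIN_LOG = (
    [_signin(f"2025-07-19T03:{m:02d}:00Z", "app-finance", "Finance Sync", "203.0.113.7")
     for m in range(0, 35, 5)]
    + [_signin("2025-07-19T08:00:00Z", "app-inventory", "Inventory Connector", "198.51.100.4")]
    + [_signin("2025-07-19T08:10:00Z", "app-new-0001", "Data Export Helper", "203.0.113.7")]
)

# Assumed per-app daily baseline of app-only sign-ins, learned from a quiet period.
BASELINE = {"app-finance": 2, "app-inventory": 5}


def who(event: dict) -> str:
    """Name the initiator of an audit event, whether a user or an application."""
    by = event.get("initiatedBy", {})
    if by.get("user"):
        return by["user"].get("userPrincipalName", "<unknown user>")
    if by.get("app"):
        return "app:" + by["app"].get("displayName", "<unknown app>")
    return "<unknown>"


def credential_additions(audit_log: list[dict]) -> list[dict]:
    """Return every event that adds credentials to an app or service principal.

    An application acting as the initiator is called out separately: an already
    compromised app adding secrets to a second app is how access spreads.
    """
    hits = []
    for ev in audit_log:
        if ev.get("activityDisplayName") not in CREDENTIAL_ACTIVITIES:
            continue
        actor = who(ev)
        hits.append({
            "when": ev["activityDateTime"],
            "by": actor,
            "targets": [t.get("displayName") for t in ev.get("targetResources", [])],
            "app_initiated": actor.startswith("app:"),
        })
    return hits


def unusual_token_issuance(signin_log: list[dict], baseline: dict[str, int],
                           factor: int = 3) -> tuple[set[str], dict[str, int]]:
    """Compare app-only sign-in counts with the baseline.

    Returns (app ids never seen in the baseline, app ids whose count exceeds
    factor times their baseline, mapped to the observed count).
    """
    counts = Counter(s["appId"] for s in signin_log)
    new_apps = {app for app in counts if app not in baseline}
    spikes = {app: n for app, n in counts.items()
              if app in baseline and n > factor * baseline[app]}
    return new_apps, spikes


if __name__ == "__main__":
    for hit in credential_additions(AUDIT_LOG):
        print("credential change:", hit)
    new_apps, spikes = unusual_token_issuance(SIGNIN_LOG, BASELINE)
    print("apps outside baseline:", sorted(new_apps))
    print("issuance spikes:", spikes)
```

Each flagged event is a starting point for the reviews the article recommends: a credential added to an app at 02:14 by a SharePoint-side admin account is exactly the kind of record to reconcile against change tickets, and an app id absent from the baseline is where a review of app registrations and consent grants should begin. In a real tenant the two inputs would come from the Graph audit and sign-in exports or from a Log Analytics workspace rather than from the constructed lists here.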
The retail sector remains a frequent target due to its distributed workforce and complex supply chains. The findings serve as a reminder that hybrid environments — combining on-premises servers with Microsoft 365 services — require continuous monitoring and coordinated defense to prevent lateral movement.
Defend against persistent identity attacks and hybrid-cloud exploits with Medha Cloud’s Managed Microsoft 365 Security Services, offering advanced threat monitoring, API visibility, and continuous tenant protection.