
Threat Hunting Case Study: FileFix
FileFix bypasses Mark of the Web (MotW) protections by hijacking the Windows File Explorer address bar. Here is how to hunt for it.

In July 2025, researchers discovered large-scale exploitation of a vulnerability affecting Microsoft SharePoint servers. The campaign leverages a critical zero-day vulnerability in Microsoft SharePoint Server, tracked as CVE-2025-53770, to achieve unauthorized remote code execution (RCE) on vulnerable on-premises servers.
The vulnerability stems from deserialization of untrusted data, and exploiting it grants unauthenticated access to SharePoint systems. The exploitation chain, dubbed "ToolShell," has been actively used in large-scale attacks, compromising over 85 SharePoint servers across 29 organizations, including multinational corporations and government entities. The impact is significant: a successful attacker can execute arbitrary code, access sensitive data, and potentially move laterally within the victim's network. Its exploitation underscores the critical need for timely patching and robust security measures to protect enterprise infrastructure. Intel 471 will continue to update this collection with pertinent information as research continues and new data is uncovered.


