One Breach, Two Burglars
Microsoft's Detection and Response Team published findings this week from an investigation that began as an ordinary ransomware engagement and ended as a cautionary tale. Inside a single compromised environment, DART found not one but two unrelated threat actors operating simultaneously, each with its own infrastructure, tooling and objectives. As Microsoft put it, modern attacks are not always isolated events; sometimes they are overlapping campaigns that complicate every assumption a responder brings to the table. That two distinct actors were working the same environment at the same time was not obvious from any single artifact; it emerged only after careful correlation of the evidence.
The shared entry point was unpatched on-premises SharePoint servers, the same class of internet-facing application that has repeatedly proven to be a magnet for attackers. When a vulnerable system sits exposed, it does not attract a single adversary politely waiting its turn. It attracts everyone scanning for that weakness, and the result here was a collision of two campaigns inside one network. For defenders, the scenario shreds the comfortable mental model of an incident as a single intruder following a single kill chain. The presence of one actor in your environment is no longer evidence that there is only one, and that realization should reshape how eviction is scoped.
Storm-2603 Settles In
The first actor, tracked as Storm-2603, behaved like a patient operator building durable access. Microsoft observed it conducting reconnaissance by probing for local file inclusion weaknesses, requesting sensitive configuration files such as win.ini and web.config to map the environment. From there it established persistence using legitimate tooling rather than obvious malware, a hallmark of living-off-the-land tradecraft that is designed to blend into normal administrative noise and evade signature-based detection. The reconnaissance pattern alone is a useful hunting signal, because requests for those specific files from a SharePoint context are rarely benign.
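The hunting signal described above (requests for win.ini and web.config, with or without path traversal, reaching a SharePoint server) can be checked directly against IIS W3C logs. The following Python is an added example, not DART's or Microsoft's tooling; the log lines, hostnames, addresses and the `/_layouts/15/example.aspx` path are constructed for illustration, and the field layout follows the `#Fields:` header that real IIS logs carry.

```python
"""Hunt IIS W3C logs for SharePoint file-inclusion reconnaissance.

Added example (not Microsoft's or DART's code). The sample log below is
constructed: two benign SharePoint requests, two probes for sensitive
configuration files from one external address, one more benign request.
"""
import re
from urllib.parse import unquote

# Constructed sample. IIS writes '-' for empty fields and '+' for spaces in
# the User-Agent, so every field is whitespace-delimited.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-07-18 09:12:01 10.0.0.5 GET /sites/finance/Shared%20Documents/Forms/AllItems.aspx - 443 CORP\\alice 10.0.4.21 Mozilla/5.0 200
2024-07-18 09:12:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\bob 10.0.4.33 Mozilla/5.0 200
2024-07-18 09:13:44 10.0.0.5 GET /_layouts/15/example.aspx file=..%2F..%2Fwindows%2Fwin.ini 443 - 203.0.113.9 python-requests/2.31 500
2024-07-18 09:13:52 10.0.0.5 GET /_layouts/15/example.aspx file=..%5C..%5Cweb.config 443 - 203.0.113.9 python-requests/2.31 500
2024-07-18 09:15:10 10.0.0.5 GET /sites/hr/default.aspx - 443 CORP\\carol 10.0.4.40 Mozilla/5.0 200
"""

# File names named in the DART write-up as reconnaissance targets.
SENSITIVE_FILES = ("win.ini", "web.config")
# Either slash style counts as traversal once the URL has been decoded.
TRAVERSAL = re.compile(r"(\.\./|\.\.\\)")


def parse_w3c(log_text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue  # other directives: #Software, #Version, #Date
        if fields is None:
            raise ValueError("data line appeared before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        yield dict(zip(fields, values))


def decode_fully(value, rounds=3):
    """URL-decode repeatedly so single- and double-encoded paths normalise to one form."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def hunt_lfi_recon(log_text):
    """Return one finding per request whose path or query names a sensitive file."""
    findings = []
    for rec in parse_w3c(log_text):
        target = decode_fully(rec["cs-uri-stem"] + "?" + rec["cs-uri-query"]).lower()
        names = [name for name in SENSITIVE_FILES if name in target]
        if not names:
            continue
        findings.append({
            "time": f'{rec["date"]} {rec["time"]}',
            "source": rec["c-ip"],
            "user": rec["cs-username"],
            "agent": rec["cs(User-Agent)"],
            "status": int(rec["sc-status"]),
            "file": names[0],
            "traversal": bool(TRAVERSAL.search(target)),
        })
    return findings


def summarize_by_source(findings):
    """Map each client address to the sorted set of sensitive files it asked for."""
    by_source = {}
    for finding in findings:
        by_source.setdefault(finding["source"], set()).add(finding["file"])
    return {ip: sorted(files) for ip, files in by_source.items()}


if __name__ == "__main__":
    hits = hunt_lfi_recon(SAMPLE_LOG)
    for hit in hits:
        print(hit)
    print(summarize_by_source(hits))
```

The summary step matters more than the per-line match: one request for web.config might be an administrator's mistake, but a single external address asking for both files within seconds, unauthenticated and with a scripting User-Agent, is the pattern the write-up describes and is worth an immediate look at that server's other telemetry.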
Its toolkit is a tour of dual-use software. Storm-2603 leveraged Velociraptor, an open-source incident-response agent repurposed for offense and running with SYSTEM-level privileges, and maintained remote access through Cloudflare Tunnel, Zoho Assist and SSH connections via Visual Studio Code's remote features. Every one of those is a legitimate tool a real IT team might run, which is exactly the point. The actor's persistence layer was built almost entirely from software that would not look out of place in an enterprise, making detection a question of behavior and context rather than known-bad indicators. Blocking the binaries outright is impractical, so the defensive burden falls on spotting anomalous usage of tools that are otherwise sanctioned.
The Second Actor in the Shadows
As DART worked the case, the picture refused to stay tidy. A second, unrelated threat actor was operating in parallel, using DLL side-loading and custom backdoors that bore no connection to Storm-2603's playbook. The overlapping activity streams allowed both actors to sustain access while inadvertently masking the full scope of the breach from responders, who could easily have attributed one actor's noise to the other and declared the environment contained while a second adversary remained entrenched. That failure mode is the quiet danger of parallel intrusion: success against one campaign can manufacture false confidence about the whole.
This is the part that should reshape incident-response planning. When two campaigns overlap, eviction is far harder than usual, because remediating the artifacts of one actor can leave the other untouched and may even tip them off to accelerate. Microsoft stressed that only by correlating identity, endpoint and cloud telemetry together did the full scope of the attack become clear. Any single data source told an incomplete story. The discipline of stitching signals across domains was the difference between a partial cleanup and an actual eviction, and it argues strongly for unified telemetry rather than siloed tools that each see only their slice of the intrusion.
Why Unpatched SharePoint Keeps Burning Enterprises
On-premises SharePoint has become one of the most reliable footholds in the ransomware economy, and this case explains why. It is widely deployed, frequently internet-facing, often slow to patch because of business-critical customizations, and rich in the kind of access that attackers crave. A single exposed server is not just one vulnerable box. It is a doorway to identity, file shares and lateral movement, which is precisely why two independent crews ended up exploiting the same instances at once. The same characteristics that make SharePoint valuable to the business make it irresistible to attackers, and the patch-lag that customization imposes turns it into standing exposure.
The strategic message for CISOs is to stop thinking about exposed application servers as isolated risks. Each unpatched, internet-facing system is shared attack surface, available to every actor capable of finding it, and the probability that more than one will be present rises with the value and exposure of the asset. Aggressive patching of on-premises SharePoint, tight monitoring of dual-use tools like Velociraptor and tunneling utilities, and cross-domain telemetry correlation are no longer best practices. After a case like this, they are the baseline for surviving an intrusion that may have more than one author, and for recognizing that the first adversary you find may be the easier of two problems.
The Living-off-the-Land Detection Challenge
Storm-2603's reliance on Velociraptor, Cloudflare Tunnel, Zoho Assist and Visual Studio Code's remote SSH is a reminder that the modern adversary rarely needs custom malware to stay hidden. These are sanctioned, signed, frequently allowlisted tools, and their abuse generates telemetry that looks indistinguishable from legitimate IT operations unless you have the context to spot the anomaly. An incident-response agent running with SYSTEM privileges is unremarkable during an actual response engagement and deeply suspicious when no engagement is underway. The difference is entirely in the surrounding context, which is exactly the signal that thin, siloed monitoring tends to lose.
Defending against this requires baselining what normal administrative activity looks like in your environment, so that an outbound Cloudflare tunnel from a SharePoint server or an unexpected Velociraptor deployment stands out. We would push security teams to inventory which dual-use tools are sanctioned, alert on their appearance outside approved contexts, and treat remote-access utilities on internet-facing servers as high-priority hunting targets. The uncomfortable truth this case underlines is that blocking known-bad binaries does almost nothing against an actor who only uses tools you have already decided to trust, and the answer is behavioral analytics rather than another signature feed.
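The context-based approach recommended above (an inventory of sanctioned dual-use tools, the hosts they may run on, and whether an incident-response engagement is actually open) can be expressed as a small triage rule over process-creation events. The Python below is an added example and not Microsoft's or DART's detection logic; the hostnames, asset roles, approved-host lists and the Sysmon-style event records are all constructed assumptions. `velociraptor.exe` and `cloudflared.exe` are the binary names the two projects ship; other tools from the article would be added from your own inventory.

```python
"""Flag dual-use tools running outside their sanctioned context.

Added example (not Microsoft's or DART's code). The inventory, policy,
asset roles and events below are constructed for illustration.
"""
import os
from dataclasses import dataclass

# Assumed inventory of sanctioned dual-use tools, keyed by image file name.
DUAL_USE_TOOLS = {
    "velociraptor.exe": "Velociraptor incident-response agent",
    "cloudflared.exe": "Cloudflare Tunnel client",
}

# Assumed policy: where each tool may run, and whether it needs an open IR case.
POLICY = {
    "velociraptor.exe": {"allowed_hosts": {"IR-JUMP01"}, "requires_engagement": True},
    "cloudflared.exe": {"allowed_hosts": {"DEVOPS-PROXY01"}, "requires_engagement": False},
}

# Assumed asset inventory; internet-facing roles raise severity, as the article suggests.
ASSET_ROLES = {
    "SP-WEB01": "sharepoint-web",
    "IR-JUMP01": "ir-workstation",
    "DEVOPS-PROXY01": "reverse-proxy",
    "HR-LT-17": "laptop",
}
INTERNET_FACING = {"sharepoint-web", "reverse-proxy"}

# Constructed process-creation events using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"UtcTime": "2024-07-18 09:40:02", "Computer": "SP-WEB01",
     "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Windows\\Temp\\velociraptor.exe"},
    {"UtcTime": "2024-07-18 09:41:15", "Computer": "SP-WEB01",
     "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\ProgramData\\cloudflared.exe"},
    {"UtcTime": "2024-07-18 10:02:44", "Computer": "IR-JUMP01",
     "User": "NT AUTHORITY\\SYSTEM", "Image": "C:\\Tools\\velociraptor.exe"},
    {"UtcTime": "2024-07-18 10:05:09", "Computer": "HR-LT-17",
     "User": "CORP\\dave", "Image": "C:\\Windows\\System32\\notepad.exe"},
]


@dataclass
class Finding:
    host: str
    image: str
    severity: str
    reasons: list


def evaluate_event(event, engagement_open=False):
    """Return a Finding when a sanctioned tool appears outside its approved context, else None."""
    image = os.path.basename(event["Image"].replace("\\", "/")).lower()
    if image not in DUAL_USE_TOOLS:
        return None  # not a tool we track; ordinary software is out of scope here
    rule = POLICY[image]
    host = event["Computer"]
    reasons = []
    if host not in rule["allowed_hosts"]:
        reasons.append(f"{DUAL_USE_TOOLS[image]} on {host}, not an approved host")
    if rule["requires_engagement"] and not engagement_open:
        reasons.append("no incident-response engagement is open")
    if not reasons:
        return None  # approved host, and an engagement is open if one is required
    # SYSTEM is unremarkable during a real engagement; it only adds weight once
    # the surrounding context is already wrong.
    if event["User"].upper().endswith("SYSTEM"):
        reasons.append("running as SYSTEM")
    role = ASSET_ROLES.get(host, "unknown")
    severity = "high" if role in INTERNET_FACING else "medium"
    return Finding(host=host, image=image, severity=severity, reasons=reasons)


def triage(events, engagement_open=False):
    """Evaluate every event and keep only the ones that produced a finding."""
    results = []
    for event in events:
        finding = evaluate_event(event, engagement_open)
        if finding is not None:
            results.append(finding)
    return results


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS, engagement_open=False):
        print(finding.severity.upper(), finding.host, finding.image, "; ".join(finding.reasons))
```

Run with `engagement_open=False`, the Velociraptor and tunnel binaries on the SharePoint server both score high, and the agent on the IR jump host is flagged only because no case is open; flip the engagement flag and the jump-host event disappears while the SharePoint findings remain. That is the behavior the article calls for: the same binary, the same privileges, judged entirely by whether the surrounding context is one you sanctioned.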