A recent Microsoft security blog post highlights active exploitation of on-premises SharePoint vulnerabilities, where attackers are:
- Stealing credentials via SharePoint exploits
- Moving laterally using legacy protocols (NTLM, SMB)
- Abusing service accounts to escalate privileges
- Pivoting from on-prem to hybrid environments
Patching isn’t always immediate—so how do Silverfort customers mitigate risk without waiting for updates?
Silverfort’s identity-centric security platform provides a multilayered defense. In this blog post, we’ll explain how customers can protect their environment in five steps.
5 ways Silverfort protects against exploited SharePoint vulnerabilities
Prevent lateral movement via legacy protocols
Attackers use stolen credentials to move laterally via NTLM, SMB, RDP, PsExec—protocols where traditional MFA fails.
Silverfort’s Solution:
- Enforces MFA and access policies for legacy authentication
- Blocks stolen credentials from authenticating to file shares, databases, and domain controllers

Agentless protection for unpatchable systems
Many SharePoint servers can’t tolerate agents or immediate patching.
Silverfort’s Solution:
- No agents required—integrates at the domain controller level
- Provides real-time visibility and enforcement without server-side changes
Conditional access for on-prem identities
Attackers abuse on-prem AD accounts to pivot into hybrid environments.
Silverfort’s Solution:
- Extends Microsoft Entra AD-like Conditional Access to on-prem AD
- Blocks or requires MFA based on risk, location, time, or authentication method

Service account protection
SharePoint relies on privileged service accounts, which attackers target.
Silverfort’s Solution:
- Detects anomalous service account usage (e.g., logins from new hosts)
- Enforces risk-based MFA for service accounts

Instant incident containment
Microsoft warns of real-time exploitation—requiring rapid response.
Silverfort’s Solution:
- Blocks compromised accounts instantly across all AD-dependent systems
- Enforces quarantine policies without system modifications

Silverfort vs. SharePoint exploitation: Key use cases
| Threat Vector | Silverfort’s Mitigation |
| --- | --- |
| Lateral movement (NTLM, SMB) | MFA and access policies for legacy protocols |
| Service account abuse | Anomaly detection plus risk-based MFA enforcement |
| On-prem identity misuse | Conditional access for AD |
| Agentless defense needed | DC-level enforcement, no server agents required |
| Rapid exploit containment | Real-time blocking at the authentication layer |
Next steps for at-risk organizations
- Audit SharePoint-related service accounts and admin logins.
- Apply risk-based policies for legacy protocols and sensitive accounts.
- Isolate compromised identities with zero trust enforcement.
- Leverage agentless protection to reduce blast radius—even before patching.
Specific action plan
Immediate (First 24 hours):
- Identify all SharePoint servers and dependent systems
- Disable unnecessary legacy protocols (NTLMv1, WDigest)
- Enable Silverfort monitoring for SharePoint-related accounts
Short-Term (First week):
- Implement MFA for all privileged SharePoint accounts
- Restrict service account permissions
- Configure geo-fencing for administrative access
Ongoing:
- Conduct regular access reviews
- Test incident response playbooks
- Monitor for new IOCs related to SharePoint exploits
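To make the service account audit and the legacy protocol review concrete, the following added example (not Silverfort's or Microsoft's code) baselines the hosts each service account logs on from and then flags logons from new hosts and any NTLM use. It assumes Windows Security event 4624 fields exported to CSV; the account names, host names, baseline cutoff and sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: Security event 4624 fields exported to CSV (not real data).
SAMPLE_EVENTS = """\
TimeCreated,TargetUserName,WorkstationName,AuthenticationPackageName,LmPackageName
2025-07-01T02:00:11,svc_spfarm,SP-APP01,Kerberos,-
2025-07-01T02:05:40,svc_spfarm,SP-WFE01,Kerberos,-
2025-07-02T02:00:09,svc_spsearch,SP-APP01,Kerberos,-
2025-07-03T09:14:02,svc_spfarm,SP-WFE01,NTLM,NTLM V2
2025-07-10T03:41:55,svc_spfarm,HR-LAPTOP17,NTLM,NTLM V2
2025-07-10T03:44:18,svc_spsearch,SP-APP01,NTLM,NTLM V1
2025-07-10T08:00:00,jdoe,HR-LAPTOP17,Kerberos,-
"""

SERVICE_ACCOUNTS = {"svc_spfarm", "svc_spsearch"}  # hypothetical account names
BASELINE_END = "2025-07-08T00:00:00"  # assumed cutoff: earlier events form the baseline


def audit_logons(csv_text, accounts=SERVICE_ACCOUNTS, baseline_end=BASELINE_END):
    """Return (time, account, host, reason) findings for the given accounts."""
    known_hosts = defaultdict(set)
    findings = []
    # ISO 8601 timestamps in one format sort and compare correctly as strings.
    rows = sorted(csv.DictReader(io.StringIO(csv_text)), key=lambda r: r["TimeCreated"])
    for row in rows:
        account = row["TargetUserName"].lower()
        host = row["WorkstationName"].upper()
        if account not in accounts:
            continue  # only the audited service accounts are in scope
        when = row["TimeCreated"]
        if when < baseline_end:
            known_hosts[account].add(host)  # learning window: record, do not alert
            continue
        if host not in known_hosts[account]:
            findings.append((when, account, host, "new source host"))
        if row["AuthenticationPackageName"].upper() == "NTLM":
            reason = "NTLMv1 logon" if row["LmPackageName"] == "NTLM V1" else "NTLM logon"
            findings.append((when, account, host, reason))
    return findings


if __name__ == "__main__":
    for finding in audit_logons(SAMPLE_EVENTS):
        print(*finding, sep="  ")
```

Findings from the NTLM check also show which accounts would break if NTLMv1 were disabled, which is worth knowing before making that change.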
If your team uses Microsoft SharePoint and would like to learn more about how the capabilities mentioned in this post can protect your organization, request a demo today.