What is the ToolShell attack and why should you care
A new wave of cyberattacks exploiting Microsoft SharePoint has already compromised at least 75 organisations across Europe. The campaign, tracked under the name ToolShell, uses a sophisticated backdoor toolkit that gives attackers persistent access to corporate environments through one of the most widely used collaboration platforms in the world.
For European SMBs that rely on SharePoint for document management, intranet services, and team collaboration, this is not a distant headline. It is a direct threat to daily operations, sensitive data, and business continuity.
How the ToolShell attack works
Initial access through SharePoint vulnerabilities
The ToolShell campaign takes advantage of known — and in many cases still unpatched — vulnerabilities in Microsoft SharePoint Server. Critical flaws such as CVE-2024-38094 (a remote code execution vulnerability with a CVSS score of 7.2) and the chained exploits CVE-2023-29357 and CVE-2023-24955 allow attackers to bypass authentication, escalate privileges, and execute arbitrary code on the server.
Once inside, the attackers deploy a custom backdoor toolkit — ToolShell — that installs itself as a series of webshell components disguised as legitimate SharePoint files. These components use standard file extensions like .aspx and .ashx, making them extremely difficult to distinguish from normal SharePoint application files during routine checks.
Persistence and lateral movement
What makes ToolShell particularly dangerous is its modular design. After the initial webshell is planted, the toolkit can download additional modules for credential harvesting, lateral movement across the network, and data exfiltration. The attackers operate with a low-and-slow approach, often remaining undetected for weeks before executing their final objective — whether that is ransomware deployment, intellectual property theft, or supply chain compromise.
The toolkit communicates with command-and-control servers using encrypted channels that mimic legitimate SharePoint traffic patterns. This makes network-based detection significantly harder, especially for organisations without advanced monitoring in place.
Why European SMBs are at particular risk
Large enterprises typically have dedicated security operations centres and endpoint detection tools that can flag anomalous behaviour. Small and medium businesses rarely have the same resources, yet they use the same platforms. According to Eurostat, over 90% of EU enterprises with 10 or more employees use cloud-based services, and Microsoft 365 — including SharePoint — dominates the European market.
Italian SMBs face an additional challenge. The country’s Agenzia per la Cybersicurezza Nazionale (ACN) has repeatedly warned that Italian businesses are disproportionately targeted by opportunistic threat actors, partly because of slower patch adoption cycles and limited cybersecurity budgets. In its 2024 annual report, ACN noted a 65% year-over-year increase in cyber incidents affecting Italian organisations, with unpatched public-facing applications cited as a top initial access vector.
The ToolShell campaign fits this pattern perfectly. It targets a widely deployed platform, exploits vulnerabilities for which patches have been available for months, and relies on the fact that many organisations simply have not applied them yet.
NIS2 and regulatory pressure
The EU’s NIS2 Directive, which entered full enforcement in October 2024, significantly expanded the scope of cybersecurity obligations for medium and large enterprises across essential and important sectors. Companies that fail to implement adequate security measures — including timely vulnerability management — now face administrative fines of up to €10 million or 2% of global annual turnover.
An incident like a ToolShell compromise is not only a technical problem. It is a compliance problem. Organisations must be able to demonstrate that they took reasonable steps to protect their infrastructure, including patching known vulnerabilities within a defined timeframe.
How to protect your organisation
The good news is that defending against ToolShell does not require exotic technology. It requires discipline and a structured approach to security fundamentals.
Patch management
Apply all available Microsoft SharePoint security updates immediately. Prioritise CVE-2024-38094, CVE-2023-29357, and CVE-2023-24955 if you have not already done so. If you are running SharePoint Server on-premises, confirm that your update schedule is no more than 30 days behind Microsoft’s Patch Tuesday releases.
Reduce your attack surface
SharePoint servers should never be directly exposed to the internet without a web application firewall or reverse proxy in front of them. Review your network architecture and ensure that SharePoint services are segmented from critical internal systems such as Active Directory domain controllers and database servers.
Monitor for webshells
Conduct a scan of your SharePoint directories for unexpected or recently modified .aspx, .ashx, and .asmx files. Microsoft Defender for Endpoint includes webshell detection capabilities, and open-source tools like YARA rules published by CISA can help identify known webshell signatures.
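One way to run the scan described above, as an added example that is not part of the original article: a PowerShell script that inventories .aspx, .ashx and .asmx files under the SharePoint web directories, hashes them, and flags anything absent from a known-good baseline, changed since the baseline, or modified within the last N days. It assumes a SharePoint Server 2016/2019 "16 hive" layout path, IIS web roots under C:\inetpub\wwwroot\wss, and a baseline CSV you generate yourself on a clean, freshly patched server with the -Baseline switch.

```powershell
# Added example, not from the original article. Assumptions: the "16 hive" LAYOUTS path,
# IIS web roots under C:\inetpub\wwwroot\wss, and a baseline CSV (columns Path, Hash)
# written by this same script on a clean server using -Baseline.
param(
    [string[]]$Roots = @(
        'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
        'C:\inetpub\wwwroot\wss\VirtualDirectories'
    ),
    [int]$Days = 30,
    [string]$BaselineCsv = 'C:\SecOps\sharepoint-baseline.csv',
    [switch]$Baseline
)

# Script-mapped extensions that a webshell would typically use on SharePoint.
$extensions = '*.aspx', '*.ashx', '*.asmx'

function Get-WebFileInventory {
    param([string[]]$Paths, [string[]]$Include)
    Get-ChildItem -Path $Paths -Recurse -File -Include $Include -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Path          = $_.FullName
                LastWriteTime = $_.LastWriteTime
                Hash          = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

$inventory = Get-WebFileInventory -Paths $Roots -Include $extensions

if ($Baseline) {
    # Record the known-good state; rerun this after every SharePoint update.
    $inventory | Select-Object Path, Hash | Export-Csv -Path $BaselineCsv -NoTypeInformation
    return
}

$known = @{}
if (Test-Path $BaselineCsv) {
    Import-Csv $BaselineCsv | ForEach-Object { $known[$_.Path] = $_.Hash }
}

$cutoff = (Get-Date).AddDays(-$Days)
$findings = foreach ($f in $inventory) {
    $reason = $null
    if (-not $known.ContainsKey($f.Path))  { $reason = 'NOT IN BASELINE' }
    elseif ($known[$f.Path] -ne $f.Hash)   { $reason = 'HASH CHANGED' }
    elseif ($f.LastWriteTime -gt $cutoff)  { $reason = "MODIFIED IN LAST $Days DAYS" }
    if ($reason) { $f | Add-Member -NotePropertyName Reason -NotePropertyValue $reason -PassThru }
}

$findings | Sort-Object LastWriteTime -Descending | Format-Table Reason, LastWriteTime, Path -AutoSize
```

Files reported as NOT IN BASELINE or HASH CHANGED deserve manual review of their contents before anything else, since a legitimate update rewrites many files at once while a planted webshell usually appears as a single new file.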
Enforce strong authentication
Enable multi-factor authentication for all accounts with access to SharePoint, including service accounts and administrative interfaces. Review OAuth application permissions and revoke any that are unnecessary or unfamiliar.
Centralise logging and detection
Ensure that Unified Audit Logging is enabled in your Microsoft 365 tenant and that SharePoint server-level logs are forwarded to a centralised SIEM platform. Without visibility into what is happening on your SharePoint infrastructure, detecting a ToolShell compromise before serious damage occurs is nearly impossible.
The bigger picture
The ToolShell campaign is not an isolated incident. It is part of a broader trend in which attackers target widely adopted enterprise platforms — SharePoint, Exchange, Confluence — because a single vulnerability gives them access to thousands of potential victims simultaneously.
For European SMBs, the message is clear. Cybersecurity is no longer optional, and the cost of inaction now includes regulatory penalties on top of operational disruption and reputational damage. The organisations that will fare best are those that treat patch management, network segmentation, and monitoring not as occasional projects but as continuous processes embedded in daily operations.
Seventy-five companies have already learned this lesson the hard way. The question is whether your organisation will be next.