Threat Feed: SharePoint (7 briefs)
high advisory

ClearFake, ACR Stealer, and GraphRunner Emerge as Significant Threats

The Red Canary Intelligence Insights report for May 2026 highlights the rise of ClearFake, ACR Stealer, and GraphRunner, with ClearFake using JavaScript injection to deliver malware like ACR Stealer, and GraphRunner being abused for reconnaissance and data exfiltration via the Microsoft Graph API.

Entra ID +6 credential-theft malware oauth
high advisory

Microsoft SharePoint Server RCE Vulnerability

An authenticated remote attacker can exploit a vulnerability in Microsoft SharePoint Server 2016, Microsoft SharePoint Server 2019, and Microsoft SharePoint to execute arbitrary code.

SharePoint Server 2016 +2 sharepoint rce code_execution
high threat

Entra ID OAuth Device Code Phishing via AiTM

Detects successful Microsoft Entra ID sign-ins that used the OAuth 2.0 device code flow with the Microsoft Authentication Broker client requesting first-party Office API resources, a combination indicative of adversary-in-the-middle (AiTM) phishing kits such as Tycoon 2FA that abuse this flow.

Entra ID +3 Tycoon2FA cloud identity azure entra_id phishing
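The detection logic summarized in this brief, expressed as an added example in Python run over constructed Entra ID sign-in records; this is not the published rule itself. Field names follow the Entra sign-in log schema (authenticationProtocol, appDisplayName, appId, resourceDisplayName, status.errorCode). The broker app ID, the Office resource set and the benign-client allowlist are assumptions to verify against your own tenant before deploying.

```python
"""Device code AiTM sign-in detection over constructed Entra ID sign-in records.

Added example, not Red Canary's or Microsoft's rule. App IDs, resource names
and the allowlist are assumptions; confirm them against your tenant's logs.
"""

# Microsoft Authentication Broker, the first-party client abused in the
# Tycoon 2FA device code flow (assumption: verify the ID in your own logs).
BROKER_APP_NAME = "Microsoft Authentication Broker"
BROKER_APP_ID = "29d9ed98-a469-4536-ade2-f981bc1d605e"

# First-party Office API resources worth alerting on (assumed list; tune it).
OFFICE_RESOURCES = {
    "Office 365 Exchange Online",
    "Office 365 SharePoint Online",
    "Microsoft Graph",
}

# Clients that use the device code grant legitimately on headless hosts
# (assumed allowlist; Azure CLI is the usual source of benign noise).
BENIGN_DEVICE_CODE_CLIENTS = {"Microsoft Azure CLI"}


def is_device_code_aitm(signin: dict) -> bool:
    """True when a sign-in succeeded, used the device code grant, was issued
    to the Authentication Broker client and targeted an Office API."""
    if signin.get("status", {}).get("errorCode") != 0:   # successful sign-ins only
        return False
    if signin.get("authenticationProtocol") != "deviceCode":
        return False
    if signin.get("appDisplayName") in BENIGN_DEVICE_CODE_CLIENTS:
        return False
    is_broker = (signin.get("appId") == BROKER_APP_ID
                 or signin.get("appDisplayName") == BROKER_APP_NAME)
    return is_broker and signin.get("resourceDisplayName") in OFFICE_RESOURCES


def suspicious_users(signins: list) -> dict:
    """Map each flagged user to the source IPs of their matching sign-ins:
    the pivot an analyst needs to revoke sessions and block the relay IP."""
    hits = {}
    for s in signins:
        if is_device_code_aitm(s):
            hits.setdefault(s["userPrincipalName"], []).append(s["ipAddress"])
    return hits


# Constructed sample records (not real log data).
SAMPLE_SIGNINS = [
    {   # victim completed a device code prompt relayed by the phishing kit
        "userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.7",
        "authenticationProtocol": "deviceCode",
        "appId": BROKER_APP_ID, "appDisplayName": BROKER_APP_NAME,
        "resourceDisplayName": "Office 365 Exchange Online",
        "status": {"errorCode": 0},
    },
    {   # same pattern, but the sign-in failed: no session was issued
        "userPrincipalName": "bob@contoso.example", "ipAddress": "203.0.113.7",
        "authenticationProtocol": "deviceCode",
        "appId": BROKER_APP_ID, "appDisplayName": BROKER_APP_NAME,
        "resourceDisplayName": "Office 365 Exchange Online",
        "status": {"errorCode": 50126},
    },
    {   # admin using Azure CLI on a build agent: benign device code use
        "userPrincipalName": "carol@contoso.example", "ipAddress": "198.51.100.9",
        "authenticationProtocol": "deviceCode",
        "appId": "04b07795-8ddb-461a-bbee-02f9e1bf7b46",
        "appDisplayName": "Microsoft Azure CLI",
        "resourceDisplayName": "Microsoft Graph",
        "status": {"errorCode": 0},
    },
    {   # broker client, but an ordinary interactive (non-device-code) sign-in
        "userPrincipalName": "alice@contoso.example", "ipAddress": "192.0.2.44",
        "authenticationProtocol": "none",
        "appId": BROKER_APP_ID, "appDisplayName": BROKER_APP_NAME,
        "resourceDisplayName": "Microsoft Graph",
        "status": {"errorCode": 0},
    },
]

if __name__ == "__main__":
    for upn, ips in suspicious_users(SAMPLE_SIGNINS).items():
        print(f"ALERT device-code AiTM: {upn} from {', '.join(ips)}")
```

Only the first record fires: the failed attempt never produced a token, the Azure CLI sign-in is the expected benign use of the device code grant, and the broker client on its own is normal for a joined Windows device. When tuning, keep the success check; alerting on failed device code attempts mostly surfaces users who abandoned the prompt.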
high threat

UNC6671 BlackFile Vishing Extortion Campaign Targeting Microsoft 365 and Okta

UNC6671, operating under the "BlackFile" brand, conducts a sophisticated extortion campaign targeting organizations through voice phishing (vishing) and single sign-on (SSO) compromise, using adversary-in-the-middle (AiTM) techniques to bypass MFA and exfiltrate sensitive corporate data.

Microsoft 365 +5 UNC6671 vishing extortion aitm credential-theft data-exfiltration sso
medium threat

Potential Web Shell ASPX File Creation

Detects the creation of ASPX files in web server directories by processes other than known legitimate ones, a pattern that indicates possible web shell deployment for persistence on Windows systems.

exploited SharePoint web-shell persistence windows
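The file-creation check this brief describes, as an added example in Python run over constructed Windows file-creation events (Sysmon Event ID 11 style fields: Image, TargetFilename, User); it is not the published rule. It goes slightly beyond the brief by also matching the .ashx and .asmx handler extensions, which web shells use as readily as .aspx. The web-root prefixes and the writer allowlist are assumptions to adapt to your own IIS/SharePoint layout.

```python
"""Web shell drop detection over constructed file-creation events.

Added example, not the feed's rule. WEB_ROOTS and ALLOWED_WRITERS are
assumptions; tune them to the installation being monitored.
"""
from pathlib import PureWindowsPath

# Directories an IIS or SharePoint host serves content from (assumed list).
WEB_ROOTS = (
    r"C:\inetpub\wwwroot",
    r"C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
)

# Processes that legitimately drop server-side pages, e.g. installers and
# patching (assumed allowlist). w3wp.exe is deliberately NOT here: the IIS
# worker process writing an .aspx into a web root is the classic sign of a
# web shell dropped through a SharePoint exploit.
ALLOWED_WRITERS = {r"C:\Windows\System32\msiexec.exe"}

# .aspx as in the brief, plus handler extensions that serve the same purpose.
SHELL_EXTENSIONS = {".aspx", ".ashx", ".asmx"}


def _under(path: PureWindowsPath, root: str) -> bool:
    """Case-insensitive component-wise prefix check, so C:\\inetpub\\wwwroot2
    does not match C:\\inetpub\\wwwroot the way a string prefix would."""
    root_parts = [p.lower() for p in PureWindowsPath(root).parts]
    parts = [p.lower() for p in path.parts]
    return parts[:len(root_parts)] == root_parts


def is_webshell_drop(event: dict) -> bool:
    target = PureWindowsPath(event["TargetFilename"])
    if target.suffix.lower() not in SHELL_EXTENSIONS:
        return False
    if event["Image"].lower() in {w.lower() for w in ALLOWED_WRITERS}:
        return False
    return any(_under(target, root) for root in WEB_ROOTS)


def webshell_alerts(events: list) -> list:
    """Return the events that should page an analyst."""
    return [e for e in events if is_webshell_drop(e)]


# Constructed sample events (not real telemetry).
LAYOUTS = WEB_ROOTS[1]
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "User": r"IIS APPPOOL\SharePoint",
     "TargetFilename": r"C:\inetpub\wwwroot\wss\VirtualDirectories\80\shell.aspx"},
    {"Image": r"C:\Windows\System32\msiexec.exe", "User": r"NT AUTHORITY\SYSTEM",
     "TargetFilename": LAYOUTS + r"\Update.aspx"},              # patch install: allowed
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe", "User": r"IIS APPPOOL\SharePoint",
     "TargetFilename": r"C:\inetpub\wwwroot\images\logo.png"},  # static content
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "User": r"CONTOSO\svc",
     "TargetFilename": r"C:\Users\svc\Desktop\page.aspx"},      # outside any web root
    {"Image": r"C:\Windows\System32\cmd.exe", "User": r"CONTOSO\svc",
     "TargetFilename": LAYOUTS.lower() + r"\ghost.ashx"},       # case-varied path
]

if __name__ == "__main__":
    for e in webshell_alerts(SAMPLE_EVENTS):
        print(f"ALERT web shell drop: {e['Image']} wrote {e['TargetFilename']}")
```

The two hits are the worker process writing into a site directory and a shell writing into the SharePoint LAYOUTS folder; the path comparison is component-wise and case-insensitive because NTFS paths in telemetry arrive in mixed case.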
medium advisory

Detection of Command and Control Activity via Commonly Abused Web Services

This rule detects command and control activity over commonly abused web services by identifying Windows hosts that make DNS requests for those services from processes running outside known program locations, a sign that an adversary is trying to blend malicious traffic with legitimate network activity.

OneDrive +7 command-and-control windows threat-detection
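The DNS-based check this brief describes, as an added example in Python run over constructed Windows DNS query events (Sysmon Event ID 22 style fields: Image, QueryName, User); it is not the published rule. The abused-service list and the set of known program locations are assumptions: extend the first from your own threat intelligence and the second to cover where your software is actually installed.

```python
"""C2-over-abused-web-services detection over constructed DNS query events.

Added example, not the feed's rule. ABUSED_SERVICES and
KNOWN_PROGRAM_LOCATIONS are assumptions to tune per environment.
"""
from pathlib import PureWindowsPath
from typing import Optional

# Services routinely abused for C2, staging or exfiltration (assumed list).
ABUSED_SERVICES = (
    "discord.com", "discordapp.com", "pastebin.com", "dropbox.com",
    "onedrive.live.com", "api.telegram.org", "raw.githubusercontent.com",
)

# Directories installed software is expected to run from (assumed list).
KNOWN_PROGRAM_LOCATIONS = (
    r"C:\Program Files", r"C:\Program Files (x86)", r"C:\Windows",
)


def matched_service(query: str) -> Optional[str]:
    """Return the abused service a query belongs to, matching the domain and
    any subdomain (cdn.discordapp.com -> discordapp.com), or None."""
    q = query.lower().rstrip(".")          # tolerate a trailing dot in the FQDN
    for svc in ABUSED_SERVICES:
        if q == svc or q.endswith("." + svc):
            return svc
    return None


def in_known_location(image: str) -> bool:
    """Component-wise, case-insensitive check of the process image path."""
    parts = [p.lower() for p in PureWindowsPath(image).parts]
    for loc in KNOWN_PROGRAM_LOCATIONS:
        loc_parts = [p.lower() for p in PureWindowsPath(loc).parts]
        if parts[:len(loc_parts)] == loc_parts:
            return True
    return False


def is_suspicious_dns(event: dict) -> bool:
    return (matched_service(event["QueryName"]) is not None
            and not in_known_location(event["Image"]))


def c2_alerts(events: list) -> list:
    """(process image, abused service) pairs worth an analyst's attention."""
    return [(e["Image"], matched_service(e["QueryName"]))
            for e in events if is_suspicious_dns(e)]


# Constructed sample events (not real telemetry).
SAMPLE_DNS_EVENTS = [
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "User": r"CONTOSO\jdoe",
     "QueryName": "cdn.discordapp.com"},                        # dropper in Temp
    {"Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "User": r"CONTOSO\jdoe",
     "QueryName": "discord.com"},                               # browser: expected
    {"Image": r"C:\Users\jdoe\AppData\Local\Temp\update.exe", "User": r"CONTOSO\jdoe",
     "QueryName": "www.microsoft.com"},                         # not an abused service
    {"Image": r"C:\Windows\System32\svchost.exe", "User": r"NT AUTHORITY\SYSTEM",
     "QueryName": "onedrive.live.com"},                         # OS component
    {"Image": r"C:\ProgramData\sync\sync.exe", "User": r"CONTOSO\svc",
     "QueryName": "pastebin.com."},                             # trailing-dot FQDN
]

if __name__ == "__main__":
    for image, svc in c2_alerts(SAMPLE_DNS_EVENTS):
        print(f"ALERT possible C2 via {svc}: {image}")
```

Two events fire: the executable in a user Temp directory and the one under ProgramData. The rule is a blend-in detector, not a malware detector: a dropper that lands in a user-writable subfolder of Program Files evades it, so pair the location check with signer or hash reputation where the telemetry carries it.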
medium advisory

Impact of Poor Security Operation Center (SOC) Metrics

Poorly chosen performance metrics can significantly impair a SOC's ability to detect and respond to threats, leading to ineffective security operations and potential compromise.

SharePoint soc metrics threat-hunting detection