Parallel Threat Activity: Microsoft DART Findings
Summary
Microsoft Incident Response detailed a complex intrusion in which two unrelated threat actors operated simultaneously in the same environment, complicating attribution and detection. The case highlights how ransomware activity, SharePoint exploitation, trusted tool abuse, and identity compromise can overlap across hybrid estates, reinforcing the need for strong telemetry, patching, and coordinated response.
Introduction
Microsoft’s latest Cyberattack Series report shows why modern incident response is getting harder: defenders may be dealing with more than one attacker at the same time. In this case, Microsoft DART uncovered a single intrusion that involved parallel activity from two unrelated threat actors, creating overlapping signals that complicated both attribution and containment.
For security teams, the lesson is clear: isolated alerts may not reflect the full scope of an attack, especially in hybrid environments spanning on-premises and cloud resources.
What’s new in the report
Two threat actors in one intrusion
- Microsoft DART found evidence of two separate threat actors operating simultaneously in the same compromised environment.
- One actor, Storm-2603, was linked to ransomware-related activity and targeting of on-premises SharePoint servers.
- A second actor used DLL sideloading and custom backdoors, indicating a distinct intrusion path and tradecraft.
SharePoint and reconnaissance activity
- Storm-2603 had reportedly targeted SharePoint servers since mid-2025.
- The actor exploited known vulnerabilities and also probed for additional entry points with requests for files such as win.ini and web.config. Those two files are classic canaries for path traversal and local file inclusion (LFI) testing: win.ini exists on every Windows host with predictable content, and web.config holds an IIS application's configuration, including any connection strings, so a successful read both confirms the weakness and may expose secrets.
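The probing described above leaves a recognizable trail in web server logs. The following is an added example, not code from the Microsoft report: a small detector that parses IIS W3C extended log lines, percent-decodes each request (repeatedly, to catch double encoding), and flags requests that name a canary file or contain a traversal sequence. The log lines are constructed, and the field order in the #Fields header is an assumption; the parser reads whatever header your server actually writes.

```python
"""Flag web requests that look like path-traversal / local-file-inclusion probes.

Added example, not code from the Microsoft report. The log lines below are
constructed to resemble IIS W3C extended format; the #Fields layout is an
assumption and the parser reads whatever header your server actually writes.
"""
import re
from collections import defaultdict
from urllib.parse import unquote

# Files probed because their contents are predictable (win.ini, system.ini) or
# because they reveal configuration and secrets (web.config, machine.config).
CANARY_PATH = re.compile(r"(^|/)(win\.ini|system\.ini|web\.config|machine\.config)$")
CANARY_ANY = re.compile(r"(win\.ini|system\.ini|web\.config|machine\.config)")


def normalize(value: str) -> str:
    """Percent-decode up to three times (defeats double encoding), lowercase,
    and fold backslashes to slashes so '..\\' and '%2e%2e%5c' read as '../'."""
    prev, cur = None, value
    for _ in range(3):
        if cur == prev:
            break
        prev, cur = cur, unquote(cur)
    return cur.lower().replace("\\", "/")


def is_lfi_probe(uri_stem: str, uri_query: str) -> bool:
    """True if the request names a canary file or carries a traversal sequence."""
    stem, query = normalize(uri_stem), normalize(uri_query)
    if CANARY_PATH.search(stem) or CANARY_ANY.search(query):
        return True
    return "../" in stem or "../" in query


def parse_w3c(lines):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_probes(lines):
    """Return {client_ip: [decoded suspicious targets]} for probe-like requests."""
    hits = defaultdict(list)
    for row in parse_w3c(lines):
        stem = row.get("cs-uri-stem", "")
        query = row.get("cs-uri-query", "-")
        query = "" if query == "-" else query  # IIS logs '-' for no query string
        if is_lfi_probe(stem, query):
            target = stem + ("?" + query if query else "")
            hits[row.get("c-ip", "?")].append(normalize(target))
    return dict(hits)


# Constructed sample: two benign clients and one client probing for canary files,
# including a double-encoded traversal in the query string.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2025-07-19 10:15:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 10.0.0.20 200
2025-07-19 10:15:09 10.0.0.5 GET /_layouts/15/../../../../windows/win.ini - 443 203.0.113.7 404
2025-07-19 10:15:11 10.0.0.5 GET /sites/hr/web.config - 443 203.0.113.7 404
2025-07-19 10:15:14 10.0.0.5 GET /_layouts/15/download.aspx file=..%252f..%252fweb.config 443 203.0.113.7 200
2025-07-19 10:15:20 10.0.0.5 GET /sites/hr/Shared%20Documents/Report.docx - 443 10.0.0.21 200
"""

if __name__ == "__main__":
    for ip, targets in find_probes(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {len(targets)} probe(s)")
        for t in targets:
            print("   ", t)
```

A 404 on such a request is still worth an alert: the value is in the intent, not the outcome, and the same source IP returning with a 200 on a download handler is the case to escalate. Decoding before matching matters because request filtering and WAF rules that look only at the raw URL miss the double-encoded form in the fourth line.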
Trusted tools used for persistence
- The attackers used legitimate tools to blend into normal admin activity, including:
  - Velociraptor (an open-source DFIR agent) running with SYSTEM privileges
  - Cloudflare tunnels, which connect outbound and so need no inbound firewall rule
  - Zoho Assist remote support software
  - SSH via Visual Studio Code
- Additional tactics included creating new local and domain admin accounts and loading a vulnerable driver (a bring-your-own-vulnerable-driver technique) to tamper with kernel memory and weaken endpoint protections.
Why this matters for IT and security administrators
This report is a reminder that trusted tools and normal-looking admin behavior can mask malicious activity. Security teams managing Microsoft environments should pay close attention to internet-facing SharePoint systems, privileged account creation, remote access tooling, and telemetry correlation across identities, endpoints, and cloud services.
The case also shows why ransomware investigations should not assume a single actor or a linear attack chain. Parallel threat activity can hide the true scope of compromise and delay containment if teams investigate alerts in isolation.
Recommended next steps
- Patch internet-facing systems quickly, especially on-premises SharePoint servers.
- Centralize and retain telemetry across endpoints, identities, and cloud resources.
- Review use of trusted admin tools such as remote access software, tunneling tools, and forensic utilities.
- Audit privileged account changes and investigate unexpected local or domain admin creation.
- Test incident response playbooks to ensure teams can isolate compromised users, devices, and access paths quickly.
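The account-creation tactic noted under "Trusted tools used for persistence" and the audit step above share one detection: a fresh account that is added to a privileged group shortly after it is created. The following is an added example, not code from the Microsoft report, that correlates Windows Security event 4720 (user account created) with 4728/4732/4756 (member added to a global, local or universal security group). The events are constructed; the EventData field names are the ones Windows uses for these events, but the flat dict shape is an assumption about how your SIEM or Get-WinEvent export presents them.

```python
"""Correlate account creation with privileged-group membership changes.

Added example, not code from the Microsoft report. The events below are
constructed; TargetUserName, MemberName and SubjectUserName are the EventData
names Windows uses for Security events 4720/4728/4732/4756, but the flat dict
shape (and the "EventID"/"TimeCreated"/"Computer" keys) is an assumption about
how your SIEM or Get-WinEvent export presents them.
"""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins", "schema admins"}
# 4732: member added to local security group; 4728: global; 4756: universal
GROUP_ADD_EVENTS = {4732, 4728, 4756}
ACCOUNT_CREATED = 4720
DEFAULT_WINDOW = timedelta(hours=1)


def member_account(member_name: str) -> str:
    """Reduce 'HOST\\user' or 'CN=user,CN=Users,DC=...' to a bare lowercase name."""
    if member_name.upper().startswith("CN="):
        return member_name.split(",", 1)[0][3:].lower()
    return member_name.rsplit("\\", 1)[-1].lower()


def find_privileged_additions(events, window=DEFAULT_WINDOW):
    """Return one finding per addition to a privileged group.

    Severity is 'high' when the member was created within `window` before the
    addition (create-then-elevate, the pattern behind a fresh attacker-owned
    admin account) and 'medium' otherwise, since any such change deserves a
    ticket."""
    created = {}   # account name -> creation time, from 4720 events seen so far
    findings = []
    for ev in sorted(events, key=lambda e: e["TimeCreated"]):
        when = datetime.fromisoformat(ev["TimeCreated"])
        if ev["EventID"] == ACCOUNT_CREATED:
            created[ev["TargetUserName"].lower()] = when
            continue
        if ev["EventID"] not in GROUP_ADD_EVENTS:
            continue
        group = ev["TargetUserName"]          # for group-change events this is the group
        if group.lower() not in PRIVILEGED_GROUPS:
            continue
        account = member_account(ev["MemberName"])
        born = created.get(account)
        fresh = born is not None and timedelta(0) <= when - born <= window
        findings.append({
            "time": ev["TimeCreated"],
            "computer": ev["Computer"],
            "actor": ev["SubjectUserName"],
            "account": account,
            "group": group,
            "severity": "high" if fresh else "medium",
        })
    return findings


# Constructed sample: a service account on a SharePoint server creates a local
# user and makes it a local admin; the same name is later made a Domain Admin on
# the DC. A routine HR provisioning pair at the end must not alert.
SAMPLE_EVENTS = [
    {"TimeCreated": "2025-07-19T22:41:03", "EventID": 4720, "Computer": "SP01.corp.example",
     "SubjectUserName": "svc-sharepoint", "TargetUserName": "backupadm"},
    {"TimeCreated": "2025-07-19T22:41:05", "EventID": 4732, "Computer": "SP01.corp.example",
     "SubjectUserName": "svc-sharepoint", "TargetUserName": "Administrators",
     "MemberName": "SP01\\backupadm"},
    {"TimeCreated": "2025-07-19T23:10:40", "EventID": 4728, "Computer": "DC01.corp.example",
     "SubjectUserName": "j.doe", "TargetUserName": "Domain Admins",
     "MemberName": "CN=backupadm,CN=Users,DC=corp,DC=example"},
    {"TimeCreated": "2025-07-20T08:00:00", "EventID": 4720, "Computer": "DC01.corp.example",
     "SubjectUserName": "hr.provisioning", "TargetUserName": "new.hire"},
    {"TimeCreated": "2025-07-20T08:00:10", "EventID": 4728, "Computer": "DC01.corp.example",
     "SubjectUserName": "hr.provisioning", "TargetUserName": "Domain Users",
     "MemberName": "CN=new.hire,CN=Users,DC=corp,DC=example"},
]

if __name__ == "__main__":
    for f in find_privileged_additions(SAMPLE_EVENTS):
        print(f"[{f['severity']:6}] {f['time']} {f['computer']}: "
              f"{f['actor']} added {f['account']} to {f['group']}")
```

Two production caveats: key on the member's SID (MemberSid) rather than the display name, because a local account on one host and a domain account with the same name are different principals, and extend PRIVILEGED_GROUPS with any custom groups that grant tiered admin rights in your estate.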
Organizations that improve visibility, identity protections, and response coordination will be better positioned to detect and contain complex multi-actor intrusions earlier.