Hello and welcome to the Tuesday, July 29, 2025 edition of the Sands and then at Storm Centers.

Stormcast, my name is Johannes.

Already recording today from Jacksonville, Florida, and this episode is brought you by the Sands.

EDU-cratid certificate program in incident response.

Yesterday, I think I mentioned these parasitic attacks

against the back doors that were left behind by SharePoint exploits, wrote up some of this

a little bit today, and also here a quick graph is what I published there, showing how these particular attacks evolved.

They started pretty much on the 20th.

That's sort of when this entire SharePoint issue sort of hit the news big time, then rose

quickly since then somewhat steady, maybe a little drop here the last couple of days, but many of these attacks are also

coming from researchers that are just trying to figure out how many systems are affected from

these attacks. Now, the other thing I publish as part of this is the different URLs that are

being hit here.

Interestingly, there's one URL that was hit on the 13th,

and also one of the 16th one really was just an exploit.

So on the 13th, the URL Teams logon.jspx was it not sure, it haven't had a chance to look at this on a real

SharePoint server to see if that URL exists. I don't think it does exist. So this would be

possibly an early left behind the sort of backdoor that someone was looking for here before the attack sort of really

blew up. Then on the 16th, we see the tool pane. ASPX. Again, that's from our honeypots.

So that's when we saw the initial attacks in our honeypots. And then, of course, it continues

on the 19th with SP install zero. They're varying also a little bit than the number here,

like SP install 8 was one or SP install X that we see,

...