Expert SLTT Support in Face of the ToolShell Vulnerability
In July 2025, cybersecurity experts discovered a zero-day vulnerability in Microsoft SharePoint, a tool many organizations use to store and share documents. The flaw allowed threat actors to break into systems without needing a password, giving them full control. Once inside, they could install malicious software and move around undetected.
Learn about the details of this vulnerability and how the Multi-State Information Sharing and Analysis Center® (MS-ISAC®) provided expert-level support.
Disruptions Resulting from Zero-Day Attacks
The "ToolShell" vulnerability caused disruptions for government agencies, local communities, and everyday Americans:
- Government Offices: Threat actors compromised the systems of agencies like the U.S. Department of Education and two state legislatures. These events interrupted communications and prevented staff from accessing important files, requiring emergency cybersecurity teams to step in.
- Local Governments and Schools: City governments and school districts that rely on Microsoft SharePoint to manage documents and collaborate internally found themselves locked out of their systems. In some cases, malicious actors stole sensitive data or encrypted files, demanding ransom payments to unlock them.
- Public Services: These systems help run things like permit applications, council records, and school operations. The zero-day attacks against them therefore delayed services that people depend on, such as obtaining building permits, accessing school resources, and communicating with local officials.
- Costs Went Up: Local governments had to spend more money on emergency IT support, cybersecurity consultants, and system recovery. These unexpected costs strained budgets that were already tight.
- Personal Information Put at Risk: In some cases, threat actors accessed data that included names, addresses, and other personal details of residents — raising concerns about identity theft and long-term privacy risks.
How the MS-ISAC Supported Defense Against ToolShell
The MS-ISAC mobilized quickly to support U.S. State, Local, Tribal, and Territorial (SLTT) member organizations:
- Early Advisory: On July 19, the MS-ISAC issued a threat advisory confirming widespread exploitation and provided actionable guidance to member organizations.
- Threat Intelligence Sharing: The MS-ISAC distributed Indicators of Compromise (IOCs), including malicious IPs, file paths, and user-agent strings, enabling U.S. SLTTs to detect and block attacks.
- Technical Support: The MS-ISAC helped members:
  - Validate patching and remediation steps
  - Rotate compromised cryptographic keys
  - Investigate signs of compromise using Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) tools
- Federal Coordination: The MS-ISAC worked with the Cybersecurity and Infrastructure Security Agency (CISA) along with Microsoft to ensure U.S. SLTTs received timely updates and mitigation resources.
Unlock the Power of Communal Cyber Defense
The ToolShell incident discussed above underscores the national security implications of software vulnerabilities and the essential role of the MS-ISAC. Many U.S. SLTTs lacked the internal capacity to respond to this incident, which is why the MS-ISAC provided free, expert-level support for one of the most complex cyber attacks in recent history. Without this support, many public institutions would have faced greater disruption, data loss, and long-term exposure.
As cyber threats grow more sophisticated, the MS-ISAC remains the only coordinated cybersecurity safety net for thousands of public sector organizations.
Ready to unlock the power of this cyber defense community?
As of June 23, 2025, the MS-ISAC has introduced a fee-based membership. Any potential reference to no-cost MS-ISAC services no longer applies.