Intercepting the ToolShell Zero-Day Before the Headlines

Jan 28, 2026
4 minutes

The SharePoint vulnerabilities known as ToolShell gave attackers something devastating: full remote code execution on on-premises servers. No credentials required. Multifactor authentication? Bypassed. Single sign-on? Irrelevant.

The support tickets started flooding in on July 18th: "Am I exposed? Do we have vulnerable SharePoint servers?"

Unit 42's managed threat hunters had already sent the answers a day earlier—before the headlines broke. Before most of the industry understood what was happening.

In the third episode of our video series "Threat Vector Investigates," Caden Knighten, cyber investigator, and Paul Michaud II, manager of Unit 42 Managed Threat Hunting, break down how proactive threat hunting gave customers critical early warnings about ToolShell, demonstrating why hunting ahead of the news cycle makes all the difference.

When Zero Days Move at Lightning Speed

Microsoft published the CVEs on July 8th. Reports suggest attackers may have known about them as early as June. That gave threat actors like Linen Typhoon, Violet Typhoon, and Storm-2603 twelve days to formulate their plans and prepare to strike.

They made quick work of the opportunity. Storm-2603 alone deployed Warlock ransomware across more than 400 SharePoint servers spanning 148 organizations. Schools, healthcare facilities, and government agencies running on-premises SharePoint found themselves in the crosshairs.

The Power of Proactive Hunting and Industry Connections

While most organizations were still making sense of the vulnerability disclosure, Unit 42's managed threat hunters were already investigating. Through deep industry knowledge and cybersecurity connections, they'd heard whispers about the vulnerability well before the first attacks materialized.

That head start mattered.

The team launched an in-depth investigation to understand the threat completely. When they finished their research, they notified customers on July 17th—a full day before AI Security published their initial reports on July 18th. While the rest of the industry was just getting the memo, Unit 42 customers were already securing their systems ahead of the major headlines.

This is what separates reactive security from proactive threat hunting. One approach waits for public disclosures. The other operates on intelligence, research, and early warning signs that most organizations never see.

What Hunting Actually Looks Like

Forget the Hollywood image of hooded figures in dark rooms with six monitors and green text streaming across screens. Real threat hunting is about baselining and understanding what's normal for each specific environment.

Two organizations can run identical technologies, identical server specs, and identical architectures, but different configurations create different baselines. What's normal for Organization A might be suspicious for Organization B.

The challenge? Casting a wide enough net to catch threats without drowning in millions of alerts. Threat hunters start broad, then narrow their focus based on what the data reveals. They look for activity that either clearly stands out as malicious or raises questions worth investigating further.

For ToolShell, the team needed to identify which customers had on-premises SharePoint servers that could be affected. Cloud environments were unaffected, but scoping the exposure quickly required solid asset management and comprehensive telemetry.

Why Stitched Data Sets Change Everything

Speed matters when vulnerabilities hit and active exploitation begins. Organizations need answers fast: "Am I impacted? Do I have exposure?"

Cortex's stitched and normalized data sets let threat hunters move faster. Instead of writing custom queries for different firewall vendors or extracting data from disparate sources, normalized telemetry means one query works across multiple technologies. Whether you're migrating between vendors or running mixed environments, stitched data eliminates the syntax guesswork that slows down traditional SIEM investigations.

When zero-day vulnerabilities drop and the clock is ticking, that speed advantage becomes critical.

The Lessons That Carry Forward

Two fundamentals emerged from the ToolShell response that apply to every zero-day threat:

First, asset management isn't glamorous, but it's essential. Can you quickly identify every potentially impacted server or application in your environment? Speed in scoping exposure can mean the difference between early mitigation and widespread compromise.

Second, you need relevant data from those components. Without telemetry, threat hunters can't answer the questions that matter when vulnerabilities break.
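The two fundamentals above, together with the normalized-telemetry point from the previous section, as an added example that is not part of the original post or of any Cortex product: a constructed asset inventory is scoped down to on-premises SharePoint servers, telemetry from two hypothetical firewall vendors with different field names is mapped onto one common schema so a single hunt query covers both, and exposed hosts that produced no telemetry at all are surfaced as a gap rather than silently reported as clean. All hostnames, addresses, vendor names and field names are constructed.

```python
"""Scope ToolShell-style exposure from an asset inventory and run one hunt over
telemetry normalized from two firewall vendors. All data below is constructed."""
from collections import Counter

# Constructed asset inventory: which hosts are on-premises SharePoint?
ASSETS = [
    {"host": "sp-fin-01", "product": "SharePoint Server", "hosting": "on-prem"},
    {"host": "sp-hr-02", "product": "SharePoint Server", "hosting": "on-prem"},
    {"host": "sp-cloud", "product": "SharePoint Online", "hosting": "cloud"},
    {"host": "web-01", "product": "IIS", "hosting": "on-prem"},
]

# Constructed telemetry: two vendors, same facts, different field names.
VENDOR_A_EVENTS = [
    {"src_ip": "203.0.113.5", "dst_host": "sp-fin-01", "http_method": "POST"},
    {"src_ip": "198.51.100.9", "dst_host": "web-01", "http_method": "GET"},
]
VENDOR_B_EVENTS = [
    {"SourceAddress": "203.0.113.5", "DestinationHostName": "sp-fin-01", "Method": "POST"},
]

# Per-vendor field maps onto one common schema (hypothetical names).
FIELD_MAPS = {
    "vendor_a": {"src_ip": "src", "dst_host": "host", "http_method": "method"},
    "vendor_b": {"SourceAddress": "src", "DestinationHostName": "host", "Method": "method"},
}

def normalize(event, vendor):
    """Rename a vendor's fields into the common schema; unmapped fields are dropped."""
    fmap = FIELD_MAPS[vendor]
    return {fmap[k]: v for k, v in event.items() if k in fmap}

def scope_exposure(assets):
    """Hosts in scope: on-premises SharePoint Server (SharePoint Online is not)."""
    return sorted(a["host"] for a in assets
                  if a["product"] == "SharePoint Server" and a["hosting"] == "on-prem")

def hunt(assets, sources):
    """One query over all vendors: POSTs per exposed host, plus exposed hosts
    that sent no telemetry at all (a gap the hunt cannot answer for)."""
    exposed = set(scope_exposure(assets))
    events = [normalize(e, v) for v, batch in sources.items() for e in batch]
    posts = Counter(e["host"] for e in events
                    if e["host"] in exposed and e["method"] == "POST")
    seen = {e["host"] for e in events}
    return {"exposed": sorted(exposed), "post_counts": dict(posts),
            "no_telemetry": sorted(exposed - seen)}
```

Running `hunt(ASSETS, {"vendor_a": VENDOR_A_EVENTS, "vendor_b": VENDOR_B_EVENTS})` attributes both vendors' POSTs to sp-fin-01 with one filter expression and flags sp-hr-02, which is in scope but invisible, as the host the hunt cannot clear.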

What You'll See in the Video

The investigation from Knighten and Michaud II reveals how proactive threat hunting works in practice:

  • How ToolShell gave attackers full remote code execution without credentials
  • Why the 12-day window between disclosure and public awareness was so dangerous
  • The industry connections that gave Unit 42 early warning signs
  • How threat hunters balance broad searches with precise filtering to avoid alert fatigue
  • The role of asset management in rapidly scoping vulnerability exposure
  • Why stitched and normalized data sets enable faster investigation across mixed environments
  • What separates proactive hunting from reactive security responses

Watch the Complete Investigation

See how Unit 42's proactive threat hunting intercepted ToolShell before the headlines—and why operating ahead of public disclosures matters when zero-days spread at lightning speed.
