
SharePoint Vulnerability Attack Analysis: OnlyScans Reconnaissance Exposed
Peyara Nando
Dev
The investigation began with a routine analysis of nginx access logs from a production server. What initially appeared to be standard web traffic quickly revealed a coordinated multi-vector attack campaign spanning several hours and targeting multiple potential vulnerabilities.
The logs contained 142 entries covering approximately 10 hours of activity, revealing not just random scanning attempts but organized, methodical reconnaissance and exploitation attempts. The attack patterns suggested the use of automated tools combined with manual verification attempts.
The Primary Threat: SharePoint Vulnerability Exploitation
The most concerning discovery was a systematic SharePoint probing sequence originating from IP address 170.64.159.178. Several characteristics set it apart from the background noise of generic scanners:
Attack Vector Details:
1. Target: SharePoint layout files (/_layouts/15/ and /_layouts/16/)
2. User Agent: Mozilla/5.0 (OnlyScans; Win64; x64) AppleWebKit/537.36
3. Tool Identification: "OnlyScans", an automated vulnerability scanner that names itself in the User-Agent string. The User-Agent is chosen by the client, so the label is only as reliable as the operator's willingness to advertise the tool.
4. Duration: 6 consecutive requests within 6 seconds
5. Time Window: 2025-07-22 00:32:12 to 00:32:18 UTC
Technical Analysis of SharePoint Probes
The attacker checked, in a fixed order, for specific files under the SharePoint layouts directories. Every request returned 404 because this server runs nginx, not SharePoint:
GET /_layouts/15/info03.aspx HTTP/1.1" 404
GET /_layouts/15/info3.aspx HTTP/1.1" 404
GET /_layouts/16/info3.aspx HTTP/1.1" 404
GET /_layouts/15/spinstall0.aspx HTTP/1.1" 404
GET /_layouts/16/spinstall0.aspx HTTP/1.1" 404
GET /_layouts/15/spinstall1.aspx HTTP/1.1" 404
What these requests actually test:
1. Whether the host runs SharePoint at all: a real SharePoint site answers for anything under /_layouts/15/ or /_layouts/16/ with a SharePoint-generated response (typically 401, 403 or 200 carrying SharePoint headers), whereas a server that does not run it returns a generic 404, as seen here
2. Whether the named files exist: none of these .aspx names is part of a standard SharePoint installation, so a 200 would mean the file was placed there after install. This is how scanners locate servers that were already compromised and left carrying a page dropped by an earlier intrusion
3. Which major version is installed, since the 15/ directory belongs to SharePoint 2013 and the 16/ directory to SharePoint 2016 and later
The same file names tried under both layout directories, in a fixed order and with no follow-up request, point to a scripted check list rather than hand exploration.
Significance of the SharePoint Attack
This attack is particularly noteworthy because:
1. Purpose-Built Tooling: the "OnlyScans" User-Agent together with the fixed probe list points to a dedicated scanner rather than a general web crawler, although the User-Agent alone proves nothing about who operates it
2. Targeted Methodology: the endpoints probed are specific to SharePoint and to one particular intrusion pattern, not a generic directory brute-force word list
3. Speed and Precision: six targeted requests in six seconds is the signature of scripted execution; nothing in the log shows a human in the loop at this stage
4. Risk Profile: had the server been running SharePoint, the responses would have told the operator whether it was worth an exploitation attempt, and a 200 on any of these files would have flagged a host that already held a dropped page
The Business Impact of SharePoint Targeting
SharePoint environments represent high-value targets for attackers due to their central role in enterprise infrastructure. These platforms typically contain:
1. Critical business documents and intellectual property
2. User credentials and authentication tokens
3. Administrative access to connected systems
4. Integration points with other enterprise applications
A successful SharePoint compromise can provide attackers with a foothold deep within an organization's network, making this type of reconnaissance particularly dangerous.
Defensive Insights
This attack highlights the critical importance of proactive security monitoring. The key lessons learned include:
1. Log Analysis is Essential: Without detailed examination of access logs, this activity would have stayed buried among ordinary 404s and gone completely unnoticed.
2. Pattern Recognition: Identifying the "OnlyScans" user agent and the specific endpoint patterns was crucial for understanding the true nature of the threat. Match on the path pattern as well as the User-Agent, since the operator can change the latter at will.
3. Response Time Matters: A six-second burst is over before any human can react, so the value lies in automated detection that recognizes the pattern and blocks the source, or the whole path class, for the next attempt.
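The two detection rules above (a scanner marker in the User-Agent and a burst of requests for /_layouts/ paths from one address) as a worked example, written for this edit rather than taken from the post. The sample log lines are constructed in nginx combined format from the details the post gives (the source IP, the six paths and the 00:32:12 to 00:32:18 window); the per-request timestamps, the lines from other addresses and the thresholds (3 hits no more than 10 seconds apart) are assumptions:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in nginx "combined" format. The scanner IP, paths and
# the 00:32:12-00:32:18 window follow the post; individual timestamps and the
# lines from other addresses are invented filler for contrast.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jul/2025:00:31:58 +0000] "GET / HTTP/1.1" 200 612 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
170.64.159.178 - - [22/Jul/2025:00:32:12 +0000] "GET /_layouts/15/info03.aspx HTTP/1.1" 404 153 "-" "Mozilla/5.0 (OnlyScans; Win64; x64) AppleWebKit/537.36"
170.64.159.178 - - [22/Jul/2025:00:32:13 +0000] "GET /_layouts/15/info3.aspx HTTP/1.1" 404 153 "-" "Mozilla/5.0 (OnlyScans; Win64; x64) AppleWebKit/537.36"
170.64.159.178 - - [22/Jul/2025:00:32:14 +0000] "GET /_layouts/16/info3.aspx HTTP/1.1" 404 153 "-" "Mozilla/5.0 (OnlyScans; Win64; x64) AppleWebKit/537.36"
170.64.159.178 - - [22/Jul/2025:00:32:15 +0000] "GET /_layouts/15/spinstall0.aspx HTTP/1.1" 404 153 "-" "Mozilla/5.0 (OnlyScans; Win64; x64) AppleWebKit/537.36"
170.64.159.178 - - [22/Jul/2025:00:32:17 +0000] "GET /_layouts/16/spinstall0.aspx HTTP/1.1" 404 153 "-" "Mozilla/5.0 (OnlyScans; Win64; x64) AppleWebKit/537.36"
170.64.159.178 - - [22/Jul/2025:00:32:18 +0000] "GET /_layouts/15/spinstall1.aspx HTTP/1.1" 404 153 "-" "Mozilla/5.0 (OnlyScans; Win64; x64) AppleWebKit/537.36"
203.0.113.7 - - [22/Jul/2025:00:32:20 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
198.51.100.9 - - [22/Jul/2025:03:10:00 +0000] "GET /_layouts/15/start.aspx HTTP/1.1" 404 153 "-" "curl/8.5.0"
"""

# One regex for the combined format: remote address, identity, user, time,
# request line, status, bytes, referer, user agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Hypothetical marker list: substrings that identify scanners by their own
# User-Agent. The field is attacker-controlled, so a match is a hint, not proof.
SCANNER_UA_MARKERS = ("OnlyScans",)

# SharePoint 2013 (15) and 2016-and-later (16) layouts directories.
LAYOUTS_RE = re.compile(r"^/_layouts/1[56]/", re.IGNORECASE)


def parse(lines):
    """Parse combined-format lines into dicts; silently skip malformed ones."""
    records = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def scanner_ua_hits(records):
    """Rule 1: requests whose User-Agent names a known scanner."""
    return [r for r in records
            if any(mk.lower() in r["ua"].lower() for mk in SCANNER_UA_MARKERS)]


def layouts_bursts(records, min_hits=3, max_gap=timedelta(seconds=10)):
    """Rule 2: per source IP, clusters of requests for /_layouts/ paths in which
    consecutive requests are no more than max_gap apart. Clusters of at least
    min_hits are reported, together with any path that answered 200, since on
    a real SharePoint host that would mean the probed file actually exists."""
    by_ip = defaultdict(list)
    for r in records:
        if LAYOUTS_RE.match(r["path"]):
            by_ip[r["ip"]].append(r)

    def summarize(ip, cluster):
        return {
            "ip": ip,
            "start": cluster[0]["ts"],
            "end": cluster[-1]["ts"],
            "count": len(cluster),
            "paths": [r["path"] for r in cluster],
            "present": [r["path"] for r in cluster if r["status"] == 200],
            "scanner_ua": bool(scanner_ua_hits(cluster)),
        }

    bursts = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        cluster = [recs[0]]
        for r in recs[1:]:
            if r["ts"] - cluster[-1]["ts"] <= max_gap:
                cluster.append(r)
            else:
                if len(cluster) >= min_hits:
                    bursts.append(summarize(ip, cluster))
                cluster = [r]
        if len(cluster) >= min_hits:
            bursts.append(summarize(ip, cluster))
    return bursts


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG.splitlines())
    for b in layouts_bursts(recs):
        print(f"{b['ip']}: {b['count']} /_layouts/ probes in "
              f"{(b['end'] - b['start']).total_seconds():.0f}s, "
              f"scanner UA={b['scanner_ua']}, files present={b['present']}")
```

The burst rule fires on the six-request sequence from 170.64.159.178 and ignores the lone /_layouts/ request from 198.51.100.9, and it would still fire if the operator dropped the "OnlyScans" string from the User-Agent. On a server that is not running SharePoint, any non-empty "present" list is the finding to escalate, because nothing legitimate should answer 200 under those paths.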
Stay vigilant, and remember: if something looks out of place, it probably is.
Have you encountered similar scanning activity on your systems? Share your detection techniques at nandu[@]intuitbiztec.com