When Trusted Systems Become the Risk

A real-world breach shows how attackers can exploit endpoint management platforms like Intune to gain control at scale. Here’s what SMEs need to know.

Madhu Veerappan

When Trusted Systems Become the Risk: SharePoint, Intune, and the Expanding Attack Surface

Recent developments across the Microsoft ecosystem highlight a growing pattern in how attackers are operating and where organisations are most exposed.

In a short space of time, we’ve seen:

  • A critical Microsoft SharePoint vulnerability actively exploited in attacks

  • CISA issuing guidance following the Stryker incident involving Microsoft Intune

  • Continued focus on endpoint security platforms designed to detect threats in real time

Individually, these are important. Together, they point to something more significant.

A Shift in Attacker Focus

Traditionally, cyberattacks focused on endpoints, compromising individual devices and moving laterally across networks.

That model is changing.

Attackers are increasingly targeting:

  • Collaboration platforms (SharePoint)

  • Identity systems (Entra ID / Azure AD)

  • Endpoint management platforms (Intune)

These systems form the control layer of modern IT environments.

If compromised, they provide:

  • Broad access to data and systems

  • The ability to execute actions across multiple devices

  • A faster path to operational disruption

In many cases, attackers no longer need complex exploit chains; they can use legitimate tools and access.

The SharePoint Risk

The actively exploited SharePoint vulnerability is a reminder that widely used business platforms are high-value targets.

For many organisations, SharePoint is:

  • A central repository for sensitive data

  • Integrated with identity and access controls

  • Accessible across users, devices, and locations

A critical flaw in this layer can expose:

  • Confidential documents

  • Internal communications

  • Organisational structure and permissions

For SMEs, where access controls are often less mature, the impact can be significant.

The Intune Lesson

The Stryker incident reinforces a different but related risk.

Instead of exploiting software vulnerabilities, attackers reportedly:

  • Gained access to an Intune administrative account

  • Used legitimate management functionality

  • Carried out disruptive actions at scale

This highlights a key issue:

If attackers control your management platform, they control your environment.

The Role of Endpoint Security

Solutions designed to detect and respond to threats in real time remain important.

However, they are not a complete solution.

If an attacker:

  • Authenticates as a legitimate admin

  • Uses approved tools and workflows

traditional detection mechanisms may not trigger.

This creates a gap between:

  • Threat detection

  • Control plane security

Where Organisations Are Exposed

Across SME environments, common patterns include:

  • Over-reliance on default configurations

  • Excessive administrative privileges

  • Inconsistent MFA enforcement

  • Limited visibility into admin activity

  • Treating platforms like SharePoint and Intune as operational tools, not security boundaries

These gaps are not unusual, but they are increasingly being targeted.

Practical Considerations

Organisations should prioritise:

1. Securing Identity and Access
  • Enforce MFA across all users, especially administrators

  • Limit privileged roles using least privilege principles

  • Regularly review access and permissions

2. Hardening Core Platforms
  • Apply security updates promptly (including SharePoint)

  • Review sharing settings and external access controls

  • Ensure security baselines are configured

3. Monitoring Administrative Activity
  • Enable logging across identity and management platforms

  • Review unusual sign-ins and configuration changes

  • Implement alerting for high-risk actions

4. Treating the Control Layer as Critical
  • Recognise that platforms like Intune, Entra ID, and SharePoint are central to security

  • Protect them accordingly
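
The alerting step under Monitoring Administrative Activity, sketched as an added example (not code from the original article or from Microsoft): it flags an admin account that runs destructive device actions against many distinct devices in a short window, since each action on its own looks legitimate. The record fields (time, actor, action, device), the action names and the thresholds are assumptions to map onto your own audit log export; the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical action names: map these to the operation names in your own audit export.
HIGH_RISK_ACTIONS = {"wipe", "retire", "delete"}


def find_bulk_admin_actions(events, threshold=5, window=timedelta(minutes=10)):
    """Alert once per actor who hits `threshold` distinct devices with
    high-risk actions inside a sliding time window."""
    recent = defaultdict(deque)  # actor -> (time, device) pairs still inside the window
    alerted, alerts = set(), []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] not in HIGH_RISK_ACTIONS:
            continue
        queue = recent[ev["actor"]]
        queue.append((ev["time"], ev["device"]))
        while ev["time"] - queue[0][0] > window:  # drop entries older than the window
            queue.popleft()
        devices = {device for _, device in queue}
        # Repeats against one device do not count; spread across devices does.
        if len(devices) >= threshold and ev["actor"] not in alerted:
            alerted.add(ev["actor"])
            alerts.append({"actor": ev["actor"], "devices": len(devices),
                           "window_start": queue[0][0], "triggered_at": ev["time"]})
    return alerts


def sample_events():
    """Constructed audit records (not real log data) covering three cases."""
    t0 = datetime(2025, 1, 6, 9, 0)
    def rec(offset, actor, action, device):
        return {"time": t0 + offset, "actor": actor, "action": action, "device": device}
    events = [  # routine helpdesk work: one wipe of a lost laptop, one sync
        rec(timedelta(0), "helpdesk@example.com", "wipe", "LT-001"),
        rec(timedelta(minutes=3), "helpdesk@example.com", "sync", "LT-002"),
    ]
    # burst: one admin account wipes 8 different devices in under 4 minutes
    events += [rec(timedelta(hours=2, seconds=30 * i), "admin@example.com", "wipe", f"LT-{100 + i}")
               for i in range(8)]
    # slow, planned retirements: one device per hour stays under the threshold
    events += [rec(timedelta(hours=i), "ops@example.com", "retire", f"PH-{i}") for i in range(6)]
    return events


if __name__ == "__main__":
    for alert in find_bulk_admin_actions(sample_events()):
        print(alert)
```

Tune the threshold and window to the largest batch your own admins legitimately run, and route the alert to someone other than the account that triggered it.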

A Broader Shift

These developments are not isolated incidents.

They reflect a broader change:

Security is no longer just about protecting devices; it’s about protecting the systems that control them and the platforms where data lives.

Final Thoughts

For SMEs, this presents both a challenge and an opportunity.

The challenge is clear: modern environments introduce new risks that are often underestimated.

The opportunity lies in addressing them early, before they become incidents.

If your organisation relies on Microsoft 365, it’s worth reviewing whether your current setup reflects how attackers are actually operating today.