Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

CVE-2025-53770 and CVE-2025-53771 are critical remote code execution vulnerabilities (CVSS base score 9.8) impacting Microsoft SharePoint, a widely deployed enterprise collaboration and content management platform. In this blog, we will simulate the exploitation of this SharePoint RCE vulnerability and analyze the resulting telemetry inside Graylog.

Driving along on a dark highway late at night, you feel a jolt and hear a metallic crushing sound as your car hits an unknown object in the road. You nervously continue on your journey, until you see a bright light flashing on your dashboard. Your oil pressure is low because your car has been leaking oil since you hit that unknown object on the highway. Much like an unknown object in the road that leads to a slow leak, a network vulnerability can lead to a devastating data leakage or breach.

If your security priorities still center on CVSS scores and device vulnerabilities, you’re missing a significant piece of the risk puzzle. People. Attackers aren’t following your org chart. They’re targeting whoever gives them access. Enter the concept of Very Attacked People (VAPs): individuals in your environment who attract the most persistent, targeted attacks. And they’re not always the CEO or the CISO.

In many sports, but especially soccer, a team has a set of offensive players and defensive players. The offensive players look for ways to compromise the opposing team’s defenses, seeking to get the ball in the goal. Meanwhile, the defenders work hard to push back against the opponent’s offensive line to clear the ball from the goal line. On a security team, your defenders are the blue team.

Data lakes have evolved. Once treated as passive storage archives, they’re now becoming active components of enterprise risk management. The driver? Selective retrieval — the ability to park large data volumes in cold storage and later retrieve targeted slices for forensic or compliance needs. This shift matters. According to 2025 data from Cybersecurity Insights Group, 73% of enterprises report that SIEM ingestion costs are limiting their real-time analysis capacity.

Email threats aren’t slowing down. From credential phishing to malware-laced attachments, email remains one of the most exploited entry points for attackers. If you’re already using Mimecast to help mitigate that risk, you’re ahead of the curve — but raw log data only gets you so far. Starting with Graylog 6.2.3, you can pull logs directly from Mimecast using API v2.0 and view them immediately with built-in Illuminate Dashboards.

Over the last few years, news reports around ransomware attacks have noted that the attacks are increasingly sophisticated. Simultaneously, they say that the attackers are less sophisticated than in the past. While these two statements appear to conflict with each other, they are both true when viewed through the lens of the current cybercriminals business models.

On a sunny summer vacation day, your childhood self is running around a playground looking everywhere for a small piece of paper as part of a treasure hunt. Each clue you find leads to another, then another, until you finally locate the hidden treasure. Investigating a security incident is similar to this process, but instead of clues written on paper, your clues are digital artifacts that attackers left in your systems. These digital artifacts are called indicators of compromise (IoCs).

Security fatigue gets attention for a reason. Phishing emails, authentication prompts, and constant vigilance all take a toll. But alert fatigue is the deeper, more destructive force. It overwhelms analysts, delays response, and creates blind spots that adversaries exploit. Security teams today are buried under noisy alerts and fragmented tooling. False positives waste time. Manual triage eats up valuable analyst hours. Eventually, burnout sets in and threats slip by. It is not a hypothetical risk.

“CISOs and SOC analysts are fighting the same war, but too often, one’s answering to the board while the other’s drowning in alerts.” Security teams rarely fail because of a lack of skill or commitment. They fail when the coordination layer between the boardroom and the SOC starts to unravel.