The vulnerability that won't stay fixed

If you work in a SOC, you've felt this before. A critical vulnerability drops, your team scrambles to patch, leadership signs off, and everyone exhales. Then two weeks later, a bypass surfaces and you're right back where you started, except now the adversary has learned from the first round.

ToolShell has been that vulnerability chain.

What began as a pair of SharePoint vulnerabilities disclosed at Pwn2Own Berlin in May 2025 became one of the more persistent exploit chains I tracked during my time working with Cortex deployments. The original CVEs, CVE-2025-49704 (deserialization, CVSS 8.8) and CVE-2025-49706 (authentication bypass, CVSS 6.5), were patched by Microsoft on July 8th, 2025. 

Within nine days, attackers were exploiting them in the wild. Within two weeks, researchers found the patches could be bypassed, and Microsoft issued new CVEs: CVE-2025-53770 (CVSS 9.8) and CVE-2025-53771 (CVSS 6.5). In January 2026, Microsoft patched yet another deserialization flaw, CVE-2026-20963, and by March 2026, CISA confirmed active exploitation. The adversary isn't just finding new vulnerabilities. They're reading the patches, identifying gaps, and keeping their existing exploit infrastructure running.

This is the kind of threat that breaks the standard vulnerability management cycle. But the organizations I've worked with that got ahead of each wave had one thing the others didn't: Dataminr was alerting on ToolShell activity before the first CVE was even published. That early warning, fed directly into Cortex, is what turned a multi-month fire drill into a managed response.

How ToolShell actually works

The attack chains two SharePoint flaws: an authentication bypass (CVE-2025-49706) that allows the attacker to access internal APIs without credentials, and a deserialization vulnerability (CVE-2025-49704) that turns that access into arbitrary code execution. No credentials, no user interaction required.

What makes the chain dangerous isn't the initial entry. It's what happens after. The attacker spawns PowerShell through the IIS worker process (w3wp.exe), drops a web shell, and extracts the ASP.NET MachineKey from the server's configuration. That MachineKey is how SharePoint signs authentication tokens. Once stolen, the attacker can forge legitimate sessions and maintain access even after password resets or new conditional access policies. Patching alone didn't close that door.

The July 8th patches left the underlying endpoint reachable through alternate code paths, which is why bypass variants emerged within two weeks. Affected versions include SharePoint Server Subscription Edition, SharePoint Server 2019, and SharePoint Enterprise Server 2016. Unit 42 and Microsoft attributed early exploitation to Chinese nation-state actors Linen Typhoon and Violet Typhoon, while a third actor, Storm-2603, used the same chain for ransomware. The same exploit served both intelligence collection and financial extortion.

Cortex XDR agent: Behavioral detection

This is where the Cortex XDR agent earns its keep. Running on the SharePoint server, the behavioral engine flags activity that signatures miss:

  • w3wp.exe spawning PowerShell regardless of the command payload.
  • .aspx files written to web directories by processes that have no business creating web content.
  • Unexpected reads against web.config where the MachineKey lives.

These aren't signature matches. They're behavioral patterns, and that distinction matters for ToolShell specifically because every bypass variant changed the entry vector but kept the post-exploitation behavior identical. Same w3wp.exe to PowerShell chain. Same web shell deployment. Same MachineKey exfiltration. Signature-based detection broke with each new CVE. The behavioral engine didn't.
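As an added illustration of the behavioral logic above (example code written for this post, not Cortex XDR's detection engine), the following scores a constructed stream of endpoint events for the three behaviors listed; the event schema, the allowlisted process names and the file paths are assumptions.

```python
from dataclasses import dataclass

IIS_WORKER = "w3wp.exe"
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Assumed baselines: tooling expected to write .aspx files or read web.config.
ASPX_WRITERS_OK = {"psconfig.exe", "msiexec.exe", "stsadm.exe"}
CONFIG_READERS_OK = {"w3wp.exe", "owstimer.exe", "inetinfo.exe"}
WEB_ROOTS = ("c:\\inetpub\\wwwroot\\",
             "c:\\program files\\common files\\microsoft shared\\web server extensions\\")
CHAIN = ("iis_spawns_shell", "webshell_write", "machinekey_config_read")

@dataclass
class Event:
    kind: str    # "process" | "file_write" | "file_read" (assumed schema)
    parent: str  # parent image name (process events only)
    image: str   # image name of the acting process
    target: str  # child image name, or the file path touched

def classify(ev):
    """Map one event to a ToolShell post-exploitation behavior, or None."""
    image, target = ev.image.lower(), ev.target.lower()
    if ev.kind == "process" and ev.parent.lower() == IIS_WORKER and target in SHELLS:
        return CHAIN[0]
    if (ev.kind == "file_write" and target.endswith(".aspx")
            and target.startswith(WEB_ROOTS) and image not in ASPX_WRITERS_OK):
        return CHAIN[1]
    if (ev.kind == "file_read" and target.endswith("\\web.config")
            and image not in CONFIG_READERS_OK):
        return CHAIN[2]
    return None

def triage(events):
    """Return [(behavior, event)] for every event that matches a behavior."""
    return [(b, e) for e in events if (b := classify(e))]

def chain_complete(events):
    """True when all three behaviors appear, in the order the post describes."""
    seen = [b for b, _ in triage(events)]
    pos = [seen.index(b) for b in CHAIN if b in seen]
    return len(pos) == len(CHAIN) and pos == sorted(pos)

# Constructed sample telemetry; names and paths are illustrative only.
CFG = "C:\\inetpub\\wwwroot\\wss\\VirtualDirectories\\80\\web.config"
SAMPLE = [
    Event("process", "services.exe", "services.exe", "w3wp.exe"),      # benign
    Event("file_read", "", "w3wp.exe", CFG),                            # benign
    Event("process", "w3wp.exe", "w3wp.exe", "powershell.exe"),
    Event("file_write", "", "powershell.exe", "C:\\Program Files\\Common Files\\"
          "microsoft shared\\Web Server Extensions\\16\\TEMPLATE\\LAYOUTS\\dropped.aspx"),
    Event("file_read", "", "powershell.exe", CFG),
    Event("file_write", "", "psconfig.exe", "C:\\inetpub\\wwwroot\\default.aspx"),  # benign
]

if __name__ == "__main__":
    for behavior, ev in triage(SAMPLE):
        print(f"{behavior:24} {ev.image} -> {ev.target}")
    print("full chain:", chain_complete(SAMPLE))
```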

The impact across the organization

During the July 2025 ToolShell response, a healthcare customer learned how quickly incident response plans can unravel when their EDR is completely blind to an active exploit. The C-suite bypassed standard CAB procedures for emergency patching and MachineKey rotation, and both the security and infrastructure teams agreed to accept the necessary SharePoint outage. That interdepartmental harmony was short-lived. I was out to dinner when my phone buzzed with news of a new ToolShell variant dropping. I had to immediately message the account team that our hard-won consensus was already obsolete. We were left at a crossroads: force the teams back to the table for another patching cycle, or pivot entirely and use the crisis to replace their failing EDR with Cortex XDR.

CISO

The question isn't technical. It's: are we on the list, and what do we need to report? Over 4,600 compromise attempts hit more than 300 organizations in the first week. Nation-state and ransomware operators on the same chain means regulatory and operational exposure land simultaneously. The CISO needs two answers: are we exposed, and can we document the response? Without connected intelligence and response, assembling either answer takes days. With Dataminr feeding Cortex, both answers are in the incident before the CISO needs to ask.

SOC analyst

The immediate problem is whether known indicators are already in the environment. Cortex XDR changes how long that takes. The agent running on the SharePoint server collects process trees, file writes, and network connections continuously, so when the incident arrives, the endpoint evidence is already correlated and attached. When the bypass variants drop two weeks later, the same correlation runs again against the updated indicators.

Vulnerability management team

ToolShell broke the scan-patch-verify cycle three times in eight months. The July 19th patch required MachineKey rotation and IIS restarts across every server in the farm. If MachineKeys were exfiltrated before the fix landed, patching alone doesn't close the compromise. Without a live connection back from threat intelligence into the vulnerability workflow, each new CVE looked like a fresh problem. Dataminr's early visibility changes that by keeping the incident thread alive across each wave, so the team sees ToolShell as one evolving problem rather than three separate fires.

IT administrator

The ask is significant: manual patching, IIS service interruptions, and MachineKey rotation without clear guidance on which servers to prioritize. They need a ranked list based on actual exposure, not a blanket directive. When Dataminr's intelligence feeds into Cortex's Exposure Management, that ranked list already exists.

Why visibility before the CVE changes everything

Here's what made the difference for the teams that got ahead of ToolShell: Dataminr was tracking this threat before anyone had a CVE number.

Think about what the timeline looked like from the SOC's perspective. The vulnerabilities were demonstrated at Pwn2Own Berlin in May 2025. Microsoft didn't publish CVEs until July 8th. That's nearly two months where every traditional threat intelligence source was silent. No CVE to query. No advisory to read. No IOCs to ingest. If your SOC relies on published vulnerability data to start working, you didn't know ToolShell existed until the day the patches dropped, and by then, you were already nine days from active exploitation.

Dataminr's customers were in a different position entirely. 

During that pre-CVE window, researchers were reproducing the exploit, technical discussions were surfacing in public forums, and early exploitation chatter was building across dark web channels. These signals were scattered across different languages, platforms, and communities. No single feed captured them. Dataminr was correlating across all of them simultaneously, and that correlation is what generated the early warning.

Dataminr processes over 43 terabytes daily from more than 1.1 million sources spanning the open and dark web, code repositories, sensor networks, government disclosures, and ransomware group sites across 150+ languages. In documented cases, Dataminr has surfaced vulnerability signals up to 38 days before CISA published a disclosure. For ToolShell, that meant customers received alerts weeks before the first CVE was published, weeks before the first patch, and weeks before anyone was exploited.

That window is the difference between preparing for a threat and reacting to one. I've seen enough Cortex deployments to know that most organizations don't struggle with response. They struggle with knowing when to start. Dataminr solves the "when" problem, and that changes the entire conversation about how to prioritize.

How Dataminr for cyber defense works inside the SOC

Client-Tailored Threat Intelligence scopes alerts to your infrastructure before they reach the analyst. A healthcare organization running SharePoint Server 2019 on-premises receives a different alert than a financial services firm running SharePoint Online. The relevance filtering happens upstream, which is what makes the Cortex integration produce useful incidents rather than noise. Through Agentic TI Ops, the alert that arrives in Cortex already has threat actors identified, TTPs mapped, and the relevant IOCs attached. When the bypass variants emerged, the existing incident was updated in place rather than generating a second disconnected alert.

Live Briefs matter here because the event description regenerates continuously as new information surfaces. An analyst reviewing the incident 24 hours in sees the current picture, not the one from when the alert first fired. Cyber Anomaly Alerts detect surges in threat activity by comparing patterns across multiple sources simultaneously. The exploitation spike in the third week of July 2025 was the kind of cross-source anomaly that shows up before any single advisory captures it.

Predictive Threat Exposure Management translates exposure into financial risk terms for leadership. A CVSS score doesn't move a board the way a dollar figure does. For a threat like ToolShell, where the exposure window is measurable in days, that translation matters.

The operational result

When a Dataminr alert fires, the analyst doesn't need to research threat actors, check exploitation status, or manually pull IOCs. That work is done before the incident lands in Cortex. Once a CVE is published and Exposure Management generates a CVRS, the existing incident is automatically enriched with the exposure score. Both the external intelligence and the internal risk picture live in the same incident, and that's the key: visibility and prioritization on the same screen.

The results bear that out:

  • More than half of Dataminr users cut their mean time to respond by more than half.
  • Average response time dropped from hours to under 40 minutes.
  • Clients report that their existing security tools have become more effective after adding Dataminr.

WWT and Dataminr have a formal strategic partnership for delivering integrated cyber-physical intelligence. When you engage WWT on a Cortex deployment, Dataminr is part of the conversation from the start. The marketplace integration and subscription can be scoped and delivered together.

What the workflow looks like in practice

May 2025: Dataminr alerts before the CVE exists

When Dataminr picks up Pwn2Own-related discussion in May 2025, an incident is created in Cortex with a Live Brief summary and preliminary risk assessment scoped to the SharePoint infrastructure. No CVE exists yet. No advisory has been published. No other threat intel vendor is generating signal. But the analyst already has an external alert and sufficient context to begin reviewing the on-premises SharePoint inventory, identify which servers are internet-facing, and confirm patch readiness. That work happens weeks before the rest of the industry knows to look, and it's what changes everything that follows.

While other organizations wait for a CVE to appear in their scanners, Dataminr customers are already building their prioritized asset list.

July 8th: CVE publication

When Microsoft publishes CVE-2025-49704 and CVE-2025-49706 on July 8th, Agentic TI Ops updates the existing incident with CVE mapping, refined TTPs, and exploitation status. Exposure Management runs the CVRS calculation and the playbook queries the asset inventory against Xpanse external scan data and compensating controls. From there, the ranked list populates exposed, unpatched servers at the top, and servers behind Strata NGFW policies further down. The prioritization work that normally starts here was already done weeks ago.

July 17th: Active exploitation

Active exploitation starts July 17th. A Cyber Anomaly Alert fires on the cross-source surge, updating the Live Brief before any single advisory captures the scope. Cortex TIM adds the known attacker IPs and file hashes. XDR behavioral telemetry feeds in simultaneously. Matches escalate the incident and the playbook branches to containment: server isolation, MachineKey rotation and forensic review.

July 19th and beyond: Bypass variants

Eleven days after the July 8th patches, the bypass variants arrive. Client-Tailored Threat Intelligence detects the new activity against the same asset profile and updates the existing incident. The same playbook runs against the current inventory. When CVE-2026-20963 surfaces in January 2026, the cycle runs again. Organizations with this workflow had a prioritized response list before CISA added it to the KEV catalog in March 2026.

The analyst never leaves the console. 

No separate threat intel portal, no manual asset report, no spreadsheet to reconcile. On a threat that runs in multiple waves over eight months, that single-console consistency is what keeps the SOC ahead of each iteration.

Where to start

Start with a simple question: Does an external intelligence alert automatically create an incident in Cortex today, or does someone have to see it and create the ticket manually? If it's the latter, that's the visibility gap. Dataminr onboarding into Cortex is straightforward through the integration marketplace; onboarding and configuring it takes only part of a morning.

Build at least one playbook around the ToolShell lifecycle, not just the initial alert, so a bypass variant doesn't force a full restart. Then run a tabletop using the ToolShell timeline. Can your team go from a Dataminr alert to a prioritized asset list to a containment decision in under an hour?

WWT's Advanced Technology Center has lab environments for walking through these scenarios before production. As a Dataminr strategic partner, WWT delivers both sides of this workflow together.

The adversary isn't waiting for your next patch window.
