Defender still detecting 'SuspSignoutReq' even after patching SharePoint CVE-2025-53770

MikeFox-9914 55 Reputation points
2025-07-28T15:46:05.5233333+00:00

After applying the SharePoint 2019 patch for CVE-2025-53770 and following the remediation advice from MS, I continue to see detections for 'SuspSignoutReq' and "Possible exploitation of SharePoint server vulnerabilities". Should I be expecting these? I'm sure the ToolShell attacks are ongoing, but I would have thought I'd no longer see these Defender detections.

Anybody else experiencing this?

Microsoft Security | Microsoft Defender | Other

Accepted answer
  1. GlennGagn-2395 77 Reputation points
    2025-08-22T14:07:31.06+00:00

    In our case, we had properly installed the OOB patch for SharePoint 2019 from July 19th, 2025 (KB5002754), Antimalware Scan Interface (AMSI) is turned on, an appropriate antivirus solution is in place (Windows Defender + EDR Block Mode with MDE), and the ASP.NET machine keys were rotated after all changes. But we are still receiving alerts about "SuspSignoutReq".

    After diagnostics, we can observe that AMSI was preventing the execution properly. Something really did happen with our IIS w3wp.exe service. The flagged action is a "POST request to /_layouts/15/ToolPane.aspx?DisplayMode=Edit" with a header field referring to /_layouts/SignOut.aspx.

    The reason is: not just antivirus solutions have been improving their detection of this vulnerability, other security tools have too! We use a VDR scanner, and it tries to exploit the breach. No real malicious attacker.

    ... But something tells me the vulnerability is not totally erased by this patch, just mitigated. Microsoft seems to have just added a signature to identify a malicious action and prevent the action! This will not stop the alerts when someone knocks at the door... it may even generate more alerts (even if the action was prevented).


1 additional answer

  1. Catherine Kyalo 2,195 Reputation points Microsoft Employee
    2025-08-07T05:43:19.1233333+00:00

    Hi MikeFox-9914,

    To fully address the vulnerability, customers should install the out-of-band update released July 20 (SharePoint 2019 and SharePoint Subscription Edition) and/or July 21 (SharePoint 2016). In cases where the out-of-band July 20 and/or July 21 update can't be installed, below are some steps to mitigate potential attacks:

    1. Use supported versions of on-premises SharePoint Server  
    2. Apply the latest security updates, including the July 2025 Security Update  
    3. Ensure the Antimalware Scan Interface (AMSI) is turned on and configured correctly, with an appropriate antivirus solution such as Defender Antivirus
    4. Deploy Microsoft Defender for Endpoint protection, or equivalent threat solutions
    5. Rotate SharePoint Server ASP.NET machine keys 

    Please see the MSRC blog for more details on the mitigations.

    Defender definitions at or above version 1.431.525.0 have detections in place to block post-exploitation activity. 

    Hunting guidance has also been made available; please see the MSRC blog or the MSTIC blog for more details.

    If you find the answer above helpful, please Accept the answer to help anyone in the community who might have a similar question to quickly find the solution.


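The request shape Glenn describes in the accepted answer (a POST to /_layouts/15/ToolPane.aspx with DisplayMode=Edit and a Referer of /_layouts/SignOut.aspx) is straightforward to hunt for in the IIS W3C logs on the SharePoint front ends, which is worth doing alongside the MSRC/MSTIC hunting guidance Catherine points to. The following is an added example, not code from either answer and not Microsoft's detection logic: it parses the default IIS W3C field layout (with Referer and User-Agent logging enabled), flags matching requests, and separates hits coming from an assumed authorized scanner range (the VDR appliance Glenn mentions, here taken to be 10.99.0.0/24) from hits of unknown origin. The log lines, IP addresses and hostnames are constructed for the example.

```python
"""Hunt IIS W3C logs for the request shape Defender tags as SuspSignoutReq.

Added example: not Microsoft's detection logic, only a log-side check for the
POST-to-ToolPane.aspx-with-SignOut.aspx-Referer pattern described in the thread.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Assumption: address range of the organisation's own vulnerability scanner (the
# "VDR scan" in the accepted answer). Replace with your own appliance range.
AUTHORIZED_SCANNERS = ("10.99.0.0/24",)

# Constructed sample, not a real capture. Default IIS W3C field layout with the
# Referer and User-Agent fields enabled; "-" marks an empty field.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-28 14:02:11 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0 https://sp.example.internal/_layouts/SignOut.aspx 200
2025-07-28 14:02:12 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.20.30.40 Mozilla/5.0 https://sp.example.internal/sites/team 200
2025-07-28 14:05:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 10.99.0.9 VDR-scanner/1.0 https://sp.example.internal/_layouts/SignOut.aspx 500
2025-07-28 14:06:01 10.0.0.5 POST /_layouts/16/ToolPane.aspx displaymode=edit 443 - 203.0.113.7 python-requests/2.32 /_layouts/15/SignOut.aspx 401
2025-07-28 14:07:30 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.20.30.41 Mozilla/5.0 https://sp.example.internal/sites/team/SitePages/Home.aspx 200
"""


@dataclass
class Hit:
    time: str
    client_ip: str
    user_agent: str
    status: str
    source: str  # "authorized-scanner" or "unknown-source"


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]      # header can repeat when IIS rolls the log
            continue
        if not raw or raw.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields header")
        values = raw.split(" ")
        if len(values) != len(fields):
            continue                      # truncated line; skip rather than misalign
        yield dict(zip(fields, values))


def is_toolshell_shape(rec):
    """POST to /_layouts/<n>/ToolPane.aspx with DisplayMode=Edit and a SignOut.aspx Referer."""
    if rec.get("cs-method", "").upper() != "POST":
        return False
    stem = rec.get("cs-uri-stem", "").lower()
    if not (stem.startswith("/_layouts/") and stem.endswith("/toolpane.aspx")):
        return False
    # Case-insensitive on key and value: IIS logs the query string as the client sent it.
    query = parse_qs(rec.get("cs-uri-query", "-"), keep_blank_values=True)
    modes = [v.lower() for k, vs in query.items() if k.lower() == "displaymode" for v in vs]
    if "edit" not in modes:
        return False
    referer = rec.get("cs(Referer)", "-")
    if referer == "-":
        return False
    # Absolute or relative Referer; only the path matters.
    return urlsplit(referer).path.lower().endswith("/signout.aspx")


def hunt(log_text, authorized_scanners=AUTHORIZED_SCANNERS):
    """Return every matching request, labelled by whether the client is a known scanner."""
    nets = [ipaddress.ip_network(n) for n in authorized_scanners]
    hits = []
    for rec in parse_w3c(log_text):
        if not is_toolshell_shape(rec):
            continue
        ip = ipaddress.ip_address(rec["c-ip"])
        source = "authorized-scanner" if any(ip in n for n in nets) else "unknown-source"
        hits.append(Hit(rec["time"], rec["c-ip"], rec["cs(User-Agent)"], rec["sc-status"], source))
    return hits


def summarize(hits):
    """Count hits per (client IP, source label) so scanner noise is kept apart from the rest."""
    return Counter((h.client_ip, h.source) for h in hits)


if __name__ == "__main__":
    found = hunt(SAMPLE_LOG)
    for h in found:
        print(f"{h.time} {h.client_ip:<14} {h.status} {h.source:<18} {h.user_agent}")
    for (ip, source), n in summarize(found).items():
        print(f"{n} hit(s) from {ip} ({source})")
```

To use it on a real server, pass the contents of the u_ex*.log files from the SharePoint web application's IIS site to hunt(). A hit only shows that a request of this shape arrived; the HTTP status code alone does not tell you whether AMSI stopped the payload, so correlate hit timestamps with the Defender alerts. Hits from inside the scanner range explain the kind of noise Glenn describes; hits from anywhere else deserve the same follow-up as any other attempted exploitation of an internet-facing server.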