How to protect your SharePoint server from compromise
techrepublic.com
- Deploy the appropriate out-of-band security updates from Microsoft for SharePoint Server Subscription Edition and SharePoint Server 2019. One is not available for SharePoint Server 2016 at the time of publication.
- Monitor for indicators of compromise, such as POSTs to /_layouts/15/ToolPane.aspx?DisplayMode=Edit and the malicious IP addresses 107.191.58[.]76, 104.238.159[.]149, 96.9.125[.]147.
- Adjust the intrusion prevention system and web application firewall to block serialised payload patterns and forged __VIEWSTATE requests.
- Minimise layout and administrative privileges within the SharePoint environment.
- Configure Antimalware Scan Interface (AMSI) in SharePoint and deploy Microsoft Defender Antivirus on all SharePoint services.
- If AMSI is not possible, disconnect public-facing services from the internet until appropriate mitigation measures are implemented.
- If no appropriate mitigations are provided, either discontinue the use of the products or follow the applicable BOD 22-01 guidance for cloud services.
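The monitoring step in the list above can be run against IIS logs. The following is an added example, not code from the article or from Microsoft: it assumes W3C-format IIS logs with a `#Fields:` header, and the function name `scan_iis_log` and the sample log lines are constructed for illustration.

```python
from urllib.parse import parse_qsl

# Indicators exactly as listed in the article; IPs are refanged for comparison.
IOC_IPS = {ip.replace("[.]", ".") for ip in
           ("107.191.58[.]76", "104.238.159[.]149", "96.9.125[.]147")}
IOC_PATH = "/_layouts/15/toolpane.aspx"  # IIS paths are case-insensitive

def scan_iis_log(lines):
    """Return (line_no, reasons, client_ip) for each W3C entry matching an indicator."""
    fields, hits = [], []
    for no, line in enumerate(lines, 1):
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed entry
        rec = dict(zip(fields, values))
        query = rec.get("cs-uri-query", "-")  # logged without the leading "?"
        params = {k.lower(): v.lower() for k, v in parse_qsl(query)}
        reasons = []
        if (rec.get("cs-method", "").upper() == "POST"
                and rec.get("cs-uri-stem", "").lower() == IOC_PATH
                and params.get("displaymode") == "edit"):
            reasons.append("toolpane-post")
        if rec.get("c-ip") in IOC_IPS:
            reasons.append("ioc-ip")
        if reasons:
            hits.append((no, reasons, rec.get("c-ip", "?")))
    return hits

# Constructed sample log; non-IoC addresses are from documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2025-07-20 10:01:02 GET /_layouts/15/start.aspx - 198.51.100.7 200
2025-07-20 10:01:09 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 203.0.113.5 200
2025-07-20 10:02:30 GET /SitePages/Home.aspx - 96.9.125.147 200
2025-07-20 10:03:00 POST /_layouts/15/toolpane.aspx displaymode=edit 107.191.58.76 302
2025-07-20 10:04:00 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 198.51.100.7 200
""".splitlines()

if __name__ == "__main__":
    for no, reasons, ip in scan_iis_log(SAMPLE_LOG):
        print(f"line {no}: {ip} {'+'.join(reasons)}")
```

If the server sits behind a reverse proxy or load balancer, `c-ip` holds the proxy address, so the IP check needs the forwarded client address logged as an extra field.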
What to do if you ...