{"id":60336,"date":"2026-03-18T00:00:00","date_gmt":"2026-03-18T00:00:00","guid":{"rendered":"urn:uuid:e42d74b4-632a-aaa4-c844-c7e41f9ede22"},"modified":"2026-03-18T00:00:00","modified_gmt":"2026-03-18T00:00:00","slug":"from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\/","title":{"rendered":"From Misconfigured Spring Boot Actuator to SharePoint Exfiltration: How Stolen Credentials Bypass MFA"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/sharepoint-976:Large?qlt=80\"><\/p>\n<div><img decoding=\"async\" src=\"https:\/\/www.trendmicro.com\/content\/dam\/trendmicro\/global\/en\/research\/thumbnails\/26\/sharepoint-976.png\" class=\"ff-og-image-inserted\"><\/div>\n<p>Security teams should expedite the prevention of similar incidents. The following are some recommendations:<\/p>\n<p>1. Disable public access to Actuator endpoints using:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">IP allowlists<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Reverse proxy protections<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Requirement of a valid authenticated user<\/span><\/li>\n<\/ul>\n<p>Moreover, in production environments, endpoints like <i>\/env<\/i> and <i>\/configprops<\/i> should never be publicly accessible.<\/p>\n<p>2. Remove plaintext credentials and audit the environment for credentials stored in:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Spreadsheets<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Shared drives<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Documentations<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Configuration files<\/span><\/li>\n<\/ul>\n<p>Thereafter, teams should immediately rotate any exposed credentials.<\/p>\n<p>3. Disable ROPC authentication.<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">If ROPC is not required, it should be disabled.<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Organizations should prioritize modern authentication flows that enforce stronger security controls.<\/span><\/li>\n<\/ul>\n<p>The investigation identified a SharePoint data exfiltration incident resulting from the misuse of valid credentials, with no evidence of malware deployment or software exploitation. The threat actor successfully authenticated to Entra ID using ROPC, obtained an access token, and leveraged it to interact with SharePoint Online, enabling unauthorized access to data.<\/p>\n<p>Overall, the incident was enabled by three specific security weaknesses: the public exposure of Spring Boot Actuator endpoints that revealed internal application configurations, the storage of sensitive secrets for an internal application in a spreadsheet, and the use of ROPC.<\/p>\n<p>Our investigation underscores the fact that modern cloud breaches often occur through legitimate access rather than technical exploits, emphasizing the need to focus defensive strategies on limiting what attackers can do once authenticated.<\/p>\n<h2><span class=\"body-subhead-title\">TrendAI Vision One\u2122 Cyber Risk Exposure Management (CREM) as a strategic preventive solution<\/span><\/h2>\n<p>This incident highlighted an increasingly common security challenge: the gap in exposure management across identity, application configuration, and cloud authentication flows. The attack leveraged misconfigurations and legacy authentication mechanisms that were permitted within the environment, instead of relying on malware or software vulnerability.<\/p>\n<p>A preventive line of defense, such as <a href=\"https:\/\/www.trendmicro.com\/en_us\/business\/products\/cyber-risk-exposure-management.html\">TrendAI Vision One\u2122 Cyber Risk Exposure Management (CREM)<\/a>, can help organizations identify and prioritize these types of risks before they can be exploited. Rather than focusing solely on active threats, Cyber Risk Exposure Management continuously evaluates an organization\u2019s attack surface and highlights exposures that could enable an attacker to move from initial access to sensitive data.<\/p>\n<p>For this incident, Cyber Risk Exposure Management could surface risk indicators, such as:<\/p>\n<ul>\n<li><span class=\"rte-red-bullet\">Internet-exposed application services that reveal sensitive configuration metadata<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Applications and service accounts using legacy OAuth 2.0 authentication flows, such as ROPC<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Accounts that lack MFA enforcement or Conditional Access protections<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Applications relying on long-lived static client secrets for authentication<\/span><\/li>\n<li><span class=\"rte-red-bullet\">Potential attack paths, such as SharePoint Online, that link exposed services, identity weaknesses, and access to sensitive cloud data<\/span><\/li>\n<\/ul>\n<p>Cyber Risk Exposure Management does not evaluate risks in isolation. Instead, it correlates exposures across identities, cloud services, and external attack surfaces to identify complete attack paths. A single issue may appear moderate on its own; however, when combined with other exposures, it can create a viable route from external access to sensitive enterprise data.<\/p>\n<p>By continuously mapping identity posture, authentication methods, and cloud application exposure, Cyber Risk Exposure Management enables organizations to move from reactive detection toward proactive risk reduction. In scenarios similar to this attack, addressing legacy authentication usage and strengthening identity security controls could significantly reduce the likelihood of credential abuse and unauthorized data access.<\/p>\n<p> Read More <a href=\"https:\/\/www.trendmicro.com\/en_us\/research\/26\/c\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltrati.html\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Not every cloud breach starts with malware or a zero-day. In this incident, attackers discovered an exposed Spring Boot Actuator endpoint, harvested credentials from leaked configuration data, then used the OAuth2 Resource Owner Password Credentials (ROPC) flow to authenticate without MFA. Read More HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[61],"tags":[9510,9521,9508,9522,11129,9509],"class_list":["post-60336","post","type-post","status-publish","format-standard","hentry","category-trendmicro","tag-trend-micro-research-articles-news-reports","tag-trend-micro-research-cyber-crime","tag-trend-micro-research-endpoints","tag-trend-micro-research-expert-perspective","tag-trend-micro-research-investigations","tag-trend-micro-research-research"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>From Misconfigured Spring Boot Actuator to SharePoint Exfiltration: How Stolen Credentials Bypass MFA 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"From Misconfigured Spring Boot Actuator to SharePoint Exfiltration: How Stolen Credentials Bypass MFA 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2026-03-18T00:00:00+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/sharepoint-976:Large?qlt=80\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"From Misconfigured Spring Boot Actuator to SharePoint Exfiltration: How Stolen Credentials Bypass MFA\",\"datePublished\":\"2026-03-18T00:00:00+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\\\/\"},\"wordCount\":532,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/sharepoint-976:Large?qlt=80\",\"keywords\":[\"Trend Micro Research : Articles, News, Reports\",\"Trend Micro Research : Cyber Crime\",\"Trend Micro Research : Endpoints\",\"Trend Micro Research : Expert Perspective\",\"Trend Micro Research : Investigations\",\"Trend Micro Research : Research\"],\"articleSection\":[\"TrendMicro\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\\\/\",\"name\":\"From Misconfigured Spring Boot Actuator to SharePoint Exfiltration: How Stolen Credentials Bypass MFA 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/sharepoint-976:Large?qlt=80\",\"datePublished\":\"2026-03-18T00:00:00+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\\\/#primaryimage\",\"url\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/sharepoint-976:Large?qlt=80\",\"contentUrl\":\"https:\\\/\\\/trendmicro.scene7.com\\\/is\\\/image\\\/trendmicro\\\/sharepoint-976:Large?qlt=80\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Trend Micro Research : Articles, News, Reports\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/tag\\\/trend-micro-research-articles-news-reports\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"From Misconfigured Spring Boot Actuator to SharePoint Exfiltration: How Stolen Credentials Bypass MFA\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"From Misconfigured Spring Boot Actuator to SharePoint Exfiltration: How Stolen Credentials Bypass MFA 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\/","og_locale":"en_US","og_type":"article","og_title":"From Misconfigured Spring Boot Actuator to SharePoint Exfiltration: How Stolen Credentials Bypass MFA 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2026-03-18T00:00:00+00:00","og_image":[{"url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/sharepoint-976:Large?qlt=80","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"From Misconfigured Spring Boot Actuator to SharePoint Exfiltration: How Stolen Credentials Bypass MFA","datePublished":"2026-03-18T00:00:00+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\/"},"wordCount":532,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/sharepoint-976:Large?qlt=80","keywords":["Trend Micro Research : Articles, News, Reports","Trend Micro Research : Cyber Crime","Trend Micro Research : Endpoints","Trend Micro Research : Expert Perspective","Trend Micro Research : Investigations","Trend Micro Research : Research"],"articleSection":["TrendMicro"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\/","url":"https:\/\/www.threatshub.org\/blog\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\/","name":"From Misconfigured Spring Boot Actuator to SharePoint Exfiltration: How Stolen Credentials Bypass MFA 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\/#primaryimage"},"thumbnailUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/sharepoint-976:Large?qlt=80","datePublished":"2026-03-18T00:00:00+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\/#primaryimage","url":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/sharepoint-976:Large?qlt=80","contentUrl":"https:\/\/trendmicro.scene7.com\/is\/image\/trendmicro\/sharepoint-976:Large?qlt=80"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/from-misconfigured-spring-boot-actuator-to-sharepoint-exfiltration-how-stolen-credentials-bypass-mfa\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"Trend Micro Research : Articles, News, Reports","item":"https:\/\/www.threatshub.org\/blog\/tag\/trend-micro-research-articles-news-reports\/"},{"@type":"ListItem","position":3,"name":"From Misconfigured Spring Boot Actuator to SharePoint Exfiltration: How Stolen Credentials Bypass MFA"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60336","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=60336"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/60336\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=60336"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=60336"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=60336"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}