On-premises Microsoft SharePoint servers are under active exploitation by Storm-2603, while a second, unattributed actor operates inside the same compromised environments using DLL sideloading and custom backdoors. Separately, the ClickOnce deployment framework is being weaponized for self-updating persistence on standard Windows endpoints, requiring neither a CVE nor elevated rights. Both attack paths abuse legitimate Microsoft infrastructure and processes, which makes detection non-trivial and patch-only remediation insufficient.