Microsoft is warning organizations about active exploitation of on-premises SharePoint servers by the Storm-2603 group. Hackers are deploying Warlock ransomware after breaching vulnerable systems, demanding cryptocurrency payments. SharePoint Online is unaffected, but on-premises versions require patching. Microsoft advises enabling AMSI, deploying Defender AV, and monitoring for suspicious activity to protect against these attacks.