Microsoft SharePoint Zero-Day Attack: Critical Infrastructure Under Siege


Widespread Exploitation Targets Government and Corporate Networks

A sophisticated cyber espionage campaign has compromised approximately 100 organizations worldwide through a critical zero-day vulnerability in Microsoft SharePoint servers, with security researchers warning that the full scope of the attack may be far greater than initially detected.

The Discovery

The attack was first uncovered on Friday by Eye Security, a Netherlands-based cybersecurity firm, when they detected the compromise at one of their clients. Working alongside the Shadowserver Foundation, security researchers conducted an internet scan that revealed the alarming scale of the breach.

A sweeping cyber espionage operation targeting Microsoft server software has compromised about 100 different organisations over the weekend, according to findings announced Monday by the organizations that discovered the attack.

"It's unambiguous," said Vaisha Bernard, chief hacker at Eye Security. "Who knows what other adversaries have done since to place other backdoors."


Technical Details of the Vulnerability

The attack exploits what cybersecurity experts call a "zero-day" vulnerability – a previously unknown digital weakness that gives attackers a significant advantage. The vulnerability is described as an unauthenticated deserialization of untrusted data issue, and has a CVSS base score of 9.8 (Critical).

Multiple CVE identifiers have been assigned to related vulnerabilities in this attack chain:

  • CVE-2025-53770, which Microsoft acknowledged in an advisory about active attacks targeting on-premises SharePoint Server customers
  • CVE-2025-49704 and CVE-2025-49706, which when chained together allow an attacker to run arbitrary commands on vulnerable instances

This vulnerability affects on-premises Microsoft SharePoint servers, allowing unauthenticated attackers to gain full access and execute arbitrary code remotely. Critically, cloud-hosted SharePoint instances running on Microsoft's own servers were unaffected; only self-hosted, on-premises installations are vulnerable.

Attack Methodology

The attack essentially involves delivering ASPX payloads via PowerShell; these payloads are then used to steal the SharePoint server's MachineKey configuration, including the ValidationKey and DecryptionKey, which the attackers use to maintain persistent access.

The hacks allow spies to penetrate vulnerable servers and potentially drop a backdoor to secure continuous access to victim organizations, creating a persistent foothold for long-term espionage operations.

Global Impact and Victims

The Shadowserver Foundation confirmed the 100 figure and said that most of those affected were in the United States and Germany and that the victims included government organisations. However, the true scale of the compromise may be significantly larger.

According to data from Shodan, a search engine that helps to identify internet-linked equipment, more than 8,000 servers online could theoretically have already been compromised by hackers. These potential targets include major industrial firms, banks, auditors, healthcare companies, and several US state-level and international government entities.

Daniel Card of British cybersecurity consultancy PwnDefend warned that "The SharePoint incident appears to have created a broad level of compromise across a range of servers globally".


Attribution: Chinese State-Sponsored Groups

Recent intelligence reveals the involvement of sophisticated nation-state actors. Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon, exploiting vulnerabilities targeting internet-facing SharePoint servers. In addition, they have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities.

This attribution aligns with the broader pattern of Chinese state-sponsored cyber operations targeting critical infrastructure and government systems, as seen in concurrent attacks on US nuclear facilities and Singapore's critical infrastructure.

Government Response and Investigation

Law enforcement agencies have launched investigations into the breach. The FBI said on Sunday it was aware of the attacks and was working closely with its federal and private-sector partners, but offered no other details. Britain's National Cyber Security Centre said in a statement that it was aware of "a limited number" of targets in the United Kingdom.

Security researchers have notified relevant national authorities about the affected organizations, though specific victim identities remain confidential for security reasons.

Microsoft's Response and Patches

Microsoft issued an alert about "active attacks" on self-hosted SharePoint servers on Saturday. A Microsoft spokesperson said in an emailed statement that it had "provided security updates and encourages customers to install them".

However, the patching situation remains complex. Microsoft acknowledged that vulnerabilities were only partially addressed by the July 8, 2025 security update, and despite public guidance from Microsoft and an alert from CISA, a full security patch is not yet available.

Market Impact and Broader Implications

The cyberattack has had minimal immediate impact on Microsoft's stock performance. On Wall Street, Microsoft's stock is about even with the market open, up by only 0.06 percent, and has gone up more than 1.5 percent over the last five days of trading.

However, the security implications are far more significant. Rafe Pilling, director of threat intelligence at Sophos, noted that while the spying initially appeared to be the work of a single hacker or set of hackers, "It's possible that this will quickly change" as knowledge of the vulnerability spreads.

Recommendations for Organizations

Cybersecurity experts emphasize that simply applying patches may not be sufficient. Card from PwnDefend advised that "Taking an assumed breach approach is wise, and it's also important to understand that just applying the patch isn't all that is required here".

Organizations running on-premises SharePoint servers should:

  • Immediately apply available security updates
  • Conduct thorough security assessments to identify potential compromises
  • Implement additional monitoring and access controls
  • Consider migrating to cloud-hosted SharePoint solutions where possible
  • Review network logs for indicators of compromise
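Because the campaign steals the ASP.NET MachineKey (ValidationKey and DecryptionKey), patching alone leaves any stolen keys valid; the assessment step should confirm the keys were actually rotated on every front-end. The following is an added example, not code from the article or from Microsoft: it assumes the keys live in each web application's web.config under system.web/machineKey, uses constructed config fragments with placeholder key material, and compares a pre-incident fingerprint against the post-remediation one.

```python
"""Check whether a SharePoint web application's ASP.NET machineKey was rotated.

Assumptions (not from the article): IIS stores the keys in web.config as
<system.web><machineKey validationKey="..." decryptionKey="..."/>; the defender
kept a fingerprint of the pre-incident keys to compare after remediation.
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample web.config fragments; the key values are fake placeholders.
WEB_CONFIG_BEFORE = """<configuration><system.web>
  <machineKey validationKey="AAAA1111" decryptionKey="BBBB2222"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>"""

WEB_CONFIG_AFTER = """<configuration><system.web>
  <machineKey validationKey="CCCC3333" decryptionKey="DDDD4444"
              validation="HMACSHA256" decryption="AES"/>
</system.web></configuration>"""


def extract_machine_key(web_config_xml: str) -> dict:
    """Return the machineKey attributes, or an empty dict if none is configured."""
    root = ET.fromstring(web_config_xml)
    node = root.find("./system.web/machineKey")
    return dict(node.attrib) if node is not None else {}


def key_fingerprint(attrs: dict) -> str:
    """SHA-256 over both secrets so they can be compared without storing them."""
    material = attrs.get("validationKey", "") + "|" + attrs.get("decryptionKey", "")
    return hashlib.sha256(material.encode()).hexdigest()


def rotation_status(before_xml: str, after_xml: str) -> str:
    """Classify whether remediation changed the keys an attacker may already hold."""
    before, after = extract_machine_key(before_xml), extract_machine_key(after_xml)
    if not after:
        return "missing"        # no explicit machineKey element: inspect the server manually
    if key_fingerprint(before) == key_fingerprint(after):
        return "not-rotated"    # patched, but previously stolen keys would still work
    if (after.get("validationKey") == before.get("validationKey")
            or after.get("decryptionKey") == before.get("decryptionKey")):
        return "partially-rotated"  # only one of the two secrets changed
    return "rotated"


if __name__ == "__main__":
    print(rotation_status(WEB_CONFIG_BEFORE, WEB_CONFIG_AFTER))
```

Run it against a snapshot of each front-end's web.config; any server reporting anything other than "rotated" still trusts key material the attackers may have exfiltrated.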

Looking Forward

This incident represents a significant escalation in the sophistication and scale of nation-state cyber operations targeting critical infrastructure. The combination of zero-day vulnerabilities, widespread deployment of the targeted software, and the involvement of multiple Chinese state-sponsored groups creates a perfect storm for large-scale espionage operations.

The attack underscores the ongoing vulnerability of on-premises enterprise software to sophisticated nation-state actors and highlights the critical importance of rapid patch deployment and comprehensive cybersecurity monitoring for organizations operating critical infrastructure systems.

As investigations continue and the full scope of the compromise becomes clearer, this incident will likely serve as a watershed moment for how organizations approach the security of their collaboration and document-sharing platforms.
