Hackers exploit Microsoft SharePoint flaw in global attacks, prompting urgent security response

Microsoft scrambled to issue emergency fixes after unknown attackers used a “significant” flaw in SharePoint Server to breach government agencies, businesses, and other organizations worldwide . The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed active attacks on on-premises SharePoint systems and warned that tens of thousands of servers could be at risk . Microsoft alerted customers over the weekend to install security updates immediately, noting that its SharePoint Online cloud service was not affected by this on-premises vulnerability . U.S. officials, including the FBI, are investigating the incident as Microsoft coordinates with federal cyber defense agencies in response .

Governments and businesses among the victims

The scope of the breach is broad, with confirmed targets spanning multiple sectors and countries. In the United States, at least two federal agencies were reportedly compromised, including the Department of Education, alongside state-level victims like Florida’s Department of Revenue and the Rhode Island General Assembly . The hackers also breached a U.S.-based health care provider and attempted intrusions at a public university in Southeast Asia . Officials say national government networks in parts of Europe and the Middle East have been affected as well . Cybersecurity researchers estimate roughly 100 organizations have been hit so far in this campaign , with vulnerable SharePoint servers identified across the Americas, Europe, Africa, and Asia-Pacific .

“This is a high-severity, high-urgency threat,” warned Michael Sikorski, CTO of Palo Alto Networks’ Unit 42. “What makes this especially concerning is SharePoint’s deep integration with Microsoft’s platform … A compromise doesn’t stay contained—it opens the door to the entire network.” Indeed, Microsoft’s SharePoint is used by countless businesses and institutions to store and collaborate on internal documents . By exploiting this single vulnerability, attackers could potentially access not only the organizations’ SharePoint files, but also connected services like Office, Teams, OneDrive, and Outlook that hold valuable data . The incident has put Microsoft under renewed scrutiny for its enterprise software security, coming on the heels of other high-profile cyberattacks in recent years . Microsoft says it is working closely with security agencies and customers to contain the threat while bolstering defenses going forward.

Technical breakdown: how the breach happened

Technical details – Note for non-technical readers: The following section explains how the SharePoint breach occurred, including the mechanics of the exploit and attacker methods. Feel free to skip ahead to the next section for key takeaways and safety tips.

At the heart of this incident is a zero-day vulnerability (an unpatched, previously unknown flaw) in Microsoft SharePoint Server. The exploit has been nicknamed “ToolShell” by researchers , and it is formally tracked as CVE-2025-53770 (with a related variant CVE-2025-53771). This security hole allows an unauthenticated attacker to remotely execute code on a SharePoint server – effectively granting them full access to the server’s files and privileges . In technical terms, the attackers found a way to bypass SharePoint’s authentication and abuse a standard web endpoint (the SharePoint ToolPane.aspx component) via a crafted HTTP request . This gives the hacker a foothold to upload a malicious web shell (a hidden script) onto the server without needing any valid user credentials . Once the web shell (often named “spinstall0.aspx” or a similar variant) is planted, the attacker can send commands to the server remotely, as if they were an administrator .

One of the first things the attackers have been observed doing with this access is stealing the server’s cryptographic keys . In particular, they target the SharePoint ASP.NET machine key – a secret key that the server uses for encryption and authentication tokens. By extracting this key, the hackers can impersonate users or services on the compromised server, even after the original software flaw is patched . In other words, they could generate valid session cookies or signed tokens to maintain persistence in the network. Security analysts warned that the attackers also harvested other credentials from some breached systems (such as usernames, password hashes, and authentication tokens) to further deepen their access . If organizations only apply the software patch but do not change these keys and passwords, the intruders could secretly remain in control via their backdoors.

The SharePoint exploit chain in this case was sophisticated but quick to spread. According to Eye Security (the firm that first spotted the attacks), malicious activity against SharePoint servers spiked on July 18, 2025, when hackers launched waves of attacks scanning for vulnerable servers . Within a day of discovery, Microsoft rushed out an initial security update for supported SharePoint editions on July 20–21, and by July 22 patches for all supported versions (2016, 2019, and Subscription Edition) were made available . However, the situation was complex: this “new” zero-day turned out to be a variant of an earlier SharePoint vulnerability from earlier in the year (CVE-2025-49704/49706), which hackers found a way to exploit despite Microsoft’s prior patch . In fact, security researchers revealed that the ToolShell flaw had been first identified by academics in May 2025, and Microsoft’s July Patch Tuesday updates attempted to fix it – but attackers discovered workarounds to those fixes, leading to this emergency . “There were ways around the patches,” explained Vaisha Bernard of Eye Security, noting that the attackers tapped into similar code weaknesses to evade the initial mitigation .

Multiple threat groups seized on the opportunity to use the SharePoint exploit. Google’s Mandiant unit attributed part of the campaign to a state-linked Chinese hacking group, among what appears to be a mix of actors all leveraging the same flaw . Microsoft’s own investigation later confirmed this: the company observed at least three distinct clusters of attackers exploiting the SharePoint hole, including two Chinese state-sponsored groups (codenamed Linen Typhoon and Violet Typhoon) and another China-based hacker group dubbed Storm-2603 . These adversaries primarily seek espionage and data theft, and have histories of scanning for internet-exposed systems to drop web shells for long-term access . Additionally, once the exploit technique became public (a proof-of-concept attack script was posted online), financially motivated cybercriminals also began adopting it to compromise any unpatched servers en masse . This is why authorities described the attacks as “not targeted” – the attackers were broadly sweeping for vulnerable SharePoint sites rather than picking specific victims . Reports indicate the hackers launched multiple waves and may have compromised dozens of servers within days of the flaw’s disclosure . Some of the groups involved have even been linked to ransomware operations in the past, raising concerns that the breach of these servers could be a precursor to data extortion or encryption attacks down the line .

Key lessons and security tips

In the wake of this incident, cybersecurity experts are urging both organizations and individuals to learn from the attack and strengthen their defenses. Here are the key lessons and actionable security tips emerging from the SharePoint breach:

• Apply critical updates immediately: A clear lesson is the importance of prompt patching. Microsoft released emergency fixes to fully protect supported SharePoint versions , and organizations should not delay in installing these. When a major vendor issues an out-of-band security update due to active attacks, treat it with the highest urgency. Many victims in this campaign were breached before they could patch, underscoring how even a few days’ delay can be costly.
• Upgrade or isolate legacy systems: The attacks only impacted on-premises SharePoint servers, especially those that were outdated or unpatched . Older editions like SharePoint 2010 and 2013 will not receive any patch for this vulnerability , leaving them permanently exposed. Organizations running unsupported software should upgrade to supported versions or, if upgrades aren’t possible, isolate or decommission those systems. Relying on end-of-life software for critical functions creates an easy target for attackers.
• Enable recommended security features: Microsoft and CISA have advised enabling the Antimalware Scan Interface (AMSI) and running up-to-date antivirus tools on SharePoint servers . In this case, AMSI (when configured in “Full” scanning mode) can detect the malicious web shell code and block the exploit before it runs . Ensure that your security software is active and that any available exploit protection or intrusion prevention features are turned on. Defense-in-depth measures can prevent a single vulnerability from leading to total compromise.
• Monitor logs and network traffic for anomalies: The SharePoint hack was often signaled by unusual patterns, such as unexpected HTTP POST requests to the SharePoint _layouts/15/ToolPane.aspx page from odd IP addresses . System administrators should actively monitor server logs and network traffic for any strange or unauthorized attempts to access admin pages or upload files. CISA has even recommended scanning for specific attacker IPs and indicators (for example, file names like “spinstall.aspx”) that were tied to this attack . Early detection of suspicious activity can dramatically reduce the damage from an intrusion.
• Rotate keys and credentials after a breach: Simply applying a patch will not eject an attacker who has already established a backdoor. In this incident, hackers stole machine keys and account credentials from SharePoint servers to maintain persistence . Organizations that suspect they were compromised (or want to be safe post-patch) should rotate all passwords, API tokens, and encryption keys associated with the affected system . Microsoft specifically advises regenerating the SharePoint machine key and restarting the server after applying the update . This helps ensure that any stolen authentication material is rendered useless to the attacker. It’s also wise to look for any unauthorized user accounts or scheduled tasks that the hackers may have added and remove them.
• Consider cloud-managed services when feasible: One notable aspect of this case is that Microsoft’s cloud-hosted SharePoint Online was not impacted – only customers running their own servers were vulnerable . Cloud services are not immune to bugs, but providers can often patch or mitigate issues faster at scale. Organizations without dedicated IT security teams might weigh the benefits of using cloud software (where security updates are handled by the provider) versus self-hosting critical applications. At minimum, ensure on-premises systems are behind firewalls or VPNs if they must be exposed, and keep them rigorously maintained.
• For individual users: While this SharePoint incident chiefly affects organizations, it’s a reminder that cybersecurity is everyone’s responsibility. If you use services provided by an employer or a school, stay alert for any breach notifications or required password resets in the aftermath of such attacks. It’s good practice to maintain strong, unique passwords and enable multi-factor authentication on your accounts, so that even if one system is compromised, attackers cannot easily reuse your credentials elsewhere. Finally, keep your personal devices and software updated – many cyberattacks (whether on companies or consumers) succeed by exploiting unpatched flaws. Staying informed about major security news like this and following guidance from trusted sources (such as official Microsoft security advisories or CISA alerts) can help you react quickly when threats emerge.

The Microsoft SharePoint breach of July 2025 serves as a stark example of how a single vulnerability in widely used software can ripple across the globe. A concerted response – from Microsoft’s rapid patching to organizations’ diligent mitigation and users’ vigilance – is crucial to minimize the damage. In cybersecurity, speed and preparedness matter: those who patched immediately and followed best practices were far better protected when the hackers came knocking. By learning from this incident and implementing the recommended safeguards, organizations and individuals alike can strengthen their defenses against the next cyber threat. The SharePoint attack is a wake-up call, but with the right lessons learned, it can also be an opportunity to improve resilience and security awareness going forward.