Microsoft SharePoint Under Cyberattack: China-Based Hackers Linked to Ongoing Exploits

Microsoft SharePoint Under Cyberattack

Microsoft confirmed on Tuesday that several China-linked hacking groups have been exploiting critical vulnerabilities in its SharePoint Server, a popular on-premises collaboration platform used by enterprises and government agencies worldwide. The attacks began in early July and have targeted numerous high-value systems, raising global concern over the growing cybersecurity risks tied to nation-state cyber operations.

The hacking activity, which Microsoft attributes to three distinct Chinese threat actors, has prompted urgent patch rollouts, government alerts, and increased scrutiny over Microsoft’s global security infrastructure.

Who Is Behind the Attack?

Microsoft has identified three China-based groups actively exploiting the vulnerability:

  1. Linen Typhoon (APT27) – A nation-state group long associated with cyber-espionage and targeting of government and corporate networks.

  2. Violet Typhoon (APT31) – Another advanced persistent threat (APT) actor with a history of operations focused on intelligence gathering.

  3. Storm-2603 – A less-known but highly active group originating from China, also involved in the current exploit wave.

All three actors are believed to have worked independently or in parallel to take advantage of a zero-day vulnerability affecting multiple SharePoint versions. These groups are known for sophisticated intrusion methods and stealthy persistence techniques, often leveraging stolen credentials and legitimate system tools to evade detection.

Timeline of the Attacks

The earliest evidence of exploitation traces back to July 7, 2025, when Microsoft’s threat intelligence teams first detected irregular behavior linked to SharePoint Server deployments. The attackers reportedly focused on on-premises SharePoint installations, not the cloud-based Microsoft 365 versions. Exploits occurred against:

  • SharePoint Server 2016

  • SharePoint Server 2019

  • SharePoint Subscription Edition

Initially, the attackers used a previously disclosed exploit chain known as ToolShell, which was made public in May 2025. They adapted this known technique to exploit two new vulnerabilities—later catalogued as CVE-2025-53770 and CVE-2025-53771—allowing remote code execution and unauthorized access.

How the Exploit Works

The attackers leveraged these vulnerabilities to upload malicious payloads—most notably, a custom web shell named spinstall0.aspx—onto SharePoint servers. Once installed, the web shell allowed attackers to execute arbitrary code and extract sensitive data.

Crucially, the attackers focused on accessing and exfiltrating ASP.NET machine keys used by SharePoint. These cryptographic keys are vital in authenticating users and applications. By stealing them, the attackers could forge authentication tokens, granting themselves administrative access without triggering alerts.

Even systems configured in load-balanced environments were vulnerable, as the machine keys are often shared across multiple servers. This allowed persistent, distributed access and made mitigation more challenging.

In more advanced cases, threat actors also deployed in-memory modules that did not leave any trace on the hard drive. These stealthy tactics bypassed traditional antivirus tools and made incident response far more complex.

A Growing List of Victims

Although the full extent of the breach is still under investigation, cybersecurity consultants and Microsoft’s own threat intelligence suggest that at least 50 organizations have been impacted. These include:

  • U.S. federal agencies

  • Military subcontractors

  • Energy sector firms

  • Educational institutions

  • Several state and local government entities

Security teams discovered that some compromised SharePoint instances were being used as launchpads for lateral movement, enabling attackers to pivot into email systems, internal databases, and critical enterprise applications.

Organizations running outdated or unpatched SharePoint versions were especially vulnerable. In several cases, forensic analysis found evidence of data tampering, credentials harvesting, and deployment of secondary malware loaders.

Microsoft’s Response: Patches and Recommendations

Microsoft responded by releasing emergency patches:

  • Patches for SharePoint Server 2016 and 2019 were released on Sunday, July 21

  • A patch for SharePoint Subscription Edition followed on Monday, July 22

In addition to the patches, Microsoft urged all organizations using on-premises SharePoint to:

  • Immediately apply the latest updates

  • Rotate all cryptographic machine keys and authentication tokens

  • Check logs and files for evidence of web shells and unauthorized access

  • Deploy endpoint detection tools capable of identifying in-memory threats

Microsoft emphasized that simply patching the system is not enough. Once machine keys are compromised, attackers can maintain access even if the software is updated. Key rotation and forensic reviews are essential to ensure complete remediation.

U.S. Government Agencies Take Action

U.S. Government Agencies Take Action

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) responded swiftly by adding CVE-2025-53770 to its Known Exploited Vulnerabilities (KEV) catalog. CISA also issued a binding operational directive requiring all federal civilian agencies to patch the vulnerability by July 24, 2025.

The directive was based on evidence that multiple federal networks were already compromised before patches were available. CISA warned that this exploit could allow attackers to bypass authentication, steal sensitive documents, or gain long-term control over internal systems.

Security Experts Raise Alarms

Cybersecurity firms such as Mandiant, now owned by Google, assessed that at least one of the groups exploiting the vulnerability had direct ties to China’s intelligence apparatus. While Microsoft did not name the Chinese government as being directly responsible, security experts widely consider these groups to operate with at least implicit support from state agencies.

This latest incident follows a series of breaches involving Chinese actors targeting Microsoft technologies. In 2021, the Hafnium group (also China-linked) exploited vulnerabilities in Microsoft Exchange Server, gaining access to email communications in thousands of networks globally. More recently, Microsoft faced backlash after Chinese hackers breached U.S. government email accounts in 2023—a failure that drew criticism from federal oversight bodies.

Internal Security Measures at Microsoft Under Scrutiny

The SharePoint exploit comes at a time when Microsoft is under growing pressure to improve its internal security operations. In early July, the company announced that it would no longer rely on engineers based in China for certain sensitive work, including Pentagon-related cloud services. This decision followed media reports suggesting that global infrastructure supported by Chinese personnel could present supply chain and insider threats to U.S. national security.

Microsoft CEO Satya Nadella previously committed to making cybersecurity a top company priority, especially after critical government reports questioned the company’s handling of past attacks.

Despite this pledge, the current incident raises questions about Microsoft’s vulnerability response timelines, incident communication, and the reliance on legacy on-premise software still widely deployed in enterprise environments.

Urgent Recommendations for Organizations

Security experts are advising all organizations running SharePoint to treat this vulnerability as a severe and active threat. Recommended actions include:

  1. Apply Microsoft’s latest security updates immediately.

  2. Conduct a full audit of machine keys and security tokens.

  3. Inspect for web shells like spinstall0.aspx and delete them.

  4. Run memory analysis tools to detect hidden modules.

  5. Isolate compromised servers from the network until they are fully cleaned.

  6. Engage professional cybersecurity teams to conduct forensic investigations.

Organizations should also consider accelerating migration from legacy on-premise systems to cloud-based, actively managed solutions where patching and monitoring are more streamlined.

A Wake-Up Call for Enterprise Security

The exploitation of Microsoft SharePoint by Chinese hacking groups illustrates the ongoing challenge of securing critical infrastructure software. As threat actors become more advanced, vulnerabilities in enterprise platforms like SharePoint represent high-value targets for espionage, intellectual property theft, and data manipulation.

This incident reinforces the urgent need for proactive patching, zero-trust architecture, and continuous threat monitoring. For both private and public organizations, the attacks serve as a stark reminder that security is only as strong as the weakest link in the digital chain.

As investigations continue and the list of victims grows, Microsoft and its customers face a difficult period of response, recovery, and restructuring of their cybersecurity strategies.


Subscribe to Our Newsletter

Related Articles

Top Trending

Project-Based Learning Tech for kids
Project-Based Learning Tech: A Practical Guide for Kids, Homeschool, and Hands-On Learning
Why Brazil Has Only 3 World Cup Trophies
Why Does Brazil Have Only 3 World Cup Trophies Despite Winning 5 Times?
Reducing Fashion Waste
Reducing Fashion Waste: How to Fix, Clean, and Preserve Your Wardrobe
Realistic workspace showing a large screen with a Pillar and Cluster Content Model diagram for SEO content planning.
Pillar and Cluster Content Model: SEO Topic Hubs Explained
Bes Technical SEO Startup for Fintech in United Arab Emirates
10 Bes Startup Technical SEO Agencies for Fintech in United Arab Emirates

Fintech & Finance

Tracking Small-Cap Stocks on Fintechzoom.com Russell 2000
Fintechzoom.com Russell 2000: The Complete Guide to Tracking Small-Cap Stocks in 2026
Organizational Bottlenecks and How to Address Them
10 Organizational Bottlenecks: Here’s How to Address Them
Why more Indians are Taking a Rs 50000 Personal Loan for Emergencies and Short-term Needs
Why more Indians are Taking a Rs 50000 Personal Loan for Emergencies and Short-term Needs
Founder comparing the Best Accounting Tools for Founders on a startup finance dashboard
9 Best Accounting Tools for Founders to Keep Startup Finances Clean
Rise of SpaceX Stock Price
The Rise of SpaceX Stock Price: Understanding the Factors Driving Market Interest 

Sustainability & Living

Reducing Fashion Waste
Reducing Fashion Waste: How to Fix, Clean, and Preserve Your Wardrobe
Finnish MaaS Platforms
5 Finnish MaaS Platforms Redefining Global Public Transit Integration
Recyclable symbol meaningless
The Recyclable Symbol Has Lost All Meaning: The Chasing Arrows Lie
plastic-free bathroom
Plastic-Free Bathroom Routine: A Practical Way to Cut Waste Without Making Your Life Harder
transportation choices that lower emissions
7 Transportation Choices That Lower Emissions Without Making Daily Life Impossible

GAMING

why AAA games look the same
Why AAA Games Look the Same Even When They Cost More Than Ever
Foullrop85j.08.47h Gaming
Foullrop85j.08.47h Gaming: What It Really Is and Why You Should Be Skeptical
Live Service Killed Creativity
Live Service Killed Creativity, and the Industry Knows It
AI-Powered Playtesting
Top 10 Gaming SMEs and Startups Specializing in AI-Powered Playtesting in the United States
Best Gaming Communities
25 Gaming Communities and Platforms You Must Join Today

Business & Marketing

best templates founders
11 Best Templates Founders Need to Build Smarter
Promotional talent live events
How Promotional Talent Helps Brands Make an Impact at Live Events
Organizational Bottlenecks and How to Address Them
10 Organizational Bottlenecks: Here’s How to Address Them
best accelerator programs
8 Best Accelerator Programs: A Practical Founder’s Guide to Funding and Strategic Fit
best startup blogs
The 10 Best Startup Blogs: A Practical Guide for New Founders

Technology & AI

How to Make Consistent Characters in AI Image Generators
How to Make Consistent Characters in AI Image Generators [Complete Workflow]
best templates founders
11 Best Templates Founders Need to Build Smarter
Community-Building SaaS Tactics
7 Community-Building Tactics for SaaS
referral tactics SaaS
8 Referral Tactics for SaaS Teams That Want Better Word-of-Mouth Growth
AI Voiceover Platforms
7 Best AI Voiceover Platforms Worth Using: The Ultimate Guide

Fitness & Wellness

Stretching Accessories That Make a Difference
7 Stretching Accessories That Make a Difference for Flexibility, Mobility, and Recovery
air quality wellness devices
13 Air Quality and Wellness Devices Worth Considering for a Healthier Home
habits reduce stress
7 Habits That Reduce Stress Long Term and Feel Calmer Daily
habits better focus
11 Habits for Better Focus That Actually Work
meditation aids tools
11 Meditation Aids and Tools That Support Daily Calm