A wave of cyberattacks linked to Chinese state-sponsored hackers recently targeted vulnerable Microsoft SharePoint servers and affected several U.S. government agencies, Microsoft announced in a blog post.
The cyberattacks, dating back to early July 2025, leveraged a set of zero-day vulnerabilities that were brought to the fore in the Microsoft July 2025 Patch Tuesday update. The hackers used these zero-day vulnerabilities to gain access to sensitive systems and deploy malicious software.
How the cyberattacks went down
Microsoft revealed in a detailed blog post that sophisticated hacking groups, identified as Linen Typhoon, Violet Typhoon, and Storm-2603, were behind the cyberattack campaign. According to Microsoft, these groups have a history of targeting organizations involved in government defense, strategic planning, and human rights, usually for espionage and data theft.
The attacks targeted on-premises SharePoint servers, where the hackers exploited several critical vulnerabilities, including:
- CVE-2025-49704 (SharePoint RCE): A remote code execution flaw that allows attackers to run malicious software on the server
- CVE-2025-49706 (SharePoint Post-auth RCE): An authentication bypass that enables attackers to masquerade as legitimate users
- CVE-2025-53770 (SharePoint ToolShell Auth Bypass and RCE) & CVE-2025-53771 (SharePoint ToolShell Path Traversal): Additional flaws that allowed attackers to sidestep previously issued security fixes.
According to Microsoft, the attack began with the hackers sending crafted POST requests to the SharePoint endpoint known as ToolPane, then uploading a malicious script named spinstall0.aspx. This gave the hackers remote control over the compromised servers and allowed them to retrieve the MachineKey data, which in turn enabled “the theft of the key material by threat actors.”
Specifically, the cybercriminal group identified as Storm-2603 was reported to use the compromised access to deploy “Warlock” ransomware, encrypting files in target environments and further escalating the crisis.
Incident Response and Mitigation
After the attacks were detected, Microsoft moved quickly, rolling out emergency security updates for all supported on-premises versions of SharePoint. The company, alongside the U.S. Cybersecurity and Infrastructure Security Agency (CISA), also provided guidance for organizations to contain and remediate the attacks. The guidance includes:
- Apply security updates immediately: All organizations using on-premises SharePoint were advised to apply Microsoft’s latest patches
- Enable security features: Activate the Antimalware Scan Interface (AMSI) in SharePoint and ensure Defender Antivirus is running
- Rotate MachineKeys: After patching, refresh cryptographic MachineKeys to disrupt persistent attacker access
- Restart Internet Information Services (IIS): A full server restart is needed to ensure all new settings take effect
- Enhance monitoring and detection: Use endpoint detection and response (EDR) tools to spot and respond to any further attacks.
- Incident response: Organizations are urged to review logs for malicious file uploads and suspicious activity, and to follow Microsoft’s threat hunting queries for identifying compromised systems.
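The log review the guidance calls for, as an added example that is not from Microsoft's or CISA's material: a Python script that parses W3C-format IIS logs and flags the two indicators the article describes, POST requests to the ToolPane endpoint and any request for spinstall0.aspx. The log lines and client IP addresses are constructed, and the path /_layouts/15/ToolPane.aspx is assumed for the endpoint the article calls ToolPane.

```python
import re
# Indicators the article names: crafted POST requests to the ToolPane endpoint
# and the spinstall0.aspx web shell dropped afterwards. Matching on the path
# tail covers both /_layouts/15/ and /_layouts/16/ variants.
TOOLPANE_RE = re.compile(r"/toolpane\.aspx$", re.IGNORECASE)
WEBSHELL_RE = re.compile(r"/spinstall0\.aspx$", re.IGNORECASE)

def parse_iis_w3c(lines):
    """Yield one dict per request from W3C-format IIS log text; field names
    come from the '#Fields:' directive, so any enabled field set works."""
    fields = None
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign
        yield dict(zip(fields, values))

def find_toolshell_indicators(lines):
    """Return findings for ToolPane POSTs and any request for spinstall0.aspx."""
    findings = []
    for rec in parse_iis_w3c(lines):
        stem = rec.get("cs-uri-stem", "")
        common = {"time": f"{rec.get('date')} {rec.get('time')}",
                  "src": rec.get("c-ip"), "status": rec.get("sc-status")}
        if rec.get("cs-method") == "POST" and TOOLPANE_RE.search(stem):
            findings.append({"type": "toolpane_post", **common})
        elif WEBSHELL_RE.search(stem):
            # sc-status 200 means the shell answered; 404 is only a probe for it
            findings.append({"type": "webshell_request", **common})
    return findings

# Constructed sample log (not real telemetry); client IPs are documentation ranges.
SAMPLE_LOG = """#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip cs(Referer) sc-status
2025-07-18 03:12:41 GET /sites/hr/default.aspx - 10.0.0.25 - 200
2025-07-18 03:14:02 POST /_layouts/15/ToolPane.aspx - 198.51.100.7 - 200
2025-07-18 03:14:09 GET /_layouts/15/spinstall0.aspx - 198.51.100.7 - 200
2025-07-18 03:20:55 GET /_layouts/15/ToolPane.aspx - 10.0.0.31 - 200
2025-07-18 04:01:13 GET /_layouts/15/spinstall0.aspx - 203.0.113.9 - 404
"""

if __name__ == "__main__":
    for finding in find_toolshell_indicators(SAMPLE_LOG.splitlines()):
        print(finding)
```

A POST to ToolPane.aspx can also be a legitimate page edit, so the strong signal is a ToolPane POST followed within minutes by a spinstall0.aspx request from the same client; a 404 on spinstall0.aspx from an external address is a probe worth watching, not proof of compromise.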
Federal Agencies caught in the crosshairs
The attack campaign affected multiple U.S. federal agencies. While officials have stated there is no evidence that classified information was stolen, the breach still disrupted operations across key entities, including parts of the Department of Homeland Security and the National Nuclear Security Administration.
Globally, over 400 organizations were affected, including European and Middle Eastern government bodies, universities, and companies in sectors such as energy and finance. According to Microsoft, roughly 20% of observed SharePoint environments were exposed to these vulnerabilities at the height of the attack, with more than 1,100 servers identified as unpatched or at risk.
The SharePoint zero-day exploits show the evolving sophistication of cyber threats, especially when states sponsor threat actors against their rivals. They also highlight the high stakes for organizations and national agencies that manage sensitive data.
As ever, regular updates, strong incident response strategies, and the use of advanced security solutions remain the best defenses against these ever-changing attacks.