Microsoft SharePoint hack: 10 key facts that break down the breach

The Microsoft SharePoint hack was identified in May 2025. However, it could not be avoided. Here is all you need to know about the security breach.

The SharePoint vulnerability has been attributed to three Beijing based hackers. (Image: X)

Microsoft’s document sharing and collaboration platform, SharePoint, became the target of a major cyberattack that aimed to breach government agencies and businesses worldwide. “Active attack” alerts were issued after nearly 100 global organisations were found to be at risk of being compromised by hackers who could gain access to their cryptographic keys. Notably, reports suggest that Microsoft was already aware of the vulnerability, which had been exposed during a hacking competition back in May.

Despite this, the tech giant failed to apply a critical security patch to its SharePoint software server. While the US National Nuclear Security Administration was among those breached, Bloomberg reported, no classified information has been known to be compromised.

1. What is the Microsoft SharePoint hack?

The vulnerability in the SharePoint server was first pointed out at a hacking competition in Berlin organised by the cybersecurity firm Trend Micro. The event offered cash prizes for the discovery of such bugs in popular software, including a $100,000 bounty for “zero-day” exploits, and it was there that a vulnerability that could be used against the document management and collaboration platform’s server was identified.

2. Who identified the SharePoint bug?

A researcher working for the cybersecurity arm of Viettel, a telecom firm operated by Vietnam’s military, identified the SharePoint bug in Berlin. It was later dubbed “ToolShell”, and a method of exploiting it was subsequently revealed.

3. What is a zero-day exploit?

A zero-day exploit is a type of cyberattack that targets a security flaw that was previously undiscovered, meaning developers have had no time, that is “zero days”, to create a patch or solution.

As explained by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the newly identified exploit impacting SharePoint is “a variant of the existing vulnerability CVE-2025-49706 and poses a risk to organizations with on-premise SharePoint servers.”

4. What followed the hackathon?

Trend Micro, in a statement, said that it was the responsibility of vendors participating in its competition to patch and disclose security flaws in “an effective and timely manner”. “Patches will occasionally fail. This has happened with SharePoint in the past,” the statement said.

5. What did Microsoft do?

Microsoft revealed on July 8 that the bug had been identified, had been listed as a technical vulnerability, and that patches had been released to fix it. Nearly ten days later, cybersecurity firms noticed an influx of malicious online activity targeting SharePoint; the attacks sought to exploit the bug and bypass the patches Microsoft had introduced.

6. Who was held responsible?

As per a statement from Microsoft, Chinese hacking groups were identified as being behind the SharePoint hack. Earlier this month, Microsoft held the Chinese nation-state actors “Linen Typhoon” and “Violet Typhoon” responsible, along with China’s Storm-2603.

Charles Carmakal, chief of Google’s Mandiant cybersecurity consulting group, said in a LinkedIn post on Monday, July 21, that “we assess that at least one of the actors responsible for the early exploitation is a China-nexus threat actor.”

7. China’s response to SharePoint hack

Beijing’s routine denial came after Mandiant’s revelations. In an emailed statement, the Chinese embassy in Washington said that China opposed all forms of cyberattacks and opposed “smearing others without solid evidence”, according to a Reuters report.

8. What is at risk?

Eye Security, the AP reported, had scanned over 8,000 SharePoint servers globally and found that at least dozens of systems were compromised. The firm said the attacks likely began on July 18. The vulnerability affected on-premises servers across businesses and organisations, but not Microsoft’s cloud-based SharePoint Online service. Following the hack, Bloomberg reported that no sensitive or classified data appears to have been compromised, even though the National Nuclear Security Administration was also reported to be among those impacted.

9. Next steps after SharePoint hack

The vulnerability affects SharePoint server software, and Microsoft advises users to promptly patch their on-premises systems. While the full impact is still being evaluated, CISA has warned it could be significant and urged disconnecting affected servers from the internet until updates are applied.

10. Has this happened before?

In 2021, attackers linked to the Chinese nation-state group known as Hafnium were found to have targeted another part of the Office suite: Exchange Server, which provides mail and calendar services. More recently, Chinese hackers reportedly stole emails from the US ambassador to China and the US Commerce Secretary. A “cascade” of Microsoft security misfires was exploited, Politico reported.


This article was first published on July 23, 2025, at 8:02 am.