13 Jun 2026
Microsoft SharePoint Hack Hits ~100 Organisations, China-linked Attackers Blamed

WASHINGTON – A sweeping cyber-espionage operation exploiting a previously undisclosed zero-day flaw in on-premises Microsoft SharePoint servers has compromised around 100 organisations globally, according to cybersecurity firms Eye Security and the Shadowserver Foundation.

The breach affects self-hosted versions of SharePoint, widely used by enterprises and government agencies, but not Microsoft's cloud-based services such as SharePoint Online. The attack campaign, traced to around July 18, allowed intruders to gain continuous access, implant backdoors, and potentially exploit sensitive internal networks.

Targeted organisations are primarily based in the United States and Germany, including a significant U.S. federal agency, the National Nuclear Security Administration (NNSA), though no classified data is believed to have been accessed.

Attribution & Escalation

Microsoft publicly attributed the campaign to at least three China-linked threat actors—code-named Linen Typhoon, Violet Typhoon, and Storm-2603—though Beijing has denied involvement.

This exploit stems from a vulnerability first identified during a Berlin hacking competition in May, where the researcher disclosed the issue publicly. Microsoft issued an initial patch, but it proved ineffective; a follow-up update was deployed later, requiring affected organisations to rotate cryptographic keys and apply additional countermeasures.

By July 23, the breach had expanded to approximately 400 compromised systems, and Microsoft confirmed the involvement of ransomware-deploying groups, most notably the Warlock gang, signalling a shift from espionage to potential disruption.

Risk Assessment & Response

Security experts warn that tens of thousands of unpatched SharePoint servers remain online and at risk. Up to 8,000 servers may still be vulnerable globally, and additional hacker groups are expected to exploit the flaw in coming months.

Microsoft has urged customers to install emergency patches, implement endpoint protection tools, rotate exposed credentials, restart servers, and use antimalware safeguards such as AMSI and Microsoft Defender. National bodies—including the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI—are coordinating incident response efforts.

Critics argue the incident underscores long-standing weaknesses in Microsoft’s security lifecycle, especially for legacy, on-premises software, and raises concerns about broader national infrastructure dependency on a single vendor.

By Shomirul Islam Bonny

A Front-End Web Developer currently serving as the CTO at Sarawak Daily. I'm passionate about technology and enjoy sharing my tech knowledge with others.