Hackers Tear Through Microsoft SharePoint
Weekend breach spreads across government and industry
A worldwide investigation is under way after cyber‑intruders slipped through a brand‑new hole in Microsoft’s SharePoint Server, hijacking critical systems at government offices, universities, energy suppliers and at least one Asian telecommunications carrier. Authorities in the United States, Canada and Australia confirmed they are pooling resources to trace the source of the attacks and to help victims contain the damage. The break‑ins came to light late last week when Microsoft sounded an emergency alert, warning that “active attacks” were striking on‑premises SharePoint deployments.
How the attackers got in
Security researchers at Dutch firm Eye Security were the first to spot the intrusion pattern on the evening of 18 July. They uncovered a previously unseen remote‑code‑execution route—later assigned CVE‑2025‑53770 and CVE‑2025‑53771—that allowed outsiders to run their own commands on vulnerable servers without a password. By abusing the way SharePoint handles deserialised data, the hackers could lift machine keys, impersonate real users and jump into connected Microsoft services such as Outlook, Teams and OneDrive even after the affected server had been rebooted or partly patched.
On‑premises servers in the cross‑hairs
Only organisations that still host SharePoint on their own hardware were exposed; Microsoft 365’s cloud version was not affected. Even so, telemetry collected by investigators shows more than 400 breached networks worldwide, including the U.S. National Nuclear Security Administration, several state capitals and multiple power producers. Industry analysts have called it one of the most severe server‑level breaches in recent memory because SharePoint often sits at the heart of a company’s internal file‑sharing system, giving attackers a convenient springboard into wider corporate networks.
Patches arrive — but administrators race the clock
Microsoft rushed out emergency fixes on 20 July for SharePoint Subscription Edition and the 2019 release, urging customers to “apply them immediately” (SOURCE: msrc.microsoft.com). A patch for SharePoint 2016 followed two days later after administrators complained of being left exposed, and Redmond has told customers to rotate any server machine keys that might have leaked during the attacks. While the code updates close the initial front door, security teams are being told to hunt for back‑doors, unexpected administrator accounts and suspicious outbound data flows that could indicate lingering attacker presence.
Possible Chinese link under scrutiny
Although the joint U.S.–Canada–Australia task force has not publicly blamed any group, Microsoft’s threat‑intelligence unit says it has tracked three China‑based actors—Linen Typhoon, Violet Typhoon and Storm‑2603—testing and deploying the exploit since early July. Beijing has denied any involvement, calling the accusations “groundless.” Investigators are now combing through forensic data from dozens of compromised environments to determine whether the same hands were behind every break‑in or if copy‑cats have joined the fray.
What organisations should do now
Cyber‑security specialists warn that every organisation running an on‑premises SharePoint Server should assume compromise if the system was online between 7 and 22 July. They recommend installing the latest security updates without delay, scanning logs for unusual behaviour and isolating any server that shows unexplained spikes in activity. The U.S. Cybersecurity and Infrastructure Security Agency has already ordered federal departments to complete patching and key rotation within 72 hours, while Canadian and Australian counterparts are preparing similar directives. SOURCE: Canadian Centre for Cyber Security
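The log-scanning step above, as an added illustration that is not from the article or any of the agencies it cites: a small Python triage over constructed IIS-style access-log lines that keeps only the 7 to 22 July exposure window, flags a client whose busiest minute is far above its median minute, and flags POST traffic from outside RFC 1918 space. The window comes from the article; the spike factor, the internal-address rule, the sample lines and the field order are assumptions.

```python
from collections import Counter, defaultdict
from datetime import date, datetime
from ipaddress import ip_address, ip_network
from statistics import median

# Exposure window from the article: assume compromise if online 7-22 July.
WINDOW_START, WINDOW_END = date(2025, 7, 7), date(2025, 7, 22)
SPIKE_FACTOR = 5  # assumption: busiest minute at 5x the client's median minute is a spike
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]  # assumed internal

def parse(lines):
    """Yield (timestamp, client_ip, method, uri, status) from W3C-style lines."""
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        day, clock, ip, method, uri, status = line.split()[:6]
        yield datetime.fromisoformat(f"{day} {clock}"), ip, method, uri, int(status)

def triage(lines):
    """Return {client_ip: [reasons]} for clients that deserve a closer look."""
    per_minute = defaultdict(Counter)   # client -> minute bucket -> request count
    external_post = set()
    for ts, ip, method, _uri, _status in parse(lines):
        if not WINDOW_START <= ts.date() <= WINDOW_END:
            continue                    # outside the window the advisories cover
        per_minute[ip][ts.replace(second=0, microsecond=0)] += 1
        if method == "POST" and not any(ip_address(ip) in net for net in INTERNAL_NETS):
            external_post.add(ip)
    findings = {}
    for ip, buckets in per_minute.items():
        reasons, counts = [], list(buckets.values())
        if len(counts) > 1 and max(counts) >= SPIKE_FACTOR * median(counts):
            reasons.append(f"spike: {max(counts)} req/min vs median {median(counts):g}")
        if ip in external_post:
            reasons.append("POST requests from a non-internal address")
        if reasons:
            findings[ip] = reasons
    return findings

def _burst(ip, minute, n, method="POST", uri="/_layouts/15/start.aspx"):
    """Constructed sample lines (assumed field order: date time c-ip method uri status)."""
    return [f"2025-07-18 22:{minute:02d}:{s:02d} {ip} {method} {uri} 200" for s in range(n)]

# Constructed sample: an internal user browsing normally, plus an external client
# whose request rate jumps from 1/min to 12/min inside the window.
SAMPLE_LOG = (
    ["2025-07-05 09:00:01 10.1.2.3 GET /sites/hr/default.aspx 200"]  # before the window
    + _burst("10.1.2.3", 10, 2, "GET") + _burst("10.1.2.3", 11, 2, "GET") + _burst("10.1.2.3", 12, 3, "GET")
    + _burst("203.0.113.9", 10, 1) + _burst("203.0.113.9", 11, 1) + _burst("203.0.113.9", 12, 12)
)
```

Feed a real export's lines to `triage` in place of `SAMPLE_LOG`; a hit is a starting point for the hunt the article describes, not proof of compromise.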
The incident is the third major zero‑day campaign to hit Microsoft enterprise software this year and adds fresh pressure on the company to strengthen security for its on‑premises products. Lawmakers on Capitol Hill have scheduled a hearing for next month to quiz executives about Microsoft’s vulnerability‑management strategy. For administrators on the front lines, the immediate priority is clear: patch, audit and keep a close eye on every connection that touches SharePoint until the wider investigation reveals exactly how far the attackers have roamed.