Table of Contents
Highlights
- SharePoint vulnerabilities exploited by China-based groups like Linen Typhoon and Storm-2603 for espionage and data theft.
- ToolShell zero-day exploit chain used in SharePoint vulnerabilities to achieve remote code execution and persistent access.
- Microsoft issues emergency patches to fix SharePoint vulnerabilities and urges immediate updates to prevent further exploitation.
One of the exemplary revelations indicating the ever-evolving state-sponsored cyberattacks, Microsoft has accused Chinese threat actors of actively exploiting several critical vulnerabilities in its on-premises SharePoint Server software. Announced in its latest update on July 22, a Microsoft blog post by the company revealed this, sending shockwaves across the global cybersecurity community and galvanizing intense, varied responses from governments, enterprises, and researchers alike.
The target exploitation, which began happening as early as July 7, 2025, has affected at least 100 organizations across the globe, including several U.S. federal agencies. According to Microsoft, three China-based groups are responsible for the intrusions: Linen Typhoon, Violet Typhoon, and Storm-2603, all of which are reputed for highly sophisticated espionage and data-theft operations.
The Vulnerabilities and the Exploitation Chain
Hackers exploited a previously unknown group of vulnerabilities in SharePoint Server, known as “ToolShell”—a zero-day exploit chain first demonstrated and publicized at the Pwn2Own hacking competition in Berlin in May 2025.
The attack method, as reported by Microsoft and security analysts, was stealthy and highly technical. The malicious actors exploited cleverly crafted HTTP requests to perform remote code execution on unpatched SharePoint instances.
Once the actors had entered, they moved quickly to harvest machine keys—necessary cryptographic credentials used to authenticate and encrypt communications between Microsoft services. These keys allowed the intruders to deploy web shells, maintain persistent access, and possibly carry out secondary attacks, such as ransomware or data exfiltration.
The stolen keys gave attackers the ability to forge tokens, thereby providing them with administrative-level privileges over compromised systems. Having stated this, the security authorities observed that if such an attack remains unaccounted for, it would give the attackers several months or years to stay concealed.
Chinese State-Sponsored Attribution
Microsoft’s bold attribution to China was backed by forensic evidence and patterns associated with known Chinese advanced persistent threat (APT) groups. Linen Typhoon and Violet Typhoon have previously been attributed to China’s Ministry of State Security and have an utterly long history of cyber espionage targeting government agencies, defense contractors, and critical infrastructure sectors.
Moreover, Microsoft’s threat intelligence unit, Mandiant, independently confirmed the findings, stating that “at least one China-backed group was involved,” and warned that ToolShell has been increasingly used by other threat actors in the wild.
The use of Chinese IP addresses, the nature of the targets, and the strategic interest in cryptographic keys correlate closely with prior Chinese cyber operations, including Worldwide Long-Term Espionage and Intellectual Property/theft activities, rather than immediate financial gain.
Global Impact and Scope
The scope of this breach is enormous. According to Politico and other media outlets, U.S. federal systems were among those compromised, though reportedly not any classified ones. The agencies involved in mitigation and forensic recovery attempts include the Department of Homeland Security and the Department of Defense’s Cyber Command.
Internationally, some private-sector entities in defense, technology, and energy sectors were reporting potential intrusions. The CISA (Cybersecurity and Infrastructure Security Agency) has advised all SharePoint Server users to assume a compromised system and to perform a complete incident response.
Microsoft’s Response and Emergency Patches
Microsoft issued emergency security patches from July 19 to 21 for several versions of SharePoint Server, including 2016, 2019, and the Subscription Edition. The company published detailed guidance, recommending:
- Immediate installation of security updates
- Rotation of machine keys
- Disabling of internet-exposed SharePoint instances
- Deployment of Microsoft Defender Antivirus and Antimalware Scan Interface (AMSI) for detection
- Use of network segmentation and log analysis to trace lateral movement
Despite this, critics pointed out that Microsoft had been aware of the vulnerability since at least May 2025 but only released a patch after detecting active exploitation. According to Reuters, Microsoft’s initial fix was bypassed, allowing attackers to continue their operations unnoticed.
A Pattern of Delays and Missteps?
This incident reflects Microsoft’s past issues with timely patching and managing vulnerabilities. In 2021, Chinese hackers exploited flaws in Microsoft Exchange Server in a similarly large-scale attack. In that case, Microsoft faced criticism for delayed announcements and inadequate patch coverage.
The SharePoint breach raises familiar questions: Why wasn’t a known Pwn2Own exploit patched in advance? Could better internal testing or transparency have reduced the damage? Critics argue that Microsoft’s focus on cloud solutions has led to slower updates and reduced oversight for its older on-premises products.
Political and Cybersecurity Implications
Beyond the technical issues, the breach has serious geopolitical consequences. The public accusation against China could heighten ongoing tensions between Beijing and Washington in the digital realm. The Biden administration is reportedly considering a formal response, which might include diplomatic protests, sanctions, or an expansion of cyber operations as part of the new National Cyber Strategy.
From a security policy perspective, this breach serves as a wake-up call for organizations still depending on on-premises systems without regular updates or dedicated security teams. It also highlights the growing significance of zero-day marketplaces, where tools showcased at hacker competitions can quickly become real-world weapons.
Conclusion
The exploitation of Microsoft SharePoint vulnerabilities by alleged Chinese state-sponsored actors represents one of the most significant cybersecurity threats of 2025 so far. It demonstrates not only the technical skills of modern APT groups but also the serious gaps in enterprise patching and vulnerability awareness. Microsoft’s attribution has added tension to an already strained geopolitical situation, while organizations hurry to protect themselves from possible follow-up attacks.
In the months ahead, more details are likely to emerge. But for now, the message is clear: the time for ignoring security in legacy systems is over. The consequences of neglecting this can have global implications.
