SharePoint on In-House Servers Hacked
On July 22, 2025, Microsoft accused two Chinese nation-state actors, Linen Typhoon and Violet Typhoon, of exploiting flaws in the SharePoint document management software to target businesses and government agencies worldwide. Additionally, according to the company's blog post, a third China-based hacking group, which Microsoft tracks as Storm-2603, also exploited the SharePoint vulnerabilities.
Just days before the announcement, the Microsoft Security Response Center (MSRC) issued a warning on July 19, alerting administrators to an active exploit campaign targeting vulnerabilities in SharePoint Server. Microsoft emphasized that these attacks affect only on-premises deployments of SharePoint and do not impact Microsoft 365’s SharePoint Online.
“This attack specifically targets organizations running SharePoint on their own in-house servers,” explained PrivaPlan CIO Ron Bebus. “Since PrivaPlan and the majority of our clients use SharePoint through Microsoft’s secure, cloud-hosted environment, we are not affected by this vulnerability.”
Why It Matters
Many other businesses and institutions using SharePoint on in-house servers to store and collaborate on documents have reportedly had their sign-in credentials stolen. A cybersecurity firm’s report reviewed by Bloomberg News states that hackers also breached the systems of a US-based healthcare provider and targeted a public university in Southeast Asia, although neither is named in the report.
This incident follows a pattern of Chinese state-sponsored cyber operations targeting critical infrastructure and sensitive sectors worldwide. In recent years, Microsoft has consistently tracked nation-state actors who have leveraged zero-day vulnerabilities to gain persistence within networks — often going undetected for months.
What’s Being Done
“Investigations into other actors also using these exploits are still ongoing,” Microsoft stated in its blog. “With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks.”
Microsoft has already released patches for the affected SharePoint Server versions. However, the company is still working to deploy additional fixes that close gaps in older or less common configurations. According to the MSRC, the primary vulnerability allows attackers to execute arbitrary code remotely, gain elevated privileges, and move laterally across systems once they are inside.
Security experts recommend that IT teams running SharePoint Server on their on-premises networks take the following immediate steps:
- Apply Microsoft’s July 2025 security updates to all on-premises SharePoint servers.
- Conduct a credential audit and reset any exposed or potentially compromised accounts.
- Enable multi-factor authentication (MFA) wherever possible, especially for admin-level accounts.
- Consider migrating from on-premises SharePoint to cloud-based Microsoft 365 for enhanced security and faster patch cycles.
Safeguard Your Data
We understand how critical it is to safeguard confidential information. That’s why we offer comprehensive Privacy Risk Assessments tailored specifically for corporations, healthcare providers, and government agencies that handle large volumes of personal and confidential data.