Microsoft has issued an urgent security warning confirming that multiple Chinese state-sponsored hacking groups are actively exploiting a zero-day vulnerability in SharePoint Server. The attacks, which began in recent days, have already compromised approximately 100 organizations worldwide, including U.S. government agencies, healthcare providers, and large enterprises. The exploit targets on-premises SharePoint deployments and allows unauthenticated attackers to perform spoofing attacks, enabling network infiltration and data exfiltration. Microsoft’s SharePoint Online, part of Microsoft 365, is not affected.

The Zero-Day Exploit

The vulnerability, for which no patch existed at the time of active exploitation, is a spoofing flaw that tricks SharePoint Server into treating a malicious actor as a trusted entity. An attacker can leverage this weakness to bypass authentication, impersonate legitimate users, and gain unauthorized access to sensitive files and services. According to Microsoft’s advisory, the flaw enables “spoofing on a network,” which in practice can facilitate lateral movement, credential theft, and deployment of additional malware.

Microsoft released out-of-band security updates specifically for SharePoint Server 2016 and SharePoint Server 2019. The company emphasized that all versions of SharePoint Server prior to these updates are vulnerable. The patches correct the underlying authentication mechanism, preventing the spoofing vector. Organizations that cannot immediately apply the update are advised to disconnect affected servers from the internet or restrict external access until patching is complete.

Who’s Behind the Attacks

Microsoft attributed the campaign to at least three Chinese state-sponsored groups tracked as “Linen Typhoon,” “Violet Typhoon,” and “Storm-2603.” These threat actors have been observed exploiting the SharePoint zero-day to breach networks and establish persistence. Linen Typhoon, in particular, has a history of targeting critical infrastructure and supply chain entities across the United States and its allies.

The U.S. Federal Bureau of Investigation confirmed it is aware of the intrusions and is working closely with federal and private sector partners. However, details of specific victim organizations remain limited. The Washington Post first reported the attacks, citing unnamed officials who described the operation as a coordinated cyberespionage campaign.

Scope of the Breach

The impact spans multiple sectors. Among the confirmed victims is the U.S. National Nuclear Security Administration (NNSA), the agency responsible for maintaining the nation’s nuclear weapons stockpile. While no classified information is believed to have been accessed, the breach highlights the severity of the campaign. Other targets include educational institutions, healthcare networks, and multinational corporations. The attackers have focused on exfiltrating sensitive documents, intellectual property, and credentials that could be used for future intrusions.

Security researchers note that the attacks are not indiscriminate. The groups appear to be carefully selecting victims with high-value data or strategic importance, consistent with state-sponsored objectives. The zero-day nature of the exploit allowed the attackers to remain undetected for an unknown period before Microsoft’s detection systems flagged the anomalous activity.

Microsoft’s Countermeasures

In response, Microsoft deployed multiple layers of defense and guidance:

  • Security updates: Patches for SharePoint Server 2016 and 2019 were released as part of an out-of-band update cycle. Microsoft urges all customers to apply these immediately. For older versions, customers should upgrade to a supported version to receive patches.
  • Antimalware Scan Interface (AMSI): Enabling AMSI provides enhanced visibility into script behavior, helping to block malicious PowerShell or .NET commands that attackers often use after gaining initial access.
  • Microsoft Defender Antivirus: Updated signatures detect and block the known exploit payloads. Microsoft Defender for Endpoint can correlate alerts to identify post-exploitation activity.
  • Machine Key rotation: Once an attacker gains access, they may attempt to forge authentication tokens. Rotating machine keys invalidates any stolen tokens and severs attacker access.
  • Endpoint protection: Deploying endpoint detection and response (EDR) solutions can help identify lateral movement and suspicious processes.

Additionally, Microsoft has been coordinating with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Department of Defense Cyber Command, and international cybersecurity bodies to disseminate threat intelligence and remediation steps.

Immediate Steps for Organizations

CISA released a technical advisory outlining critical actions for all SharePoint Server administrators:

  1. Isolate or shut down affected servers until patches are installed. This may involve disconnecting the server from the internet entirely.
  2. Renew all credentials and secrets that could have been exposed, including service accounts, machine keys, and any user credentials that might have been harvested.
  3. Engage incident response teams or trusted third-party cybersecurity firms to conduct a thorough forensic investigation.
  4. Enable detailed logging and monitor for signs of compromise, such as unusual outbound traffic, unauthorized new accounts, or unexpected changes to SharePoint configurations.
  5. Review and restrict access controls for SharePoint farms, ensuring that only necessary service accounts have administrative privileges.

Microsoft also emphasized that organizations using cloud-based SharePoint Online or Microsoft 365 are not directly vulnerable to this exploit. However, they should still review access to any on-premises resources integrated with cloud services, as compromised on-premises servers could serve as a pivot point.

The Broader Threat Landscape

This incident is the latest in a string of high-profile zero-day attacks linked to Chinese state-sponsored groups. In recent years, similar campaigns have targeted Exchange Server, SolarWinds, and VPN appliances. The shared pattern involves exploiting unknown vulnerabilities to gain a foothold, moving laterally to find valuable data, and maintaining long-term access for espionage purposes.

For defenders, the SharePoint zero-day reinforces several painful truths:

  • On-premises software remains a high-value target. Even as organizations shift to the cloud, legacy systems that are not as rapidly updated become prime entry points.
  • Zero-day vulnerabilities are a persistent threat. Advanced persistent threat (APT) actors invest heavily in discovering and weaponizing these flaws before vendors can respond.
  • Collaboration between government and industry is essential. Microsoft’s rapid coordination with CISA and other agencies enabled quicker dissemination of patches and indicators of compromise, potentially limiting the damage.

Security experts recommend that organizations adopt a assume-breach mentality: continuous monitoring, strict identity hygiene, and segmentation can limit the blast radius when a zero-day is exploited.

Looking Ahead

Microsoft continues to investigate the full extent of the intrusions and may release additional patches or detection rules as more details emerge. The company has not ruled out the possibility that other threat actors could attempt to reverse-engineer the patches to develop their own exploits, as has happened in past high-profile vulnerabilities.

For organizations, the immediate priority is patching. Beyond that, this incident should trigger a thorough review of SharePoint security configurations, credential management processes, and incident response playbooks. The NNSA breach, in particular, underscores that even the most sensitive government networks can be compromised when zero-days are deployed skillfully.

The next weeks will likely bring more revelations about the scale and sophistication of the attacks. In the meantime, administrators must act swiftly. As one Microsoft spokesperson put it: “We have been coordinating closely with CISA, DOD Cyber Command, and key cybersecurity partners globally throughout our response.” The collective defense depends on each organization doing its part—patching, monitoring, and sharing threat information.


This is a developing story. Check windowsnews.ai for further updates as new information becomes available.