Microsoft is scrambling to contain a widespread cyberattack targeting SharePoint servers worldwide, with cybersecurity experts warning that over 10,000 companies could be at risk. The software giant confirmed that hackers are actively exploiting previously unknown security flaws in on-premises SharePoint servers used by government agencies, universities, and major corporations to share internal documents.
The Cybersecurity and Infrastructure Security Agency (CISA) added the vulnerability to its Known Exploited Vulnerabilities catalog on Saturday, giving federal agencies just one day to apply patches once they become available. "These exploits are real, in-the-wild, and pose a serious threat," warned Palo Alto Networks, while Google's Threat Intelligence Group confirmed observing active exploitation attempts.
Dutch cybersecurity firm Eye Security first detected the attacks on July 18th and reports that at least 85 SharePoint servers across 54 organizations have already been compromised. Among the victims are a California university, energy companies, federal health organizations, and government entities in Florida and New York.
Microsoft SharePoint's zero-day exploits leave tens of thousands of organisations vulnerable
The attack leverages what's known as a "zero-day" vulnerability – a security flaw unknown to software makers until it's actively exploited by hackers. Cybersecurity researchers estimate that over 10,000 companies with SharePoint servers are potentially at risk, with the United States, Netherlands, United Kingdom, and Canada having the highest concentrations of vulnerable systems.
"It's a dream for ransomware operators, and a lot of attackers are going to be working this weekend as well," said Silas Cutler, a researcher at Michigan-based Censys. The vulnerability allows hackers to access file systems, steal sensitive configurations, and execute malicious code across networks without authentication.
The attackers are using a technique called "ToolShell" that was originally demonstrated at the Pwn2Own security conference. They upload malicious files to steal critical server keys, then use these stolen credentials to create valid access tokens that bypass security measures entirely.
Government agencies among primary targets in Microsoft SharePoint attack
Federal and state agencies appear to be prime targets in this campaign, with the FBI confirming it's "aware of the matter" and working with government and private sector partners to assess the threat. The Washington Post reported that the breach has affected multiple U.S. agencies, though specific details remain classified for security reasons.
CISA's Acting Executive Assistant Director for Cybersecurity Chris Butera emphasized the urgency: "Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations. CISA encourages all organizations with on-premise Microsoft SharePoint servers to take immediate recommended action."
Organizations can detect if they've been compromised by checking for suspicious files named "spinstall0.aspx" on their servers or unusual network activity from specific IP addresses that security firms have identified as attack sources.
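The check described above can be scripted. The following is an added example, not code from Microsoft or any of the firms quoted: it assumes the server's IIS logs are in the W3C extended format, and the log lines, URL paths and IP addresses in it are constructed samples. It looks for the "spinstall0.aspx" file name both in request logs and on disk.

```python
import os
from collections import defaultdict

INDICATOR = "spinstall0.aspx"  # file name reported in the article

# Constructed sample in IIS W3C extended format (paths and addresses are made up).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-18 18:06:11 10.0.0.5 GET /example/home.aspx - 443 - 198.51.100.7 Mozilla/5.0 200
2025-07-18 18:06:42 10.0.0.5 GET /example/SpInstall0.aspx - 443 - 203.0.113.9 curl/8.0 200
2025-07-18 18:07:03 10.0.0.5 GET /example/spinstall0.aspx - 443 - 203.0.113.9 curl/8.0 200
2025-07-19 02:11:50 10.0.0.5 GET /example/spinstall0.aspx - 443 - 192.0.2.44 - 404
"""

def parse_w3c(lines):
    """Yield one dict per request, taking column names from the #Fields directive."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def indicator_hits(lines, indicator=INDICATOR):
    """Group requests for the indicator file by client IP as (timestamp, status)."""
    hits = defaultdict(list)
    for row in parse_w3c(lines):
        stem = row.get("cs-uri-stem", "").lower()
        if stem.rsplit("/", 1)[-1] == indicator:
            when = row.get("date", "") + " " + row.get("time", "")
            hits[row.get("c-ip", "?")].append((when, row.get("sc-status", "")))
    return dict(hits)

def find_on_disk(root, indicator=INDICATOR):
    """Return paths under root whose file name matches the indicator, ignoring case."""
    return [os.path.join(d, f) for d, _, files in os.walk(root)
            for f in files if f.lower() == indicator]

if __name__ == "__main__":
    for ip, reqs in indicator_hits(SAMPLE_LOG.splitlines()).items():
        served = [r for r in reqs if r[1].startswith("2")]
        print(ip, len(reqs), "requests,", len(served), "served (2xx)")
```

A 2xx status means the server actually served the file, which warrants more urgent follow-up than a 404 from a scanner probing for it.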
Microsoft releases emergency updates
Microsoft has released emergency security updates for SharePoint 2019 and Subscription Edition servers, with a patch for SharePoint 2016 expected soon. The company recommends that organizations unable to immediately apply updates should disconnect their SharePoint servers from the internet until patches can be installed.
For additional protection, Microsoft advises enabling its Antimalware Scan Interface (AMSI) feature and deploying Windows Defender Antivirus on all SharePoint servers. Organizations should also rotate their server security keys after applying patches to prevent further unauthorized access.
This incident adds to Microsoft's recent cybersecurity challenges, including Chinese hacker attacks earlier this year and criticism from the White House's Cyber Safety Review Board, which called the company's security culture "inadequate" following previous breaches.