Microsoft's widely used SharePoint platform is the latest target of a large cyber-espionage campaign that has affected hundreds of organizations worldwide. Since early July, attackers have been actively exploiting a zero-day vulnerability in on-premises SharePoint Server to bypass authentication, steal the server's ASP.NET cryptographic machine keys, and plant web shells for long-term access.
Microsoft has confirmed that CVE‑2025‑53770 affects SharePoint Server 2016, SharePoint Server 2019, and SharePoint Server Subscription Edition. Cloud-hosted SharePoint Online in Microsoft 365 is not affected, but administrators of on‑premises deployments are urged to install the security updates immediately.
What Happened?
The campaign, first observed around July 7, relies on an exploit chain known as ToolShell, which links two vulnerabilities: CVE‑2025‑49706, an authentication bypass (spoofing) flaw, and CVE‑2025‑49704, a deserialization bug that yields remote code execution. CVE‑2025‑53770 is a variant of that chain that evades the July Patch Tuesday fixes. Once code is running on the server, the attackers read the ASP.NET machine keys (the ValidationKey and DecryptionKey from web.config). With those keys they can sign their own ViewState payloads, which the server then accepts as legitimate without any credentials. The result is unauthenticated code execution that survives removal of the web shell and persists until the keys are rotated.
Researchers found a web shell named spinstall0.aspx written to the SharePoint LAYOUTS directory on compromised servers. It is not a general-purpose command shell: it is a small page that reads the machine key configuration and returns it to the attacker, who then uses the stolen keys to forge signed ViewState requests for code execution. Microsoft noted that the foothold is a natural starting point for lateral movement, since on-premises SharePoint servers are typically domain-joined and integrated with other internal systems, so data well beyond the SharePoint farm is exposed.
Scale and Global Impact
Early telemetry suggested that roughly 100 organizations had been compromised. More recent figures from security company Eye Security put the count above 400 organizations worldwide, including government departments, critical infrastructure operators, telecommunications firms, universities, and energy companies.
In the United States, attackers reportedly hit several federal agencies and state organizations, including some involved in energy security and scientific research. Elsewhere, victims include organizations in Europe, Asia, and the Middle East. Researchers have not named specific victims, but they caution that the true extent of the breach exceeds what has been confirmed so far.
"There are many more victims because not all attack vectors have dropped artifacts that we could scan for," observed Vaisha Bernard, a director at Eye Security, highlighting the difficulty of measuring the campaign's impact.
Who’s Behind the Attacks?
Microsoft has attributed the activity to China-affiliated threat groups. Its threat intelligence team observed two known Chinese state actors, Linen Typhoon and Violet Typhoon, as well as a cluster it tracks as Storm‑2603 and assesses to be China-based, exploiting these vulnerabilities. Linen Typhoon and Violet Typhoon have previously targeted Western defense contractors, governments, and technology providers in search of intellectual property and strategic information.
“Based on our assessment, at least one of the parties responsible for the early exploitation is a China-nexus threat actor,” stated Charles Carmakal, Mandiant’s Chief Technology Officer, who has been involved in incident response support. (Source: CRN Magazine)
The attribution fits a long-running pattern: state-backed actors exploiting zero-days in enterprise collaboration platforms that are essential to daily operations yet are often patched late because of uptime requirements.
Microsoft’s Response
Microsoft released out-of-band security updates on July 20 for SharePoint Server Subscription Edition and SharePoint Server 2019, with the SharePoint Server 2016 update following shortly afterwards, to fix CVE‑2025‑53770 and the related spoofing variant CVE‑2025‑53771. Because attackers may already hold a server's machine keys, Microsoft's guidance goes beyond patching. After installing the update, administrators should rotate the ASP.NET machine keys of every SharePoint web application (through the SharePoint Management Shell or the Central Administration machine key rotation job) so that already-stolen keys can no longer be used to forge ViewState payloads, and then restart Internet Information Services (IIS) on every server in the farm. Microsoft also advises confirming that the Antimalware Scan Interface (AMSI) integration is enabled in Full Mode with Microsoft Defender Antivirus on all SharePoint servers, which blocks the known exploit requests, and deploying Microsoft Defender for Endpoint for better visibility and incident response.
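The rotation step is the one most often done half-way, because nothing visibly breaks if it silently fails. The script below is an added example written for this article, not Microsoft's own script: it fingerprints each web application's current validationKey, rotates the keys, re-fingerprints, and only restarts IIS once every key has actually changed. It assumes it runs in the SharePoint Management Shell as a farm administrator on a server that already has the July 2025 update, and that Update-SPMachineKey is the rotation cmdlet for the reader's build (Microsoft's guidance also names Set-SPMachineKey and the Central Administration "Machine Key Rotation Job"; the Get-Help text on the farm is the authority).

```powershell
# Added example, not Microsoft's script: rotate the ASP.NET machine keys of every SharePoint
# web application, restart IIS, and confirm the validation key on this server actually changed.
# Assumptions: run in the SharePoint Management Shell as a farm administrator, after the July 2025
# security update is installed on every server; Update-SPMachineKey is the rotation cmdlet on
# your build (Microsoft's guidance also refers to Set-SPMachineKey and the Central Administration
# "Machine Key Rotation Job"; confirm with Get-Help before relying on either).

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Fingerprint the validationKey in a web application's web.config on this server, so the
# before/after values can be compared without the secret itself ever being printed or logged.
function Get-ValidationKeyFingerprint {
    param([Microsoft.SharePoint.Administration.SPWebApplication]$WebApplication)
    $zone = [Microsoft.SharePoint.Administration.SPUrlZone]::Default
    $iis = $WebApplication.IisSettings[$zone]
    if (-not $iis) { return $null }                       # no IIS site for the default zone
    [xml]$config = Get-Content -Path (Join-Path $iis.Path.FullName 'web.config')
    $key = $config.configuration.'system.web'.machineKey.validationKey
    if (-not $key) { return $null }                       # no explicit <machineKey> element
    $digest = [System.Security.Cryptography.SHA256]::Create().ComputeHash(
        [System.Text.Encoding]::UTF8.GetBytes($key))
    return ([System.BitConverter]::ToString($digest) -replace '-', '').Substring(0, 16)
}

# Do not rotate on an unpatched farm: a fresh key would simply be stolen again by the same exploit.
Write-Host "Farm build: $((Get-SPFarm).BuildVersion) - confirm this is at or above the fixed build Microsoft lists for your version."

$results = foreach ($app in Get-SPWebApplication) {
    $before = Get-ValidationKeyFingerprint -WebApplication $app
    # Generates a new validation/decryption key pair and deploys it to every server in the farm
    # (assumption: this is the rotation cmdlet on your build; the check below catches it if not).
    Update-SPMachineKey -WebApplication $app
    $after = Get-ValidationKeyFingerprint -WebApplication $app
    [pscustomobject]@{
        WebApplication = $app.DisplayName
        Before         = $before
        After          = $after
        Rotated        = ($before -ne $after)
    }
}
$results | Format-Table -AutoSize

# A 'Rotated = False' row means the old, possibly exfiltrated, key is still in force:
# stop and investigate before restarting IIS and treating the server as remediated.
if ($results | Where-Object { -not $_.Rotated }) {
    Write-Warning 'At least one web application still has its previous validationKey.'
} else {
    # Microsoft's guidance: restart IIS on every SharePoint server after rotating the keys.
    & "$env:SystemRoot\System32\iisreset.exe"
}
```

Run it on every server in the farm, not just the one where rotation was triggered: a web.config that still carries the old fingerprint on any server leaves that server accepting payloads signed with the stolen key. The Central Administration web application is not returned by Get-SPWebApplication without -IncludeCentralAdministration and should be rotated the same way.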
“We are collaborating with partners, including CISA and international security agencies, to disrupt this campaign and safeguard customers,” Microsoft stated in an official blog entry.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added CVE‑2025‑53770 to its Known Exploited Vulnerabilities (KEV) catalog on July 20, which under Binding Operational Directive 22-01 obliges federal civilian executive branch agencies to remediate it by the catalog's deadline, in this case the following day.
Broader Cybersecurity Implications
The case shows how exposed on-premises collaboration platforms remain: they often lag cloud-hosted services in patch cadence and built-in threat protection. Because SharePoint is woven into Microsoft 365 workloads such as Teams, Outlook, and OneDrive, a compromised server is an attractive foothold for attackers seeking broad access to an enterprise.
Attacks on collaboration platforms are increasing. Palo Alto Networks' Unit 42 reports that exploitation of vulnerabilities in collaboration software grew 38% year-over-year in 2025, driven by remote work and the value of the aggregated business data these systems hold.
For companies still running on-premises SharePoint, the stolen machine keys are the lasting danger: they remain valid after patching unless they are explicitly rotated, so an attacker who holds them keeps a way back in. Forged session tokens and harvested credentials can then support follow-on intrusions, intellectual property theft, or long-term espionage.
Expert Takeaways
Mandiant's Charles Carmakal sees the attack as part of a larger strategic shift: in his view, nation-state actors are increasingly targeting enterprise collaboration tools because they sit inside organizations' everyday workflows and offer high-value access once compromised. Collaboration platforms, he argues, must now be treated as high-value assets, with organizations adopting zero trust models that authenticate every access request, isolate sensitive workloads, and monitor user activity for anomalies.
What Can CISOs Do Now?
Security researchers recommend a multi-pronged response rather than patching alone. First, deploy Microsoft's July 20 security update to every on-premises SharePoint instance without delay. Next, rotate the ASP.NET machine keys (and any other credentials the server held) and restart IIS, so that access forged with stolen keys is cut off. Then hunt: check the LAYOUTS directories for spinstall0.aspx and similar uploads, and review IIS logs for the unauthenticated POST requests to ToolPane.aspx and the requests for the web shell that mark this campaign.
Affected servers should be isolated and examined with endpoint detection and response tooling to reveal any hidden persistence. Many security teams are also bringing in outside incident response specialists for a deeper forensic review of their SharePoint deployments. Longer term, organizations may need to revisit their collaboration platform strategy, whether by migrating to cloud-hosted services or by adding zero trust controls around their on-premises implementations.
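The hunting step above is concrete enough to script. What follows is an added example written for this article, not tooling from Microsoft, Eye Security or Mandiant: it parses IIS W3C logs using their #Fields header, flags the two request patterns tied to the ToolShell chain (an unauthenticated POST to ToolPane.aspx with DisplayMode=Edit and a Referer of /_layouts/SignOut.aspx, and any request for spinstall0.aspx), and checks the LAYOUTS directories for the dropped page. The log lines embedded in it are constructed for the example; the host name, IP addresses and user names are placeholders, not observed data.

```powershell
# Added hunting example (not from Microsoft or Eye Security): scan IIS W3C logs for the request
# patterns tied to the ToolShell chain, and scan the LAYOUTS directories for spinstall0.aspx.
# The sample log below is constructed; host, IPs and users are placeholders, not real telemetry.

# Parse a W3C-format IIS log into objects, using the #Fields header so column order does not matter.
function ConvertFrom-IisW3cLog {
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ([string]::IsNullOrWhiteSpace($line) -or $line.StartsWith('#')) { continue }
        if (-not $fields) { throw 'No #Fields header before the first record' }
        $values = $line -split '\s+'
        $record = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) {
            $record[$fields[$i]] = if ($i -lt $values.Count) { $values[$i] } else { '-' }
        }
        [pscustomobject]$record
    }
}

# Return only the suspicious requests, each with the reason it was flagged.
function Find-ToolShellIndicators {
    param([string[]]$LogLines)
    foreach ($r in ConvertFrom-IisW3cLog -Lines $LogLines) {
        $stem    = $r.'cs-uri-stem'
        $query   = $r.'cs-uri-query'
        $referer = $r.'cs(Referer)'
        $reason  = $null
        if ($r.'cs-method' -eq 'POST' -and $stem -match '/_layouts/1[56]/ToolPane\.aspx$' -and
            $query -match 'DisplayMode=Edit' -and $referer -match '/_layouts/SignOut\.aspx$') {
            # Auth-bypass signature: the exploit POSTs to ToolPane.aspx with a SignOut.aspx Referer and
            # no session. A signed-in editor opening the tool pane arrives with a site Referer, a GET,
            # and a cs-username, so normal use is not flagged.
            $reason = 'POST to ToolPane.aspx with SignOut.aspx Referer (ToolShell auth bypass pattern)'
        } elseif ($stem -match '/_layouts/1[56]/spinstall0?\.aspx$') {
            # Any request for the key-stealing page, whatever the status code.
            $reason = 'request for spinstall0.aspx (machine-key exfiltration page)'
        }
        if ($reason) {
            [pscustomobject]@{
                Time     = "$($r.date) $($r.time)"
                ClientIp = $r.'c-ip'
                User     = $r.'cs-username'
                Request  = "$($r.'cs-method') $stem"
                Status   = $r.'sc-status'
                Reason   = $reason
            }
        }
    }
}

# Filesystem check: spinstall0.aspx is written under the SharePoint LAYOUTS folder (15 and 16 hives).
function Find-SpinstallFiles {
    param([string]$CommonFilesRoot = "${env:CommonProgramFiles}\microsoft shared\Web Server Extensions")
    foreach ($hive in '15', '16') {
        $layouts = Join-Path $CommonFilesRoot "$hive\TEMPLATE\LAYOUTS"
        if (Test-Path $layouts) {
            Get-ChildItem -Path $layouts -Filter 'spinstall*.aspx' -File -ErrorAction SilentlyContinue
        }
    }
}

# Constructed sample log: one ordinary request, the two attack requests, and one legitimate
# authenticated use of ToolPane.aspx that must not be flagged.
$sampleLog = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 17:42:10 10.0.0.5 GET /sites/finance/Shared%20Documents/Forms/AllItems.aspx - 443 CONTOSO\jdoe 10.0.1.23 Mozilla/5.0 https://sp.contoso.local/sites/finance 200 0 0 120
2025-07-18 17:43:01 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 340
2025-07-18 17:43:04 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 15
2025-07-18 17:50:22 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\admin 10.0.1.40 Mozilla/5.0 https://sp.contoso.local/sites/finance/default.aspx 200 0 0 90
'@ -split "`r?`n"

Find-ToolShellIndicators -LogLines $sampleLog | Format-Table -AutoSize

# On a real server, point it at the live logs (default IIS location) and check the filesystem:
# Find-ToolShellIndicators -LogLines (Get-Content "$env:SystemDrive\inetpub\logs\LogFiles\W3SVC*\*.log")
Find-SpinstallFiles | Select-Object FullName, LastWriteTime
```

Against the sample log, the two requests from 203.0.113.7 are reported and the two authenticated requests are not; the ToolPane.aspx rule deliberately requires the POST method, the SignOut.aspx Referer and the DisplayMode=Edit query together, because ToolPane.aspx is also a legitimate page for signed-in site editors. A hit on either rule, or a spinstall*.aspx file in LAYOUTS, means the machine keys should be assumed stolen and rotated regardless of whether the server has since been patched.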
What’s Coming Next
With more than 400 confirmed victims and the count still rising, this breach is on track to become one of the largest enterprise infrastructure attacks of 2025. It underlines an urgent fact for security leaders: collaboration platforms are now a core attack surface, and securing them demands the same urgency as financial and customer data systems.
For organizations running on-premises SharePoint, time is critical. The exploit window is still open, and nation-state actors are racing to reach unpatched infrastructure. The lesson is clear: assume breach, patch immediately, rotate the keys, and invest in ongoing monitoring to limit long-tail damage.