Microsoft has issued an alert about a serious security breach affecting SharePoint on-premises servers, warning organizations worldwide that active attacks exploit zero-day vulnerability in their collaboration platform.
The tech giant confirmed that hackers have successfully compromised tens of thousands of servers used by government agencies, universities, energy companies, and private enterprises globally, with US and UK government agencies confirming reports.
“Microsoft is aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update,”
The company said on a blog post.
This revelation represents one of the most significant threats to Microsoft’s enterprise ecosystem in recent months, with the potential to impact critical business operations and sensitive data across multiple sectors.
Additionally, the scope of potential damage extends beyond SharePoint itself, as the platform typically integrates deeply with other Microsoft services including Outlook, Teams, and OneDrive, allowing attacks to expand across workflows.
Examining the Attack
Federal cybersecurity authorities, such as the US Cybersecurity and Infrastructure Security Agency (CISA), have said the scope of the attack is still being assessed but have characterized the threat as urgent and ongoing.
What is known already, however, is that unlike typical security flaws that might allow limited access, this exploit grants attackers comprehensive control over affected SharePoint installations. This has enabled them to steal authentication keys that let them back in even after system reboots and security patches have been applied.
Furthermore, due to SharePoint’s extensive integration with Microsoft 365 services, attackers can pivot to access email systems, file repositories, and communication platforms. This lateral movement capability transforms a single server compromise into an organization-wide security incident, potentially exposing years of stored communications, documents, and business intelligence.
Two US agencies, institutions in China, a local government agency in Spain, and a university in Brazil are reported to have been hit by this attack, highlighting the scope of the issue.
An official in an affected organization in the US said the attackers had “hijacked” a repository of documents made available to residents to help them understand the workings of government. The agency is currently unable to access the material in question, which the raiders may or may not have deleted.
According to spokesperson for the Department of Homeland Security and CISA spokesperson Marci McCarthy, the hack came after Microsoft fixed a security flaw in SharePoint earlier this month, which inadvertently alerted the hackers that they might be able to exploit a similar vulnerability.
McCarthy said CISA was alerted to the hack by a cyber research firm on Friday and flagged it to Microsoft.
What to Do to Protect Yourself
Microsoft has explained how the exploit specifically targets on-premises SharePoint 2016, 2019, and Subscription Edition installations, while cloud-hosted SharePoint Online services remain unaffected due to their different architecture and security controls.
This vulnerability is particularly dangerous because it provides unauthenticated access to SharePoint servers, essentially allowing attackers to bypass normal login requirements entirely.
Once inside, threat actors can extract authentication tokens and certificates that grant them persistent access to the compromised environment. These stolen credentials remain valid even after the initial vulnerability is patched, or a system is rebooted, creating a scenario where organizations must not only apply security updates but also conduct comprehensive credential rotation and system auditing.
Microsoft has responded by releasing emergency patches for SharePoint 2019 and Subscription Edition servers.
To mitigate potential attacks, Microsoft recommends five key steps customers should undertake.
- First is to make sure to use supported versions of on-premises SharePoint Server
- Another is to apply the latest security updates
- It recommends deploying Microsoft Defender for Endpoint protection, or equivalent threat solutions
- Ensure the Antimalware Scan Interface (AMSI) is turned on and configured correctly, with an appropriate antivirus solution in order to detect irregular activity
- Lastly, it advocates rotating SharePoint Server ASP.NET machine keys.
With Microsoft’s response timeline to applying any deeper backend fixes to this issue still unclear, and additional updates for the affected SharePoint 2016 currently in development, such remediation efforts like rotating keys may be some of the only options IT teams can apply on their side to keep their environments secure.
Keeping On-Premises Secure Amid Attacks
The coordinated attacks against Microsoft SharePoint and Exchange servers represent more than isolated security incidents; they mark a strategic escalation in threats facing enterprise collaboration infrastructure.
The sophistication of these attacks, combined with their targeting of high-value organizational assets, indicates that threat actors have identified collaborative platforms as critical vulnerabilities in modern business operations.
The technical characteristics of these attacks, including their persistence mechanisms, lateral movement capabilities, and ability of attackers to maintain access even after patching, are a wake-up call for organizations to consider additional procedures as part of their security posture.
With Microsoft recently eliminating over 1,000 scenarios of high-privilege access, it’s clear scenarios like these are some that Microsoft has been working toward eliminating.
Yet despite its promise to improve security, with new initiatives and CEO pay taking a hit over previous failures, it seems Microsoft still has some work to do in keeping customer environments safe.
