Widespread Microsoft SharePoint Server Hack Exposes Global Organizations to Cyber Threat

By Axel Miller | 22 Jul 2025


A recently discovered cyber-espionage campaign exploiting Microsoft SharePoint server software has compromised about 100 organizations worldwide, with researchers warning that the scope may grow further. The attack, classified as a “zero-day” exploit due to its use of a previously unknown vulnerability, has targeted self-hosted SharePoint servers — popular tools used for internal document sharing and collaboration.

Microsoft issued an alert over the weekend warning of “active attacks” on these servers, which are typically managed in-house by IT departments. Cloud-hosted SharePoint services, run directly by Microsoft, appear unaffected.

According to cybersecurity firm Eye Security, which helped identify the breach, attackers used the vulnerability to install backdoors — allowing continued access to compromised systems. Vaisha Bernard, the firm’s chief hacker, said that a scan conducted with nonprofit cybersecurity group Shadowserver Foundation identified the initial victims before the broader hacking method was made public.

“It's unambiguous,” Bernard stated. “Who knows what other adversaries have done since to place other backdoors.”

Shadowserver confirmed the 100-victim figure, noting that most of those affected were in the United States and Germany, with the victims including government organizations. While no specific organizations have been named, national cybersecurity agencies have been notified.

Early indicators suggest the attack may be the work of a single group or coordinated actors, though experts warn that copycat activity could quickly follow. "It's possible that this will quickly change," said Rafe Pilling, director of Threat Intelligence at British firm Sophos.

Microsoft responded by releasing a security patch and urged customers to install it immediately. However, experts caution that patching alone may not fully resolve the issue — especially if attackers have already established a persistent presence.

Adding to the concern, Google’s security team has attributed at least part of the campaign to a “China-nexus threat actor.” While the Chinese government has not commented, it typically denies involvement in such operations.

The FBI acknowledged the attack and said it is working closely with both public and private partners. The UK’s National Cyber Security Centre also confirmed it was aware of "a limited number" of targets within Britain.

The scale of potential exposure remains large. According to data from Shodan and Shadowserver, between 8,000 and 9,000 internet-connected SharePoint servers globally could be vulnerable — spanning industries from finance and healthcare to manufacturing and government agencies.

"The SharePoint incident appears to have created a broad level of compromise across a range of servers globally," said Daniel Card of UK-based cybersecurity consultancy PwnDefend. “Taking an assumed breach approach is wise, and it's also important to understand that just applying the patch isn't all that is required here.”

Summary:
A major cyberattack exploiting a vulnerability in Microsoft’s self-hosted SharePoint servers has hit about 100 organizations, including government bodies. With over 9,000 servers potentially at risk, security experts urge immediate patching and deeper forensic reviews. While attribution remains uncertain, some evidence points to a China-linked group. The incident underscores the growing scale and complexity of modern cyber threats.

FAQs: Microsoft SharePoint Server Hack

1. What exactly is a zero-day vulnerability?
A zero-day vulnerability refers to a software security flaw that is unknown to the vendor and has not been patched. Hackers exploit these weaknesses before developers can release a fix, making them especially dangerous.

2. Who is affected by this SharePoint server hack?
Approximately 100 organizations have been confirmed as affected so far, primarily in the United States and Germany. Victims include government entities, industrial firms, banks, healthcare providers, and auditing companies.

3. Are Microsoft’s cloud-hosted SharePoint services affected?
No. Only self-hosted SharePoint servers, managed directly by organizations, have been targeted in this campaign. Microsoft’s cloud-based SharePoint services remain secure, according to the company.

4. How did attackers gain access to these systems?
The attackers exploited a zero-day flaw in Microsoft SharePoint server software to install backdoors — allowing persistent, unauthorized access even after initial detection.

5. Has Microsoft released a patch?
Yes. Microsoft issued a security update and has strongly urged customers running self-hosted SharePoint to install it immediately. However, experts stress that patching may not be enough if attackers already established backdoor access.

6. Who is behind the attack?
While attribution is not definitive, Google’s cybersecurity division has linked parts of the campaign to a China-nexus threat actor. The Chinese government has not issued a comment but generally denies involvement in cyberattacks.

7. What should organizations do if they suspect they’re compromised?
Experts recommend an “assume breach” mindset. This includes applying the latest patch, conducting a full forensic audit of SharePoint environments, scanning for unusual behavior or unknown accounts, and alerting national cybersecurity authorities.

8. How many servers worldwide are potentially vulnerable?
Estimates suggest that between 8,000 and 9,000 internet-connected SharePoint servers could be exposed globally, making this a widespread and potentially escalating threat.

9. Is this a one-time attack or part of a larger campaign?
Current data points to a focused campaign likely run by a specific threat actor or group. However, security analysts warn that more groups could exploit the same vulnerability now that it's public.

10. How serious is the risk to businesses and governments?
The risk is significant. Compromised SharePoint servers can be used to steal sensitive data, plant additional malware, or disrupt operations. Given that affected systems include government and critical infrastructure, the broader implications are serious.
