What the Microsoft SharePoint Cyberattack Means for Business

A sophisticated cyberattack targeting Microsoft SharePoint servers has compromised thousands of organisations globally, with at least two US government agencies confirmed among the victims.
Microsoft issued an urgent security alert on Saturday warning of "active attacks" exploiting a previously unknown vulnerability in its SharePoint server software.
The attack (classified as a 'zero-day attack' because it exploited a weakness that was previously unknown) has specifically targeted on-premises SharePoint installations used by government agencies and businesses for internal document sharing.
Experts now believe that tens of thousands of servers using SharePoint are at risk from the ongoing cyberattack.
Who is behind the SharePoint cyberattack?
Cybersecurity analysts believe that the coordinated nature of the attacks suggests the involvement of a single threat actor or organised group.
"Based on the consistency of the tradecraft seen across observed attacks, the campaign launched on Friday appears to be a single actor. However, it's possible that this will quickly change," said Rafe Pilling, Director of Threat Intelligence at Sophos, a British cybersecurity firm.
According to Rafe, the attackers deployed identical digital payloads across multiple targets, which suggests the breach was carried out with a systematic approach.
The consistency in attack methods has enabled researchers to trace the campaign's scope, though the perpetrator's identity remains unknown.
Government agencies and global companies at risk
At least two US government agencies have been compromised, though researchers cannot identify them due to confidentiality agreements.
A state legislature in the eastern US was among those targeted, with officials confirming that attackers had "hijacked" a repository of government documents made available to residents.
"We will need to make these documents available again in a different repository," pledged an official from the affected eastern state.
The breach has affected institutions worldwide, including organisations in China, a local government agency in Spain and a university in Brazil.
Data from Shodan, a search engine that catalogues internet-connected devices, reveals over 8,000 servers globally could potentially be compromised.
Implications for businesses
The breach carries significant ramifications for organisations relying on SharePoint.
Vulnerable systems span critical infrastructure including major industrial firms, banks, auditing companies and healthcare organisations, creating potential cascading risks across multiple sectors.
Businesses will have immediate concerns about data integrity and potential regulatory compliance issues, particularly those handling sensitive customer information or operating in heavily regulated industries.
The attack demonstrates how threat actors can leverage Microsoft's own security disclosures to identify and exploit similar vulnerabilities before organisations can adequately defend themselves.
By obtaining access to internal servers, the hackers may have stolen sensitive data from connected Outlook and Teams accounts, including passwords and cryptographic keys that could enable future access.
"The SharePoint incident appears to have created a broad level of compromise across a range of servers globally," said Daniel Card of British cybersecurity consultancy PwnDefend.
"Taking an assumed breach approach is wise, and it's also important to understand that just applying the patch isn't all that is required here."
Microsoft's cloud-based SharePoint Online service, part of the Microsoft 365 suite, remains unaffected by this particular exploit.
Is this attack Microsoft's fault?
According to insiders, this attack appears to have been triggered by Microsoft's own security practices earlier this month.
Marci McCarthy, a spokesperson for the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA), says the hack occurred after Microsoft fixed a security flaw in SharePoint, which inadvertently alerted hackers to a similar vulnerability they could exploit.
"We are working closely with our federal government and private sector partners," the FBI said in a statement confirming its awareness of the attacks.
CISA was alerted to the hack by a cyber research firm on Friday and immediately flagged it to Microsoft.
Marci has denied that her agency was "asleep at the wheel" without a permanent director, as nominee Sean Plankey continues serving in an acting capacity while awaiting Senate confirmation.
Microsoft's challenges in patching the problem
Microsoft has issued one set of security updates and is actively encouraging its customers to install them, according to a company spokesperson.
However, two further versions of SharePoint were still awaiting their own patches at the time of writing.
This latest incident highlights ongoing challenges facing Microsoft as a major technology vendor to governments worldwide, coming amid broader concerns about cybersecurity in government contracts.
The company announced on Friday it would stop employing China-based engineers on Defence Department cloud computing contracts following a security review ordered by Defence Secretary Pete Hegseth.