Picture this: you've built your home office inside a vault, reinforcing the walls, using unique keycards, and even incorporating a biometric scanner.
A few weeks later, you notice that some of your paperwork is missing. Using a security camera, you find out somebody can slip through the mail slot to sneak in quietly and efficiently. They've been doing this for weeks without you knowing.
That's just what Microsoft customers worldwide discovered, while too many still haven't discovered their door has been left wide open.
On July 19, Microsoft confirmed that state-sponsored hackers from China exploited two significant zero-day vulnerabilities in SharePoint Server.
The attacks, which began as early as July 7, affect only on-premises SharePoint installations and do not impact the cloud-based SharePoint Online service, the company said in a security bulletin.
Microsoft warned that it "assesses with high confidence" that the threat actors will continue their assault against vulnerable systems where companies haven't taken the necessary precautions.
The vulnerabilities allow attackers to spoof authentication credentials and execute malicious code remotely on vulnerable servers.
Let me know if you've heard this record before.
The groups involved were Linen Typhoon, Violet Typhoon, and Storm-2603. Their names sound like those of forgotten regional bands playing at county fairs. But what they did lived up to the storm in their names: a surgical, multi-pronged infiltration of a trusted collaboration tool used by millions.
This wasn’t just rain; it was acid rain.
Three Chinese Hacking Groups Exploited Microsoft SharePoint
What the hackers did wasn't something that a 22-year-old living in mom's basement could do. These professional espionage teams were funded, directed, and protected by the People's Republic of China.
Each group had its own specific role.
- Linen Typhoon probed for weaknesses and reported which servers were exposed.
- Violet Typhoon handled authentication bypasses, allowing hackers to impersonate legitimate users.
- Storm-2603 installed malicious payloads, executed commands remotely, and extracted cryptographic tokens, essentially cloning the victim’s digital keys.
Two specific flaws were exploited (CVE-2025-49704 and CVE-2025-4796), both of which were rated critical. Once in, the attackers could impersonate anyone, pull sensitive documents, or even use the compromised server as a launchpad into the rest of the network.
This wasn't just code manipulation; it was identity theft down to the infrastructure level.
It's like somebody stole your master key for every door you've opened online, giving them the same access.
Initial Reports Pegged 100 Victims: It’s Now Over 400
It sounds limited, doesn't it? Initially, Microsoft warned only a handful of targets, possibly around 100.
Then came the dripping, which became a flood. Independent cybersecurity researchers report that over 400 systems have been compromised. Significant targets include:
- U.S. Department of Energy
- National Institutes of Health
- National Nuclear Security Administration
And those are just the ones we are aware of. I'll repeat myself: Where have we heard this before?
Other targets, potentially corporations, research institutions, and banks, haven't reported a breach. Why would they stay silent? Embarrassment, legal exposure, or more frighteningly, they don't know.
It's like being robbed while you're in bed, and the thief leaves no trace they were ever there. They walk in, copy all your security keys, clean up after themselves, and walk out wearing a Cheshire Cat's grin.
If you're not rattled, consider this: The breached systems weren't all hosted on cloud servers; many were on-site SharePoint deployments, because some companies believed that staying away from the cloud would make them safe.
What's ironic is that decision made them more vulnerable. While Microsoft's cloud infrastructure was protected, back-office SharePoint servers weren't.
Microsoft Released Security Patches, but They’re not Enough
Affected companies treated the patch like a prayer chain; after all, they did what they were told to do when cyber chaos erupts. The July 19 update from Microsoft was critical. The problem is that the company is treating this as a simple "patch and forget" situation. It's like slapping duct tape on a gas leak.
These attacks weren't just breaches; they were identity-level attacks.
Identity-based attacks are cyberattacks that target user credentials, such as usernames, passwords, and authentication tokens, to gain unauthorized access to systems or data. These attacks exploit weaknesses in identity security through methods like phishing, credential stuffing, MFA bypass, and session hijacking, allowing attackers to impersonate legitimate users and move laterally within a network. Identity attacks are on the rise for several reasons: the use of adversarial AI, companies moving to cloud-based identity providers, and the adoption of more SaaS applications. Five of the top 10 MITRE ATT&CK tactics are identity-based.
In a case of closing the barn door after the horses escape, security researchers now warn that organizations must take the following steps; otherwise, hackers might still be quietly watching and waiting.
- Rotate cryptographic keys.
- Revoke stolen tokens.
- Conduct deep forensics on access logs.
- Use behavioral anomaly detection tools.
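The last two steps, forensics on access logs and behavioral anomaly detection, are the ones a defender can start on immediately with the logs already on the server. The script below is an added example, not code from the article or from Microsoft: it compares a baseline period of IIS W3C access-log lines from an on-premises SharePoint front end against the window under investigation and flags three identity-level signals that match the attack described above, namely a known identity presented from a client IP and user agent it never used before, authenticated activity outside that user's normal hours, and write requests that succeeded without any authenticated user. All log lines, user names, IP addresses and paths are constructed for the example. Key rotation and token revocation, the first two steps, are done with SharePoint's own administrative tooling and are not shown here.

```python
"""
Added example (not from the article, not Microsoft tooling): baseline-vs-window
checks over IIS W3C access logs from an on-premises SharePoint front end.
Every log line below is constructed; users, IPs, agents and paths are invented.
"""
from collections import defaultdict
from datetime import datetime

# Constructed W3C excerpt from before the period under investigation
# (same column layout IIS writes when these fields are enabled).
BASELINE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2025-07-01 08:02:11 GET /sites/finance/Shared%20Documents/Forms/AllItems.aspx alice 10.10.4.21 Mozilla/5.0+(Windows+NT+10.0) 200
2025-07-01 08:05:40 GET /sites/finance/_layouts/15/start.aspx alice 10.10.4.21 Mozilla/5.0+(Windows+NT+10.0) 200
2025-07-02 09:14:03 GET /sites/hr/SitePages/Home.aspx bob 10.10.7.88 Mozilla/5.0+(Windows+NT+10.0) 200
2025-07-03 10:30:15 POST /sites/finance/_vti_bin/client.svc/ProcessQuery alice 10.10.4.21 Mozilla/5.0+(Windows+NT+10.0) 200
"""

# Constructed excerpt from the window being examined.
WINDOW_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status
2025-07-08 02:13:44 GET /sites/finance/Shared%20Documents/Forms/AllItems.aspx alice 203.0.113.45 python-requests/2.32 200
2025-07-08 02:13:51 POST /sites/finance/_vti_bin/client.svc/ProcessQuery alice 203.0.113.45 python-requests/2.32 200
2025-07-08 08:01:02 GET /sites/finance/_layouts/15/start.aspx alice 10.10.4.21 Mozilla/5.0+(Windows+NT+10.0) 200
2025-07-08 08:01:09 GET /sites/hr/SitePages/Home.aspx bob 10.10.7.88 Mozilla/5.0+(Windows+NT+10.0) 200
2025-07-09 03:40:27 POST /sites/finance/_layouts/15/upload.aspx - 203.0.113.45 python-requests/2.32 200
"""

WRITE_METHODS = {"POST", "PUT", "DELETE", "MERGE"}


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            row = dict(zip(fields, line.split()))
            row["ts"] = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
            rows.append(row)
    return rows


def identity_profile(rows):
    """Per authenticated user: the (client IP, user agent) pairs and hours of day seen."""
    sources, hours = defaultdict(set), defaultdict(set)
    for r in rows:
        if r["cs-username"] != "-":  # "-" is IIS's marker for an anonymous request
            sources[r["cs-username"]].add((r["c-ip"], r["cs(User-Agent)"]))
            hours[r["cs-username"]].add(r["ts"].hour)
    return sources, hours


def new_sources(baseline, window):
    """Identities presented from an IP/agent pair never seen for them in the baseline."""
    base_src, _ = identity_profile(baseline)
    win_src, _ = identity_profile(window)
    return sorted((u, ip, ua) for u, pairs in win_src.items()
                  for ip, ua in pairs if (ip, ua) not in base_src.get(u, set()))


def off_hours(baseline, window, slack=2):
    """Authenticated requests outside each user's baseline hour range, widened by slack hours."""
    _, base_hours = identity_profile(baseline)
    hits = []
    for r in window:
        u = r["cs-username"]
        if u == "-" or u not in base_hours:
            continue
        lo, hi = min(base_hours[u]) - slack, max(base_hours[u]) + slack
        if not lo <= r["ts"].hour <= hi:
            hits.append((u, r["ts"].isoformat(), r["c-ip"]))
    return hits


def anonymous_writes(window):
    """Write-method requests with no authenticated user that still got a 2xx response."""
    return [(r["ts"].isoformat(), r["cs-method"], r["cs-uri-stem"], r["c-ip"])
            for r in window
            if r["cs-username"] == "-" and r["cs-method"] in WRITE_METHODS
            and r["sc-status"].startswith("2")]


def triage(baseline_text, window_text):
    """Run all three checks and return the findings keyed by check name."""
    baseline, window = parse_w3c(baseline_text), parse_w3c(window_text)
    return {
        "new_sources": new_sources(baseline, window),
        "off_hours": off_hours(baseline, window),
        "anonymous_writes": anonymous_writes(window),
    }


if __name__ == "__main__":
    for kind, findings in triage(BASELINE_LOG, WINDOW_LOG).items():
        print(kind)
        for finding in findings:
            print("   ", finding)
```

On the constructed data, alice's account shows up from an address and client it had never used, at an hour it had never been active, while a request with no authenticated user still managed a successful write. None of these is proof of compromise on its own, which is why the checks are run against a per-user baseline rather than fixed thresholds: an account that genuinely works nights or from a new laptop will have that reflected in its own history. A real run would point `parse_w3c` at the full log set rather than the embedded strings, and the findings would feed the token-revocation and key-rotation steps above, since a stolen token keeps working until it is revoked regardless of what the patch fixed.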
Microsoft's update didn't restore the identities of compromised machines, and it couldn't undo the theft of keys that had already happened. Communications with infiltrated servers weren't re-secured.
So, the barn door’s closed, but the horse is long gone, and the thief might still be living in the hayloft.
How Did We Get Here?
Four years ago, China's Hafnium group performed a similar breach using Microsoft Exchange, hitting similar targets and exploiting zero-day vulnerabilities, meaning no patch or fix existed to address the issue before it was exploited.
Companies did then what they're doing now: remaining silent and not sharing the fact that they had been breached.
Learning from mistakes is a hallmark of humble people. Microsoft didn't learn from those prior mistakes, in which China's hand was already apparent.
China has always been more aware of our dependence on technology than we have. We trusted default security settings and responded slowly to cyber threats unless they made headlines.
Beijing knows America treats cybersecurity like a nuisance instead of a battlefield.
A nation that fights over banning TikTok but can't patch its own SharePoint is not a player in digital sovereignty.
"They're Not After Me"
If your small business doesn't think it's a target, it misunderstands the threat. Your SharePoint site might become a gateway for a third-party vendor targeting a larger audience.
This is precisely how so many of these attacks leapfrog across ecosystems. If you have a single bad plugin, an outdated patch, or an overworked sysadmin, you'll find yourself vulnerable.
Final Thoughts
Foreign interference in elections and AI warfare are the new Cold War, playing out in real time. And they don't need a red button. Just a missed patch, a complacent IT team, and a SharePoint server you forgot about in a basement somewhere.
The scariest part of this breach isn’t that the hackers got in. It’s how few people noticed.
Your documents, contracts, strategy memos, and customers' data: if SharePoint was the nerve center of your operation, you've just been exposed.
We don’t need a cybersecurity Chernobyl to take this seriously. The sirens are already wailing.
And this time, Beijing isn’t even pretending to knock.