Microsoft Confirms Chinese Hackers Exploited SharePoint Flaw in Targeted Attacks
- Sara Montes de Oca

- Jul 23
Microsoft revealed Tuesday that multiple hacking groups linked to China have exploited a critical vulnerability in certain versions of its SharePoint software, a widely used collaboration tool within enterprises and government agencies.
According to a blog post from the company, threat actors identified as Linen Typhoon, Violet Typhoon, and Storm-2603 began attempting to take advantage of the flaw as early as July 7. These groups are believed to operate with ties to the Chinese government.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also acknowledged ongoing exploitation of the vulnerability over the weekend, urging affected organizations to apply security patches. Microsoft issued fixes for two on-premises SharePoint versions on Sunday, followed by a third patch on Monday.
SharePoint is a core element of Microsoft’s Office ecosystem, allowing internal users to collaborate and share documents across organizations. The breach raises concerns given the platform’s centrality in both corporate and public sector operations.
Charles Carmakal, CTO of cybersecurity firm Mandiant (owned by Google), noted on LinkedIn that his team believes at least one of the groups exploiting the flaw is a China-aligned actor.
This is not the first time Microsoft software has been the target of state-sponsored cyberattacks. In 2021, a Chinese-linked group known as Hafnium exploited vulnerabilities in Microsoft Exchange Server, which handles email and calendaring.
The latest incident comes as Microsoft continues to face scrutiny over its cybersecurity practices. Just last week, the company announced it would no longer use China-based engineers to support sensitive U.S. government cloud operations, following concerns raised by lawmakers and media reports.
CEO Satya Nadella has made securing Microsoft’s cloud and software products a key priority, especially after a high-profile breach last year in which Chinese hackers reportedly accessed the email accounts of U.S. government officials.
Security experts warn that these recent incidents underscore the increasing sophistication of state-backed cyber campaigns and the persistent vulnerabilities in legacy enterprise software used globally.



