Global hack on Microsoft product hits U.S., state agencies, researchers say
Unknown attackers exploited a “significant vulnerability” in Microsoft’s SharePoint collaboration software, hitting targets around the world.
July 20, 2025 at 5:01 p.m. EDTYesterday at 5:01 p.m. EDT
By Ellen Nakashima, Yvonne Wingett Sanchez and Joseph Menn
Hackers exploited a major security flaw in widely used Microsoft server software to launch a global attack on government agencies and businesses in the past few days, breaching U.S. federal and state agencies, universities, energy companies and an Asian telecommunications company, according to state officials and private researchers.
The U.S. government and partners in Canada and Australia are investigating the compromise of SharePoint servers, which provide a platform for sharing and managing documents. Tens of thousands of such servers are at risk, experts said, and Microsoft has issued no patch for the flaw, leaving victims around the world scrambling to respond.
The “zero-day” attack, so called because it targeted a previously unknown vulnerability, is only the latest cybersecurity embarrassment for Microsoft. Last year, the company was faulted by a panel of U.S. government and industry experts for lapses that enabled a 2023 targeted Chinese hack of U.S. government emails, including those of then-Commerce Secretary Gina Raimondo.
This most recent attack compromises only those servers housed within an organization — not those in the cloud, such as Microsoft 365, officials said. After first suggesting that users make modifications to or simply unplug SharePoint server programs from the internet, the company on Sunday evening released a patch for one version of the software. Two other versions remain vulnerable and Microsoft said it is continuing to work to develop a patch. The company declined to comment further.
“Anybody who’s got a hosted SharePoint server has got a problem,” said Adam Meyers, senior vice president with CrowdStrike, a cybersecurity firm. “It’s a significant vulnerability.’’
The FBI said in a statement that it was aware of the matter. “We are working closely with our federal government and private sector partners,” it said.
“We are seeing attempts to exploit thousands of SharePoint servers globally before a patch is available,” said Pete Renals, a senior manager with Palo Alto Networks’ Unit 42. “We have identified dozens of compromised organizations spanning both commercial and government sectors.’’
With access to these servers, which often connect to Outlook email, Teams and other core services, a breach can lead to theft of sensitive data as well as password harvesting, Netherlands-based research company Eye Security noted. What’s also alarming, researchers said, is that the hackers have gained access to keys that may allow them to regain entry even after a system is patched.
“So pushing out a patch on Monday or Tuesday doesn’t help anybody who’s been compromised in the past 72 hours,” said one researcher, who spoke on the condition of anonymity because a federal investigation is ongoing.
It was not immediately clear who is behind the hacking of global reach or what its ultimate goal is. One private research company found the hackers targeting servers in China as well as a state legislature in the eastern United States. Eye Security said it has tracked more than 50 breaches, including at an energy company in a large state and several European government agencies.
At least two U.S. federal agencies have seen their servers breached, according to researchers, who said victim confidentiality agreements prevent them from naming the targets.
One state official in the eastern U.S. said the attackers had “hijacked” a repository of documents provided to the public to help residents understand how their government works. The agency involved can no longer access the material, but it wasn’t clear whether it was deleted.
“We will need to make these documents available again in a different repository,” the official said, speaking on the condition of anonymity to discuss a developing situation.
Such “wiper” attacks are rare, and this one left officials alarmed in other states as word spread. Some security companies said they had not seen deletions in the SharePoint attacks, only the theft of cryptographic keys that would allow the hackers to reenter the servers.
In Arizona, cybersecurity officials were convening with state, local and tribal officials to assess potential vulnerabilities and share information.
“There is definitely a mad scramble across the nation right now,” said one person familiar with the state’s response.
The breaches occurred after Microsoft fixed a security flaw this month. The attackers realized they could use a similar vulnerability, according to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
CISA spokesperson Marci McCarthy said the agency was alerted to the issue Friday by a cyber research firm and immediately contacted Microsoft.
Microsoft has been faulted in the past for issuing fixes that are too narrowly designed and leave similar avenues open to attack. The company, one of the largest tech vendors to governments, has had other major stumbles in the past two years, including breaches of its own corporate networks and executives’ emails. A programming flaw in its cloud services also allowed China-backed hackers to steal email from federal officials.
On Friday, Microsoft said it would stop using China-based engineers to support Defense Department cloud-computing programs after a report by investigative outlet ProPublica revealed the practice, prompting Defense Secretary Pete Hegseth to order a review of Pentagon cloud deals.
The nonprofit Center for Internet Security, which staffs an information-sharing group for state and local governments, notified about 100 organizations that they were vulnerable and potentially compromised, said Randy Rose, the organization’s vice president. Those warned included public schools and universities.
The process took six hours Saturday night — much longer than it otherwise would have, because the threat-intelligence and incident-response teams have been cut by 65 percent as CISA slashed funding, Rose said.
Despite CISA being led by an acting director because nominee Sean Plankey has not been confirmed, agency officials have been “working around-the-clock” on the issue, McCarthy said. “No one has been asleep at the wheel.’’
Others that were breached included a government agency in Spain, a local agency in Albuquerque and a university in Brazil, security researchers said.
Patrick Marley, Sarah Ellison and Aaron Schaffer contributed to this report.
https://www.washingtonpost.com/technolo ... oint-hack/
Translation
