
Urgent Zero-Day Attack Hits Microsoft SharePoint Servers—Patch Now

Active attacks exploiting unpatched SharePoint server vulnerabilities prompt urgent security updates

Microsoft Alerts Businesses and Governments to SharePoint Server Attacks

📅 Redmond/WASHINGTON, July 21, 2025

Microsoft today issued an urgent security advisory, revealing active attacks exploiting a newly discovered zero‑day vulnerability in its on‑premises SharePoint server software. The company stressed that the cloud‑hosted SharePoint Online service included in Microsoft 365 is not affected (Bloomberg.com, Reuters, The Straits Times).

💻 Scope of the Vulnerability

According to Microsoft, the vulnerability enables “spoofing over a network,” allowing attackers to disguise themselves as trusted entities and potentially manipulate document‑sharing systems used by government bodies and enterprises (Spokesman-Review, Reuters, mint). Tens of thousands of servers globally are reportedly at risk (Spokesman-Review, Reuters, The Washington Post).

🔓 Zero-Day Exploits and International Impact

Security researchers describe this as a “zero‑day” exploit, an attack leveraging an unknown flaw before a patch exists (Reuters, The Washington Post, Spokesman-Review). Evidence suggests that the breach has affected U.S. federal and state agencies, universities, energy firms, Asian telcos, and European government entities, with dozens of organizations confirmed to be compromised (The Washington Post, Spokesman-Review).

🚨 FBI and CISA Involvement

The FBI confirmed awareness of the situation and is coordinating with both federal and private-sector cybersecurity partners (The Washington Post, Reuters, mint). Microsoft is working alongside the U.S. CISA, DOD Cyber Defense Command, and global cybersecurity stakeholders to investigate and contain the attacks (The Straits Times, Reuters, AOL).

🔧 Immediate Safeguards Recommended

Microsoft has released a patch for SharePoint Subscription Edition, urging all affected customers to install it “immediately” (The Straits Times, mint, Reuters). Updates for SharePoint 2016 and 2019 are still being developed. Meanwhile, the company advises organizations that cannot apply the released protections to temporarily disconnect their servers from the internet (Reuters, mint).

🔁 Mitigation Challenges

Researchers from CrowdStrike and Palo Alto Networks Unit 42 warn that the threat remains active. Pete Renals of Unit 42 confirmed that “we are seeing attempts to exploit thousands of SharePoint servers globally before a patch is available” (The Washington Post, Spokesman-Review). A senior CrowdStrike official added: “Anybody who’s got a hosted SharePoint server has got a problem” (The Washington Post, Spokesman-Review).

☁️ Cloud Services Remain Secure

Microsoft confirmed that SharePoint Online in Microsoft 365, its cloud‑hosted service, is not vulnerable, as the attack surface is confined to on‑premises installations (Reuters, mint). This segment remains fully secure and operational.

🛡️ Strategic Risks of Spoofing

Spoofing exploits allow attackers to impersonate legitimate documents or users, making it easier to steal sensitive data, harvest credentials, or undermine financial and government systems (The Washington Post). Researchers also note that attackers have stolen cryptographic keys, enabling re-entry after patching, so systems that were already affected remain compromised even once the patch is installed (The Washington Post, Spokesman-Review).

🌐 Global Coordination Ongoing

CISA was first alerted on July 18, 2025, and immediately collaborated with Microsoft and researchers to contain the attack (The Straits Times, The Washington Post, Spokesman-Review). Agencies across the U.S., Canada, Australia, Europe, and Asia are now investigating breach impacts and sharing defenses.

📝 Urgent Call to Action

All organizations running on‑premises SharePoint servers should:

  • Immediately apply Microsoft’s released patch.

  • Isolate servers if patching isn’t feasible.

  • Monitor logs for suspicious spoofing or credential misuse.

  • Update cybersecurity protocols to respond to post‑breach threats.
