Microsoft Races to Contain SharePoint Hack Impacting Global Institutions

By Staff, Agencies

Hackers have exploited a major security flaw in Microsoft’s SharePoint software, breaching government systems, businesses, and other organizations worldwide in what cybersecurity experts are calling a critical global threat.

Microsoft issued an emergency patch over the weekend and continues to roll out fixes after confirming that attackers are targeting on-premise SharePoint servers to gain unauthorized access and execute malicious code.

According to CrowdStrike and Google’s Mandiant Consulting, multiple hacking groups are exploiting the flaw. Among the compromised entities are national governments in Europe and the Middle East, the US Department of Education, Florida’s Department of Revenue and the Rhode Island General Assembly. Affected systems have seen the theft of credentials such as usernames, passwords and authentication tokens.

Cybersecurity researchers warn that the threat is especially serious because of SharePoint’s integration with other Microsoft services like Teams, Office, OneDrive and Outlook, which could give attackers access to entire organizational networks. “This is a high-severity, high-urgency threat,” said Michael Sikorski of Palo Alto Networks, warning that a breach could cascade across all Microsoft-linked platforms.

Tens of thousands of organizations rely on SharePoint to store and manage documents. Microsoft said the attacks primarily target servers run on-premise rather than those hosted by Microsoft itself, potentially narrowing the scope but still leaving thousands at risk. Cybersecurity firm Censys estimated over 10,000 companies could be vulnerable, particularly in the US, Netherlands, UK and Canada.

The attacks have renewed scrutiny of Microsoft’s overall cybersecurity posture. A 2024 US government report criticized the company's security culture, prompting Microsoft to hire former government experts and hold weekly executive meetings focused on resilience. Despite earlier patches issued in July, hackers found new ways to bypass them, exploiting related vulnerabilities that remained open.

Eye Security, the firm that first detected the wave of cyberattacks starting July 12, said hackers have found methods to maintain persistent access to systems even after updates. These include deploying backdoors and altering components to survive reboots. So far, at least 50 servers have been confirmed compromised out of 8,000 scanned globally, with targets including multinational companies and government entities in North and South America, Europe, South Africa, and Australia.

The Center for Internet Security warned that more than 1,100 SharePoint servers used by US state and local governments are vulnerable, with at least 100 likely already breached. The ongoing fallout underscores the severity of the situation and the urgent need for global institutions to secure their systems against further exploitation.