“Zero-Day” Hack on Microsoft SharePoint Hits Nearly 100 Organizations, Warn Cybersecurity Firms

A newly discovered cyber espionage campaign exploiting a previously unknown vulnerability in self-hosted Microsoft SharePoint servers has compromised around 100 organizations as of last weekend, according to Eye Security and the Shadowserver Foundation.

The attacks leverage a “zero-day” flaw—one not previously disclosed—that allows adversaries to infiltrate exposed SharePoint instances, install backdoors, and maintain long-term access. SharePoint Online, which runs on Microsoft’s cloud servers, remains unaffected.

Vaisha Bernard, chief hacker at Netherlands-based Eye Security, revealed that a targeted breach of one of her firm’s clients on Friday prompted a comprehensive internet scan with Shadowserver. That scan identified nearly 100 vulnerable servers before details of the exploit became public. Shadowserver confirmed most victims are located in the United States and Germany and include government bodies.

Rafe Pilling, director of Threat Intelligence at British cybersecurity firm Sophos, noted that although initial forensic indicators point to a single threat actor, “it’s possible this will quickly change” as other groups may adopt the same technique.

Microsoft has issued security updates to patch the vulnerability and urged all customers running on-premises SharePoint servers to install them immediately. However, cybersecurity experts warn that patching alone is not enough; organizations should assume they have been breached, conduct thorough forensic investigations, and remove any implanted backdoors.

Google’s security team has attributed at least some of the attack activity to a “China-nexus threat actor,” although no government or group has officially claimed responsibility. The FBI and Britain’s National Cyber Security Centre have confirmed awareness of the campaign and are collaborating with private and public sector partners.