Microsoft Confirms Chinese Hackers Targeted SharePoint in Latest Cyber Espionage Wave
Microsoft has revealed that multiple China-linked hacking groups have been actively exploiting a vulnerability in its SharePoint collaboration platform.
According to a blog post by the tech giant, malicious activity tied to the Chinese threat actors known as Linen Typhoon, Violet Typhoon, and Storm-2603 began as early as July 7. These groups have attempted to leverage the software flaw in coordinated attacks.
Charles Carmakal, CTO of Google-owned cybersecurity firm Mandiant, echoed this concern in a LinkedIn update, stating that they believe at least one of the attackers involved is affiliated with China-based cyber operations.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) acknowledged the active exploitation on Sunday. In response, Microsoft released patches for two on-premises SharePoint versions over the weekend and a third fix on Monday.
SharePoint plays a critical role in enterprise workflows, serving as a central hub for document sharing and internal collaboration across organizations using Microsoft Office products.
This breach follows heightened scrutiny over Microsoft’s cybersecurity practices. Last year, a government review criticized the company for its handling of a breach involving Chinese actors accessing U.S. officials’ email accounts. In response, Microsoft CEO Satya Nadella reaffirmed the company’s commitment to strengthening its cyber defenses.
More recently, Microsoft announced it would reduce reliance on its China-based engineers for supporting U.S. Department of Defense cloud infrastructure, after concerns were raised about potential risks of foreign interference.
This isn’t the first time Chinese-linked attackers have targeted Microsoft tools. In 2021, the group known as Hafnium exploited vulnerabilities in Microsoft Exchange Server—used for business email and calendar services—causing widespread disruption.
