
UPDATE: A major cyber espionage operation is confirmed to have compromised approximately 100 organizations worldwide by exploiting vulnerabilities in Microsoft server software. Cybersecurity experts are raising alarms following Microsoft’s urgent alert regarding “active attacks” on self-hosted SharePoint servers, a critical tool for document sharing and collaboration within organizations.
The Australian Signals Directorate (ASD) and the Australian Cyber Security Centre (ACSC) issued an alert on July 20, 2025, warning organizations to take immediate action against a newly discovered vulnerability affecting Microsoft Office SharePoint Server products. SharePoint instances hosted on Microsoft's own servers were reportedly not affected, but the implications for organizations running self-hosted servers are dire.
Vaisha Bernard, Chief Hacker at Eye Security, a cybersecurity firm based in the Netherlands, disclosed that an internet scan conducted with the Shadowserver Foundation revealed nearly 100 victims. This was before the hacking technique became widely known. “It’s unambiguous,” Bernard stated. “Who knows what other adversaries have done since to place other backdoors?”
The Shadowserver Foundation confirmed that most of the compromised organizations are located in the United States and Germany, and that they include government entities. Experts suggest that the spying activity is likely the work of a single hacker or a single group of hackers, but the situation could escalate rapidly. Rafe Pilling, Director of Threat Intelligence at Sophos, cautioned, “It’s possible that this will quickly change.”
Microsoft has responded by providing security updates and urging all customers to install them immediately. A company spokesperson emphasized the urgency of the situation in an emailed statement. Meanwhile, the FBI announced that it is aware of the situation and is collaborating with federal and private-sector partners to investigate further.
In the United Kingdom, the National Cyber Security Centre has acknowledged a limited number of targets affected by this attack. Researchers tracking the campaign suggest it initially focused on specific government-related organizations, but the potential target pool remains vast. Data from Shodan indicates that over 8,000 servers could theoretically be compromised, including major industrial firms, banks, and healthcare companies.
Daniel Card from UK cybersecurity consultancy PwnDefend remarked, “The SharePoint incident appears to have created a broad level of compromise across a range of servers globally.” He added that adopting an “assumed breach” approach is prudent, and simply applying patches may not be enough to secure vulnerable systems.
The urgency of this situation cannot be overstated. Organizations globally must act swiftly to mitigate risks and protect sensitive data from potential breaches. As the investigation unfolds, cybersecurity experts continue to monitor the situation closely, urging immediate vigilance.