A major cyberattack has hit Microsoft’s SharePoint platforms, putting thousands of organizations at risk around the world. The attack began around July 18, 2025, and exploited a previously unknown vulnerability that allowed hackers to break into systems, steal data, and impersonate users. Importantly, a wide range of organizations were affected by the attack, including US federal and state government agencies, colleges and universities, major banks, energy companies, and government offices in other countries.
Security experts reportedly suggest that a single group is behind the attack, which has exposed more than 8,000 SharePoint servers to potential compromise. Attackers are said to have used the zero-day vulnerability to gain remote access to SharePoint servers without needing to log in through normal methods. Once inside, they were able to take control of systems, access confidential files, extract login credentials, and even pose as legitimate users within a network.
In several cases, hackers reportedly altered or deleted public documents stored on government websites. The breach has raised concerns about the security of enterprise software widely used by both public and private sectors.
Microsoft responded by releasing emergency patches for the affected SharePoint Server versions (particularly SharePoint Server 2019 and the Subscription Edition). However, organizations using SharePoint Server 2016 are still waiting for a fix, which leaves many systems at risk.
“Microsoft is aware of active attacks targeting on-premises SharePoint Server customers by exploiting vulnerabilities partially addressed by the July Security Update. These vulnerabilities apply to on-premises SharePoint Servers only. SharePoint Online in Microsoft 365 is not impacted,” the Redmond-headquartered company said.
The software giant warned that, even after the patch is applied, some systems may still be vulnerable if attackers have already implanted backdoors or stolen security keys that give them continued access. To further help protect against the new security flaws (identified as CVE-2025-53770 and CVE-2025-53771), the company has also recommended turning on the Antimalware Scan Interface (AMSI) integration feature in SharePoint Server, along with using Microsoft Defender across the entire SharePoint Server environment. This setup helps detect and block malicious scripts or code that attackers might try to run on the server.
The US Cybersecurity and Infrastructure Security Agency (CISA), along with the FBI and Microsoft’s own security teams, is currently investigating the breach. CISA has also advised organizations to disconnect any unpatched SharePoint servers from the internet and conduct full security reviews.
This is not the first time the Satya Nadella-led company has faced a major cybersecurity crisis. In 2021, Microsoft Exchange Server was hit by a large-scale attack that compromised tens of thousands of organizations globally (including government agencies and private firms). Earlier, the SolarWinds breach revealed how hackers had inserted malicious code into a trusted software update, affecting numerous US federal agencies and major corporations. In 2024, the company again faced a major breach when the state-backed hacking group Midnight Blizzard infiltrated Microsoft’s email systems, accessing sensitive communications from executives and government-related accounts.
The timing of the latest incident is notable because it comes while the tech giant is undergoing major structural changes. The company recently shut down its ‘Movies & TV’ store after 19 years and announced 9,000 more layoffs, heavily affecting the Xbox division.