Major Cybersecurity Alert: SharePoint Servers Under Attack🚨‼️

  • rigoberto34
  • Jul 25, 2025
  • 4 min read

A serious cybersecurity threat is currently affecting businesses across the United States. A critical vulnerability in Microsoft SharePoint servers has become a target for cybercriminals and sophisticated nation-state groups since mid-July 2025. This threat, nicknamed "ToolShell," poses significant risks to local businesses, government offices, and organizations that use SharePoint systems.


What is SharePoint and Why Should You Care?


Microsoft SharePoint is like a digital filing cabinet and collaboration space that many businesses use to store documents, share information, and work together on projects. Think of it as a secure website where your company keeps important files, customer information, financial records, and other sensitive business data. Many businesses, from small accounting firms to large manufacturing companies, rely on SharePoint to run their daily operations.


What's Happening Right Now?


On July 19, 2025, Microsoft confirmed that vulnerabilities known as "ToolShell" were being actively exploited. In simple terms, cybercriminals have discovered a way to break into SharePoint systems without needing passwords or permission. It's like finding a secret door that lets them walk right into your business's digital vault.


The scope is serious: Security firm Eye Security has identified over 400 compromised SharePoint systems across multiple attack waves, with victims including U.S. federal agencies, universities, and energy companies.


Who's Behind These Attacks?


Microsoft has specifically identified three China-aligned threat groups exploiting the vulnerabilities: Linen Typhoon, Violet Typhoon, and Storm-2603. These aren't just individual hackers; these are sophisticated, well-organized groups with significant resources. Most concerning is the involvement of LuckyMouse (APT27), a sophisticated Chinese cyber-espionage group that primarily targets governments, telecommunications companies, and international organizations.


What makes this particularly dangerous is that Storm-2603 has begun deploying Warlock ransomware using these vulnerabilities. This means attackers aren't just stealing information; they're also locking up business systems and demanding payment to restore access.


How Bad Is This Vulnerability?


Security experts rate this threat as extremely serious with a CVSS score of 9.8, indicating near-maximum severity. The vulnerability is particularly dangerous because:


  • Zero-Day Status: It was previously unknown and unpatched
  • No Authentication Required: Attackers can exploit ToolShell without needing valid credentials
  • Remote Code Execution: Successful exploitation grants attackers the ability to execute arbitrary code on the compromised SharePoint Server


To put this in perspective, imagine if someone discovered that every lock of a certain brand could be opened with a master key, and criminals were already using this knowledge before the lock company could warn anyone.


What Systems Are at Risk?


These attacks specifically target on-premises Microsoft SharePoint servers running SharePoint Subscription Edition, SharePoint 2019, or SharePoint 2016, while SharePoint Online in Microsoft 365 remains unaffected.


Important: If your business uses SharePoint through Microsoft's cloud service (Microsoft 365), you're likely safe. The danger is for businesses that run their own SharePoint servers on their premises.


What Can Attackers Do Once They're In?


The vulnerability allows attackers to bypass multi-factor authentication and single sign-on protections. Once inside, criminals can:


  • Steal sensitive business information like customer data and financial records
  • Install malicious software for permanent access
  • Spread to other connected systems in your network
  • Lock up your files and demand ransom
  • Use your systems to attack others


What makes this particularly dangerous is SharePoint's integration with other Microsoft services, including Office, Teams, OneDrive, and Outlook, potentially granting attackers extensive access across compromised networks.


What's Being Done About It?


Microsoft has released emergency security updates for all affected SharePoint versions as of July 22, 2025. The U.S. Cybersecurity and Infrastructure Security Agency has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply patches immediately.


However, experts warn that patching alone is insufficient – organizations must also rotate ASP.NET machine keys and restart IIS services to fully evict attackers.


What Should Your Business Do Right Now?


Immediate Actions:

  • Determine if you're at risk: Contact your IT support team to find out if your business uses on-premises SharePoint servers. If unsure, assume you might be at risk.
  • Install security updates immediately: Microsoft has released security updates to address ToolShell for SharePoint Subscription Edition and SharePoint 2019.
  • Limit internet access: Restrict access to on-premises SharePoint Servers from the public internet whenever possible.
  • Check for signs of compromise: Look for unusual activity like unknown files, slow performance, or unexpected system behavior.
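For the IT team carrying out the steps above (confirm on-premises SharePoint, rotate the ASP.NET machine keys, restart IIS, look for unknown files), here is an added example script; it is not part of this post or of Microsoft's guidance. It assumes the SharePoint Management Shell cmdlets Get-SPFarm, Get-SPWebApplication and Update-SPMachineKey are available on the patched server, and that the farm uses the default "16" layouts folder; verify both against your edition before running.

```powershell
# Added example (not from the post): defender-side remediation checks for an
# on-premises SharePoint farm. Run in an elevated SharePoint Management Shell
# on one server; repeat the IIS restart on every server in the farm.
#Requires -RunAsAdministrator

# 1. Confirm this host is part of an on-premises farm (SharePoint Online is out of scope).
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
if (-not (Get-Command Get-SPFarm -ErrorAction SilentlyContinue)) {
    Write-Host "No on-premises SharePoint farm found on this host; nothing to do."
    return
}
$farm = Get-SPFarm
# Compare this build against the patched build Microsoft lists for your edition.
Write-Host "Farm build version: $($farm.BuildVersion)"

# 2. Rotate the ASP.NET machine keys for every web application, including Central
#    Administration. Patching alone does not invalidate keys an attacker may already
#    have extracted, which is why the post says patching is insufficient.
#    (Assumption: Update-SPMachineKey accepts -WebApplication on your version.)
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# 3. Restart IIS so the new keys take effect and in-memory state is dropped.
& iisreset.exe

# 4. "Unknown files" check: list ASP.NET pages written into the layouts folder since
#    the start of the exploitation window. Legitimate patches also touch this folder,
#    so every hit needs triage rather than being treated as proof of compromise.
#    (Assumption: default 16-hive path; adjust for your installation.)
$layouts = Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
$since = Get-Date '2025-07-01'
Get-ChildItem -Path $layouts -Recurse -Include *.aspx, *.ashx -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $since -or $_.LastWriteTime -ge $since } |
    Select-Object FullName, CreationTime, LastWriteTime, Length |
    Format-Table -AutoSize
```

Keep the output of step 4 with the rest of your incident records; if anything there cannot be tied to a Microsoft update, treat the server as compromised and follow the incident response guidance below rather than simply deleting the file.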


Don't Wait - Act Today

Security experts predict continued exploitation attempts against unpatched systems for months to come. Every day you wait increases the risk that criminals will break into your systems.


The Bottom Line


Organizations running on-premises SharePoint servers are strongly advised to assume compromise and implement comprehensive incident response procedures beyond simple patching. This means treating this not just as a software update, but as a potential security incident requiring thorough investigation.


Cybersecurity threats affect businesses of all sizes. By staying informed, taking prompt action, and working with qualified IT professionals, your business can protect itself against these evolving threats. The cost of prevention is always less than the cost of recovery from a successful cyberattack.

© Ghost Systems, Inc. All Rights Reserved.