Microsoft is once again in the cybersecurity spotlight, acknowledging Tuesday morning that hackers linked to China are among those exploiting vulnerabilities in on-premises SharePoint software, the latest in a string of security problems that have plagued the tech giant.
The company has moved quickly to patch the vulnerabilities over the past few days, saying Tuesday that security updates are now available for all supported versions of its SharePoint Server software. It’s urging customers to “apply these updates immediately to ensure they are protected.”
“With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems,” the company warned in the post on its security blog.
The incident is the latest test of Microsoft’s cybersecurity overhaul, known as the Secure Future Initiative. Launched amid a series of damaging nation-state attacks — and escalated after a critical Cyber Safety Review Board report — the program aims to improve the security of Microsoft’s engineering and reduce the risk of breaches.
CEO Satya Nadella has declared security the company’s top priority, and Microsoft has tied a portion of executive compensation to measurable progress. But the continued emergence of high-impact vulnerabilities — especially in legacy on-premises systems — underscores the scale of the challenge and the urgency of the reforms.
At the same time, Microsoft is expanding its security infrastructure products for customers in the cloud. On Tuesday, the company announced a public preview of the Microsoft Sentinel data lake, a new cloud platform designed to help organizations retain and analyze massive volumes of security data.
Microsoft says the data lake eliminates silos and enables deeper analytics that could help detect long-dwelling or “low and slow” attacks. The release reflects the company’s broader strategy to modernize threat detection and response, especially for customers shifting away from legacy on-premises systems.
The latest developments in the SharePoint vulnerability follow a weekend of emergency patching across government and corporate systems, after the initial reports of exploits emerged.
The company on Tuesday identified three China-linked groups behind the attacks: Linen Typhoon and Violet Typhoon, both established Chinese state actors, along with Storm-2603, another China-based threat actor.
Microsoft said its analysis suggests the exploitation attempts began as early as July 7, nearly two weeks before the vulnerabilities were publicly disclosed on July 19.
The fallout has been lessened in part by the fact that the vulnerability doesn’t impact cloud-based Microsoft 365 systems.
Microsoft issued patches on July 8 to address related SharePoint vulnerabilities, but attackers later developed new exploits that bypassed those protections by leveraging additional flaws. However customers who applied Microsoft’s prior patches and diligently followed its security guidance were less likely to be impacted.
Among other steps, the company is recommending that customers rotate their cryptographic keys, after detecting signs that hackers are using malicious scripts to retrieve MachineKey data, which could allow them to retain access to systems even after patches are applied. Read the Microsoft post for full technical details.
