
State-Sponsored Cyberattack Hits On-Premise SharePoint Servers, Experts Warn of Long-Term Risks

Prime Highlights

  • Chinese state-sponsored threat actors exploited a zero-day flaw in on-premise Microsoft SharePoint servers.
  • Microsoft has fixed the flaw, but the attackers retain access to systems whose encryption keys have not been rotated.

Key Facts

  • The attack targets on-premise SharePoint servers, not cloud-based Microsoft 365.
  • Attackers stole encryption keys, giving them persistent access even after patches were rolled out.

Key Background

In a recent series of cyberattacks, Chinese state-sponsored hackers exploited a zero-day vulnerability in on-premises Microsoft SharePoint servers. The attack allowed them to steal cryptographic keys and gain persistent, unauthorized access to sensitive systems in both the United States and allied nations.

Security companies such as Mandiant and Eye Security have attributed the attack to China-based advanced persistent threat (APT) actors. The attackers were already exploiting the vulnerability before Microsoft released its fixes in mid-July 2025. Although patches are available, experts note that most affected organizations remain exposed because they have not rotated their keys or conducted a full forensic analysis.

This is part of a rising tide of state-sponsored attacks on business collaboration platforms, following the 2021 Microsoft Exchange attack, which was also attributed to Chinese actors. Having obtained cryptographic signing keys, the attackers could deploy backdoors that let them re-enter networks even after patches were deployed.

The worst of it is not its magnitude. Reported targets ranged from U.S. federal and state government entities to energy companies, schools, and even foreign governments. Early indications of hijacked American servers communicating with Chinese IP addresses supported the nation-state attribution, and the visibly staged nature of the intrusion points to espionage rather than financial motives.

The platform remains under sustained attack from nation-state actors. The United States Cybersecurity and Infrastructure Security Agency (CISA), together with its Canadian and Australian counterparts, has therefore issued joint advisories calling for action at the highest priority and the earliest opportunity. Organizations are urged to patch vulnerable systems, rotate encryption keys, review network logs, and implement additional detection controls.
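As an added illustration, not code from the article, Microsoft or the advisories, the following Python models why the key-rotation step matters: a token forged with a stolen signing key keeps validating after the patch, and only rotating the key invalidates it. The HMAC token format and key handling here are a simplified, hypothetical stand-in for a server's machine key, not SharePoint's real implementation.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

MAC_LEN = 32  # HMAC-SHA256 output length in bytes


def sign(key: bytes, payload: bytes) -> str:
    """Return base64(payload || HMAC-SHA256(key, payload)); a stand-in for a MAC-protected token."""
    mac = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.b64encode(payload + mac).decode("ascii")


def verify(key: bytes, token: str) -> Optional[bytes]:
    """Return the payload if its MAC is valid under `key`, otherwise None."""
    raw = base64.b64decode(token)
    payload, mac = raw[:-MAC_LEN], raw[-MAC_LEN:]
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    return payload if hmac.compare_digest(expected, mac) else None


def simulate_persistence(rotate_key_after_patch: bool) -> dict:
    """Model the article's scenario: key stolen before the patch, then patch with or without rotation."""
    server_key = secrets.token_bytes(32)     # hypothetical server signing key
    stolen_key = server_key                  # attacker copied the key before the patch
    # The patch closes the original bug but does not change the key by itself.
    if rotate_key_after_patch:
        server_key = secrets.token_bytes(32)  # remediation step: rotate the signing key
    forged = sign(stolen_key, b"user=attacker;role=admin")  # constructed forged token
    legit = sign(server_key, b"user=alice;role=reader")     # constructed legitimate token
    return {
        "forged_accepted": verify(server_key, forged) is not None,
        "legit_accepted": verify(server_key, legit) is not None,
    }


if __name__ == "__main__":
    print("patch only:      ", simulate_persistence(False))
    print("patch + rotation:", simulate_persistence(True))
```

With the patch alone the forged token is still accepted; after rotation it is rejected while legitimate tokens issued under the new key continue to work.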

This is a call for better cyber hygiene and threat awareness across the enterprise. With attacks through software and supply chains unrelenting, disciplined response and resiliency are no longer optional; they are cyber security imperatives.
