Hackers exploited a security flaw in common Microsoft software to breach governments, businesses and other organizations across the globe and steal sensitive information, according to officials and cybersecurity researchers.

Microsoft over the weekend released a patch for the vulnerability in servers of the SharePoint document management software. The company said it was still working to roll out other fixes after warnings that hackers were targeting SharePoint clients, using the flaw to enter file systems and execute code.

The hackers, who so far have not been identified, have already used the flaw to break into the systems of national governments in Europe and the Middle East, and to breach government agencies in U.S. states, including Florida, according to a person familiar with the matter. The person spoke on condition that they not be identified discussing the sensitive information.

Florida state representatives didn’t immediately respond to a request for comment.

The hackers also breached the systems of a U.S.-based health care provider and targeted a public university in Southeast Asia, according to a report from a cybersecurity firm. The report doesn’t identify either entity by name, but says the hackers have attempted to breach SharePoint servers in countries including Brazil, Canada, Indonesia, Spain, South Africa, Switzerland, the United Kingdom and the United States. The firm asked not to be named because of the sensitivity of the information.

In some systems they’ve broken into, the hackers have stolen sign-in credentials, including usernames, passwords, hash codes and tokens, according to a person familiar with the matter, who also spoke on condition that they not be identified discussing the sensitive information.

“This is a high-severity, high-urgency threat,” said Michael Sikorski, chief technology officer and head of threat intelligence for Unit 42 at Palo Alto Networks.

“What makes this especially concerning is SharePoint’s deep integration with Microsoft’s platform, including their services like Office, Teams, OneDrive and Outlook, which has all the information valuable to an attacker,” he said. “A compromise doesn’t stay contained — it opens the door to the entire network.”

Tens of thousands — if not hundreds of thousands — of businesses and institutions worldwide use SharePoint in some fashion to store and collaborate on documents. Microsoft said that attackers are specifically targeting clients running SharePoint servers on their own on-premises networks, as opposed to instances hosted and managed by the tech firm. That could limit the impact to a subsection of customers.

“It’s a dream for ransomware operators,” said Silas Cutler, a researcher at Michigan-based cybersecurity firm Censys. He estimated that more than 10,000 companies with SharePoint servers were at risk. The U.S. had the largest number of such firms, followed by the Netherlands, the U.K. and Canada, he said.

Over the weekend, Microsoft released a patch for a security vulnerability in the servers of its SharePoint document management software that hackers have been exploiting to enter file systems and execute code. | REUTERS

The breaches have drawn new scrutiny to Microsoft’s efforts to shore up its cybersecurity after a series of high-profile failures. The firm has hired executives from places such as the U.S. government and holds weekly meetings with senior executives to make its software more resilient. The company’s tech has been subject to several widespread and damaging hacks in recent years, and a 2024 U.S. government report described the company’s security culture as in need of urgent reforms.

Palo Alto Networks warned that the SharePoint exploits are “real, in-the-wild, and pose a serious threat.” Google Threat Intelligence Group said in an emailed statement it had observed hackers exploiting the vulnerability, adding it allows “persistent, unauthenticated access and presents a significant risk to affected organizations.”

The Center for Internet Security, which operates a cybersecurity information sharing system for state and local governments in the U.S., found more than 1,100 servers that are at risk from the SharePoint vulnerability, said Randy Rose, the organization’s vice president of security operations and intelligence. Rose said more than 100 were likely hacked.

“When they’re able to compromise the fortress that is SharePoint, everybody is kind of at their whim because that is one of the highest security protocols out there,” said Gene Yu, CEO of Singapore-based cyber incident response firm Blackpanda.

The Washington Post reported that the breach had affected U.S. federal and state agencies, universities, energy companies and an Asian telecommunications company, citing state officials and private researchers.

Eye Security was the first to identify that attackers were actively exploiting the vulnerabilities in a wave of cyberattacks that began on Friday, said Vaisha Bernard, the company’s chief hacker and co-owner.

Eye Security said the vulnerability allows hackers to access SharePoint servers and steal keys that can let them impersonate users or services even after the server is patched. It said hackers can maintain access through backdoors or modified components that can survive updates and reboots of systems.

The SharePoint vulnerabilities, known as “ToolShell,” were first identified in May by researchers at a Berlin cybersecurity conference. In early July, Microsoft issued patches to fix the security holes, but hackers found another way in.

“There were ways around the patches,” which enabled hackers to break into SharePoint servers by tapping into similar vulnerabilities, said Bernard. “That allowed these attacks to happen.”

The intrusions, he said, were not targeted and instead were aimed at compromising as many victims as possible. After scanning about 8,000 SharePoint servers, Bernard said he has so far identified at least 50 that were successfully compromised.

He declined to identify the organizations that had been targeted, but said they included government agencies and private companies, including “bigger multinationals.” The victims were located in countries in North and South America, the European Union, South Africa, and Australia, he added.

A Microsoft spokesperson declined to comment beyond an earlier statement.

Microsoft has faced a series of recent cyberattacks, warning in March that Chinese hackers were targeting remote management tools and cloud applications to spy on a range of companies and organizations in the U.S. and abroad.

The Cyber Safety Review Board, a White House-mandated group designed to examine major cyberattacks, said last year that Microsoft’s security culture was “inadequate” following the 2023 hack of the company’s Exchange Online mailboxes. In that incident, hackers were able to breach 22 organizations and hundreds of individuals, including former U.S. Commerce Secretary Gina Raimondo.