Source: www.techrepublic.com – Author: J.R. Johnivan
A series of cyberattacks targeting Microsoft collaboration software, specifically SharePoint, has been linked to Chinese hackers and threat actors.

One of Microsoft’s recent SharePoint patches, released on July 18, failed to fully mitigate the security vulnerabilities it was designed to prevent, prompting the company to issue additional fixes. A Microsoft spokesperson confirmed the issue and said new security updates had been rolled out to better contain the threat.
Moreover, the Microsoft Threat Intelligence team confirmed at least three Chinese hacking groups are responsible for exploiting the SharePoint vulnerabilities.
A post by Microsoft Threat Intelligence reads, in part: “Microsoft has observed two named Chinese nation-state actors, Linen Typhoon and Violet Typhoon exploiting these vulnerabilities targeting internet-facing SharePoint servers. In addition, we have observed another China-based threat actor, tracked as Storm-2603, exploiting these vulnerabilities.”
SharePoint vulnerabilities under active attack
Microsoft initially issued updates to address two security vulnerabilities:
- CVE-2025-49704: This remote code execution (RCE) vulnerability allows hackers to access SharePoint and other Windows services, including Microsoft Outlook, OneDrive, and Teams. Once accessed, the hacker can even use RCE to deploy malicious code on the target system.
- CVE-2025-49706: An improper authentication vulnerability that enables attackers to access on-premises servers that currently host Microsoft SharePoint.
Following the discovery of additional zero-day vulnerabilities, Microsoft identified two more actively exploited vulnerabilities:
- CVE-2025-53770: This vulnerability allows hackers to bypass authentication checks and credential verifications when transmitting data.
- CVE-2025-53771: With this vulnerability, hackers can spoof the credentials of authenticated users to generate data payloads that appear to originate from legitimate sources.
Microsoft released updated security patches for SharePoint Server Subscription Edition, 2019, and 2016 to address the broader threat landscape.
Chinese APTs behind exploitation campaign
Three China-linked hacking groups have been implicated in the ongoing exploitation of SharePoint security vulnerabilities. These groups include:
- Linen Typhoon: This hacking group has conducted intellectual property theft since being first detected in 2012. Most of their cyberattacks target organizations in government, defense, human rights, and other sectors.
- Violet Typhoon: First detected in 2015, Violet Typhoon primarily engages in espionage. Although they sometimes target individuals, particularly government officials and military personnel, they also attack organizations in higher education, media, finance, and health care.
- Storm-2603: While Microsoft only has “medium confidence” that Storm-2603 is based in China, they display many of the same habits as Linen and Violet Typhoon, including the exploitation of the latest SharePoint vulnerabilities. At the time of this writing, Storm-2603 has not been linked to the two other groups.
Protecting your system from future threats
The team at Microsoft moved diligently to update SharePoint after the new exploits were found. However, given the longevity of these three hacking groups in particular, they will likely devise new hacks, exploits, and workarounds to circumvent security controls and continue their attacks. To protect against potential future threats, Microsoft recommends installing the latest software updates as soon as they’re available to the public.
Original Post URL: https://www.techrepublic.com/article/news-microsoft-sharepoint-patch-failure-chinese-hackers/