A widespread cyber espionage operation targeting Microsoft server software has compromised approximately 100 organizations globally, cybersecurity researchers revealed this week. The sophisticated attack exploited a critical vulnerability in self-hosted Microsoft SharePoint servers, impacting a diverse range of entities including major industrial firms, banks, auditors, healthcare companies, and several U.S. state-level and international government entities.
The breach, which was first detected by Netherlands-based cybersecurity firm Eye Security on Friday, July 18, 2025, quickly escalated into a significant concern for global cybersecurity. Vaisha Bernard, chief hacker at Eye Security, stated that an internet scan conducted in collaboration with the Shadowserver Foundation uncovered the nearly 100 victims, even before the exploitation technique became widely known.
Microsoft had issued an alert on Saturday, July 19, about “active attacks” on self-hosted SharePoint servers and subsequently released security updates. However, it appears that the initial patches were bypassed by the attackers, allowing for continued exploitation. The vulnerability, dubbed “ToolShell” by researchers, is particularly dangerous as it grants unauthenticated access to SharePoint servers and allows attackers to steal cryptographic keys, providing persistent access even after patching or system reboots.
While the identities of the affected organizations have not been publicly disclosed, reports indicate that most victims are located in the United States and Germany, with government organizations prominently featured among the compromised. Google’s Threat Intelligence Group has tied at least some of the hacks to a “China-nexus threat actor,” though Beijing routinely denies involvement in such operations. The FBI and Britain’s National Cyber Security Centre have confirmed awareness of the attacks and are working with their partners.
This incident marks a critical moment for organizations relying on on-premises SharePoint servers. Experts caution that simply applying the latest patches may not be enough, as attackers have demonstrated the ability to maintain access through backdoors and modified components. Cybersecurity firms are urging affected entities to undertake complete threat assessments, including credential rotation and thorough system auditing, to ensure full remediation and prevent future intrusions. The incident underscores the ongoing challenge of securing enterprise infrastructure against increasingly sophisticated cyber threats.














