Microsoft Corp. is currently investigating a potentially severe security breach within its proprietary early alert system, the Microsoft Active Protections Program (MAPP), as Chinese state-sponsored hacking groups continue to exploit newly discovered vulnerabilities in its SharePoint server software. The incident raises serious concerns about the integrity of a program designed to give cybersecurity defenders a crucial head start against emerging threats.
The investigation was launched after a surge of sophisticated attacks targeting on-premises SharePoint servers began around July 7, just days after MAPP partners were given advance notice of critical vulnerabilities (CVE-2025-53770 and CVE-2025-53771) that Microsoft was preparing to patch. These flaws, collectively dubbed “ToolShell,” allow attackers to bypass authentication and execute remote code, granting them persistent access to compromised systems, even after patches are applied, by stealing cryptographic machine keys.
Microsoft has attributed the widespread exploitation to at least three China-based groups: Linen Typhoon, Violet Typhoon, and Storm-2603. These advanced persistent threat (APT) groups have reportedly compromised over 400 organizations worldwide, including the U.S. National Nuclear Security Administration, in a campaign that underscores the speed and sophistication of modern cyber threats.
The timing of the attacks has led cybersecurity experts to strongly suspect a leak from the MAPP program. Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, a MAPP member, stated that the “likeliest scenario is that someone in the MAPP program used that information to create the exploits.” While no specific vendor has been named, the concentration of attack origins from China points to a potential breach of non-disclosure agreements by a Chinese MAPP partner.
This is not the first time Microsoft’s early alert system has faced such scrutiny. In 2021, similar suspicions arose regarding leaks from MAPP that facilitated a global hacking campaign against Exchange servers, which Microsoft blamed on the Chinese espionage group Hafnium.
A Microsoft spokesperson affirmed that the company is “continually evaluating the efficacy and security of all our partner programs and making necessary improvements.” The incident highlights the delicate balance Microsoft must maintain in sharing critical vulnerability information to bolster collective defense, while simultaneously safeguarding against its misuse by malicious actors. The ongoing probe will be critical in determining the future of the MAPP program and the broader strategy for pre-empting zero-day attacks.
