Chinese hackers exploiting SharePoint flaws to steal data, deploy malware, says Microsoft

Chinese state-sponsored hackers are actively exploiting two critical vulnerabilities in Microsoft SharePoint servers to steal sensitive data and gain backdoor access to enterprise networks, the tech giant warned on Tuesday.

Microsoft said it had identified three threat groups, Linen Typhoon, Violet Typhoon, and Storm-2603, that have been targeting internet-facing SharePoint servers since at least July 7, exploiting flaws that allow authentication bypass and remote code execution.

Only on-premises SharePoint installations are affected by the campaign; Microsoft’s cloud-based SharePoint Online remains unaffected. The company has issued security patches and urged customers to apply them immediately to prevent further intrusions.

What are the hackers doing?

Once inside a system, the attackers deploy malicious code that grants them backdoor access and lets them steal machine encryption keys. These tools allow persistent access and control over the compromised networks, Microsoft said in its security bulletin.

Cybersecurity firm Check Point confirmed the same campaign had intensified after July 18, with multiple compromise attempts against government and private organisations in North America and Western Europe.

More from Tech

Did China-linked hackers access US nuclear secrets through Microsoft? What the flush? Microsoft wants to buy human waste. Here’s why

Who are the threat actors?

• Linen Typhoon (active since 2012): targets governments, defence entities, and human rights groups to steal intellectual property.

• Violet Typhoon (since 2015): spies on NGOs, media organisations, think tanks, and former officials in the US, Europe, and East Asia.

• Storm-2603: suspected to be China-based, has used ransomware in the past but current motives remain unclear.

The vulnerabilities exploited in this campaign allow attackers to spoof credentials and run arbitrary code remotely, making them particularly dangerous for high-value targets.

Microsoft and Check Point have both advised organisations using SharePoint Server to urgently review their exposure and apply the necessary mitigations.