Microsoft is investigating a potential leak from its confidential vulnerability-sharing program that may have given Chinese state-linked hackers early notice of SharePoint flaws, exposing over 400 networks to attack.
Why it matters: The incident has affected numerous organizations, including crucial U.S. government agencies like the National Nuclear Security Administration, and could significantly damage partner trust in Microsoft’s security protocols.
The details:
- The focus of the investigation is the Microsoft Active Protections Program (MAPP), which shares early information on vulnerabilities with select cybersecurity vendors under strict non-disclosure agreements.
- The vulnerabilities were first disclosed in May 2025 at a cybersecurity conference, and Microsoft alerted its MAPP partners between late June and early July.
- On July 7, just one day before Microsoft issued public patches, attackers began exploiting the vulnerabilities in the wild. Exploitation landing in the window between partner notification and public release is what raised suspicions that details had leaked from within the MAPP network.
- Chained together, the SharePoint flaws let attackers bypass authentication, execute code remotely on the server, steal its cryptographic (machine) keys, extract sensitive data, and keep access even after the system was restarted. Because the stolen keys survive a reboot and a patch, affected servers need their keys rotated, not just the update applied.
Microsoft has linked the attacks to three China-affiliated groups: Linen Typhoon, Violet Typhoon, and Storm-2603.
What they’re saying:
- Cybersecurity experts point to the timing as the critical factor: exploitation that begins after partners were notified but before the public patch is unlikely to be a coincidence.
- Microsoft maintains that MAPP is a vital component of its security protocol, though any confirmed breach would significantly damage partner trust.
- Cybersecurity agencies in the U.S. and Europe have issued alerts urging organizations to patch SharePoint systems and monitor for signs of compromise.
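As an added example that is not part of the original article, nor code from Microsoft or any of the researchers quoted below, here is a small hunt over IIS W3C log lines for the request pattern publicly associated with this SharePoint exploit chain: an unauthenticated POST to ToolPane.aspx in DisplayMode=Edit carrying a Referer of /_layouts/SignOut.aspx (the authentication-bypass step), and subsequent requests for a dropped spinstall*.aspx page (the machine-key theft step). The indicators come from the public July 2025 advisories on this chain; the log lines, host names, usernames and IP addresses are constructed for the example, and the field order is assumed rather than read from the log's own `#Fields:` header.

```python
"""Hunt IIS W3C logs for the SharePoint 'ToolShell' request pattern.

Added example, not code from the article or the vendors it cites.
The sample log below is constructed; the indicators (ToolPane.aspx POST
with a SignOut.aspx referer, spinstall*.aspx web shell) are the publicly
documented ones for this exploit chain.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Assumed field order; production code should parse the '#Fields:' directive.
FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
          "sc-status", "sc-substatus", "sc-win32-status", "time-taken"]

TOOLPANE = re.compile(r"/_layouts/(?:1[56]/)?toolpane\.aspx$", re.I)
SIGNOUT_REFERER = re.compile(r"/_layouts/(?:1[56]/)?signout\.aspx", re.I)
WEBSHELL = re.compile(r"/_layouts/(?:1[56]/)?spinstall\d*\.aspx$", re.I)

# Constructed sample: one normal page load, one legitimate authenticated
# edit, then the exploit pattern from an external address.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 14:02:11 10.0.0.5 GET /_layouts/15/start.aspx - 443 CORP\\alice 10.0.0.23 Mozilla/5.0 https://sp.corp.example/sites/hr 200 0 0 41
2025-07-18 14:03:40 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\alice 10.0.0.23 Mozilla/5.0 https://sp.corp.example/_layouts/15/ToolPane.aspx 200 0 0 120
2025-07-18 14:05:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.77 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 233
2025-07-18 14:05:09 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.77 Mozilla/5.0 - 200 0 0 18
"""


@dataclass
class Hit:
    line_no: int
    client: str
    status: str
    reason: str


def parse_w3c(line: str) -> Optional[Dict[str, str]]:
    """Split one space-delimited W3C line; skip directives and malformed rows."""
    if line.startswith("#") or not line.strip():
        return None
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def classify(rec: Dict[str, str]) -> Optional[str]:
    """Return a reason string if the record matches a ToolShell indicator."""
    method = rec["cs-method"].upper()
    stem, query, ref = rec["cs-uri-stem"], rec["cs-uri-query"], rec["cs(Referer)"]
    if method == "POST" and TOOLPANE.search(stem) and "displaymode=edit" in query.lower():
        if SIGNOUT_REFERER.search(ref):
            return "ToolPane.aspx POST with SignOut.aspx referer (auth-bypass pattern)"
        if rec["cs-username"] == "-":
            # Heuristic: ToolPane.aspx normally requires an authenticated user.
            return "unauthenticated ToolPane.aspx POST in DisplayMode=Edit"
    if WEBSHELL.search(stem):
        return "request for spinstall*.aspx (machine-key theft web shell)"
    return None


def hunt(lines: List[str]) -> List[Hit]:
    """Scan log lines and return every indicator match with its line number."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        rec = parse_w3c(line)
        if rec is None:
            continue
        reason = classify(rec)
        if reason:
            hits.append(Hit(n, rec["c-ip"], rec["sc-status"], reason))
    return hits


def suspicious_sources(hits: List[Hit]) -> Set[str]:
    """Distinct client addresses behind the hits, for blocking and pivoting."""
    return {h.client for h in hits}


if __name__ == "__main__":
    for h in hunt(SAMPLE_LOG.splitlines()):
        print(f"line {h.line_no}: {h.client} [{h.status}] {h.reason}")
    print("sources:", sorted(suspicious_sources(hunt(SAMPLE_LOG.splitlines()))))
```

A hit on the SignOut.aspx pattern with a 200 response means the bypass succeeded and the server's ASP.NET machine keys should be treated as stolen; the patch alone does not invalidate them, so rotate the keys and restart IIS after updating, and treat every host that shares those keys (the whole farm) as affected. The legitimate authenticated edit on line 4 is not flagged, which is the point of keying on the referer and the missing username rather than on ToolPane.aspx alone.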
The other side: Microsoft’s stock has remained stable in recent sessions despite the potential breach, but investors are expected to watch closely for fallout in future earnings or government contract reviews.
What’s next: As Microsoft continues to grow in the cloud and defense sectors, its handling of this incident will be crucial for future risk assessments. The company has committed to reviewing the incident and reinforcing the program’s security measures.
Recent from X
📢 Kaspersky Global Research and Analysis Team (GReAT) experts have conducted a detailed analysis of ToolShell—a cluster of Microsoft SharePoint vulnerabilities that attackers are actively exploiting.
🔍 ToolShell flaws originate from an incomplete fix for CVE-2020-1147, first… pic.twitter.com/5bcaKhKc78
— Kaspersky (@kaspersky) July 28, 2025
The "no shell" activity cluster was seen exploiting the SharePoint vuln on the 17th – one day ahead of others – using no filesystem artifacts. Very cool finding by @TomHegel and friends at @LabsSentinel #toolshell #noshell Link to the blog below -> pic.twitter.com/Dh7Dc1wbF0
— Costin Raiu (@craiu) July 26, 2025
⚡ Zero-days exploited. State-backed schemes exposed. Ransomware shifts.
From insider arrests to AI-powered fraud, here’s what mattered in cyber this week—no fluff, just the signal.
🧵 Read now ↓ https://t.co/vbINMgYPrG
— The Hacker News (@TheHackersNews) July 28, 2025
🛑 In case you missed it — Over 4,600 attacks. 300+ orgs hit.
A China-linked threat group is exploiting SharePoint flaws to drop Warlock ransomware on unpatched systems.
Patch now. Details here → https://t.co/t2e0yr6nUm
— The Hacker News (@TheHackersNews) July 26, 2025