
Microsoft has raised alarms about an active cyberattack that is targeting on-premises SharePoint servers used by government agencies and businesses around the world.
The company is urging customers to apply its latest security updates immediately to stop further damage.
According to Microsoft, the attacks do not affect cloud-based SharePoint Online accounts within Microsoft 365. Only on-premises servers hosted inside organizations are vulnerable.
The tech company said it is working with key partners like the FBI, the US Cybersecurity and Infrastructure Security Agency (CISA), and international cyber defense teams to respond to the threat.
"We've been coordinating closely with CISA, DOD Cyber Defense Command and key cybersecurity partners globally throughout our response," a Microsoft spokesperson said.
According to Reuters, the exploit involves a serious vulnerability that allows hackers to fake trusted users or services—a method known as "spoofing."
This lets attackers gain unauthorized access and steal sensitive data. Microsoft said attackers who have created backdoors can remain inside systems even after security updates are applied.
Microsoft Faces New Zero-Day Attack Targeting SharePoint Servers
Gene Yu, CEO of Singapore-based cyber firm Blackpanda, said, "When they're able to compromise the fortress that is SharePoint, everybody is kind of at their whim because that is one of the highest security protocols out there."
Cybersecurity researchers, including Silas Cutler from Censys, estimate that over 10,000 organizations with SharePoint servers could be at risk.
The largest number of vulnerable servers is in the U.S., followed by the Netherlands, the UK, and Canada.
Hackers have already launched attacks on US federal and state agencies, energy companies, universities, and at least one Asian telecom firm, according to The Washington Post.
The breach was first spotted by researchers at Eye Security, who noted the hackers may be stealing keys to impersonate users—even after systems are patched.
Security experts say this is a "zero-day" exploit—meaning attackers found and used the flaw before Microsoft or others even knew it existed.
Companies that can't immediately apply Microsoft's recommended fixes are being advised to take their servers offline to reduce risk, Bloomberg said.
Palo Alto Networks called the attack "a serious threat," and Google's threat team said the flaw could provide "unauthenticated, persistent access."
Microsoft declined to provide further comment beyond its initial alert, but said it is working on updates for older SharePoint versions like 2016 and 2019.
This is the latest in a series of cyberattacks against Microsoft, including a high-profile breach in 2023 that affected US government officials and agencies.