China-Linked Hackers Breach Microsoft SharePoint Servers


Chinese threat groups exploited Microsoft SharePoint flaws to access sensitive data across global business sectors

Microsoft has confirmed that several China-backed hacking groups have exploited vulnerabilities in its SharePoint document management software, targeting businesses and institutions around the world.

The attacks focused on on-premises SharePoint servers, the kind organisations host and manage themselves, rather than Microsoft’s cloud-based service.

The threat actors involved, named Linen Typhoon, Violet Typhoon and Storm-2603, used flaws in SharePoint to extract cryptographic key material, giving them continued access to internal data systems.

According to Microsoft, the campaign has affected organisations across multiple industries and geographies, with attackers primarily aiming to steal sensitive information and maintain access over time.

Linen Typhoon has a long history of targeting government bodies, defence contractors and human rights organisations. Violet Typhoon is known to focus on espionage against former government personnel, non-profits, universities, financial services and healthcare institutions in the West and in East Asia. Storm-2603, a less familiar group, is believed to operate from within China and follows similar targeting patterns.

Once inside, the attackers were able to bypass normal security processes by using stolen encryption material. This allowed them to re-enter compromised systems without detection. Microsoft said the activity occurred before patches were made available, which made the initial wave of attacks broad and highly opportunistic.

The company has since released security updates and urged all customers running on-premises SharePoint to apply the patches immediately. Systems that remain unpatched are still considered at risk.

Microsoft has stated that its investigation is ongoing and more actors could be involved. Updates will be posted on its official threat intelligence channels as more details emerge.

This security breach highlights the continued threat posed by state-backed hacking groups and the risks faced by organisations using legacy infrastructure.