Hackers exploited a critical vulnerability in Microsoft’s SharePoint collaboration software to launch a sweeping cyberattack on government and business targets worldwide, according to state officials and private researchers. The breach affected U.S. federal and state agencies, universities, energy firms, and a telecommunications provider in Asia.
Governments in the U.S., Canada, and Australia are now investigating the breach, which impacted SharePoint servers used for managing and sharing documents. Experts say tens of thousands of servers are at risk. Microsoft has not yet issued a patch, forcing affected organizations across the globe to scramble for short-term solutions.
The incident is a “zero-day attack,” a term used for cyber intrusions that exploit previously unknown software flaws. It’s the latest in a string of cybersecurity failures tied to Microsoft. A similar 2023 incident involving a China-based hack of U.S. government emails—including those of then-Commerce Secretary Gina Raimondo—was blamed on the company’s lapses.
The current exploit affects only on-premises SharePoint servers, not cloud-based systems like Microsoft 365, officials noted. Microsoft has advised users to alter server configurations or disconnect them from the internet as a temporary fix. “Anybody who’s got a hosted SharePoint server has got a problem,” said Adam Meyers, senior vice president at cybersecurity firm CrowdStrike. “It’s a significant vulnerability.”
Microsoft has alerted customers but declined further comment. The FBI also did not immediately respond to requests for information.
“We’re seeing attempts to exploit thousands of SharePoint servers globally before a patch is available,” said Wendi Renals, senior manager at Palo Alto Networks’ Unit 42. “We have identified dozens of compromised organizations spanning both commercial and government sectors.”
Gaining access to SharePoint servers, which often connect to services like Outlook and Microsoft Teams, could enable hackers to steal sensitive information and harvest passwords, according to Dutch cybersecurity firm Eye Security. Researchers are also concerned that attackers have secured cryptographic keys that may let them return even after a patch is applied. “Pushing out a patch on Monday or Tuesday doesn’t help anybody who’s been compromised in the last 72 hours,” said one anonymous researcher.
It remains unclear who is behind the attack or what their motives are. One cybersecurity firm identified intrusions affecting servers in China and a U.S. state legislature. Eye Security reported more than 50 confirmed breaches, including a major utility company in the U.S. and several European government agencies.
Two U.S. federal agencies have reportedly been compromised, but researchers cited confidentiality agreements as the reason for withholding their names. A state official from the eastern U.S. said attackers had “hijacked” a public repository of documents meant to inform residents about government operations. That agency has since lost access to the data, although it was unclear whether it was deleted. “We’ll need to make these documents available again in a different repository,” the official said, speaking anonymously.
While data-wiping attacks are rare, the possibility sparked concern among officials in other states. Some cybersecurity firms reported no deletions but warned about the theft of cryptographic keys that could allow repeated intrusions.
In Arizona, cybersecurity officials met with state, local, and tribal agencies to assess vulnerabilities and exchange information. “There is definitely a mad scramble across the nation right now,” said one individual familiar with the response.
The attacks reportedly occurred after Microsoft patched a different flaw earlier this month. Hackers apparently adapted their methods to exploit a related vulnerability, according to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). Agency spokesperson Marci McCarthy said Microsoft was alerted on Friday by a cybersecurity firm, prompting immediate action.
Microsoft has faced criticism in the past for narrowly scoped patches that fail to fully address vulnerabilities. The company has also experienced its own security breaches in recent years, including attacks on corporate systems and executive accounts. One flaw in its cloud services enabled China-linked hackers to access emails from U.S. officials.
Earlier this week, Microsoft announced it would stop using China-based engineers on Defense Department cloud projects following a ProPublica report. The revelation led Defense Secretary Pete Hegseth to launch a review of Pentagon cloud contracts.
The nonprofit Center for Internet Security, which coordinates cyber alerts for state and local governments, notified around 100 potentially affected organizations, said vice president Randy Rose. Among them were public schools and universities. The alert process took six hours—longer than expected—due to a 65 percent funding cut to CISA’s incident-response teams.
McCarthy confirmed that CISA, which is currently led by an acting director while nominee Sean Plankey awaits confirmation, has been “working around the clock” on the crisis. “No one has been asleep at the wheel,” she said.
Researchers said additional breached entities include a government agency in Spain, a local agency in Albuquerque, and a city in Brazil.
Sarah Ellison, Aaron Schaffer, and Joseph Marley contributed to this report.