SharePoint zero-day hack hits hard
A critical zero-day vulnerability in on-premises versions of Microsoft SharePoint Server sparked a sophisticated and rapidly escalating cyberattack earlier this week, affecting organisations worldwide.
Since early July 2025, cybersecurity researchers have observed a surge in malicious activity targeting on-premises SharePoint deployments. The attack chain, known as “ToolShell,” leverages two previously unknown vulnerabilities, CVE-2025-53770 (remote code execution via deserialisation of untrusted data) and CVE-2025-53771 (authentication bypass). Both are bypasses of the fixes Microsoft shipped in its July Patch Tuesday update for CVE-2025-49704 and CVE-2025-49706, the pair first demonstrated at the Pwn2Own Berlin contest in May 2025, and the campaign has caused severe concern among IT and security leaders globally.
Dutch cybersecurity company Eye Security said on Tuesday that it had detected around 400 organisations that had been breached due to the exploit, including the US National Nuclear Security Administration. Earlier this week, cybersecurity researchers estimated 9,000 externally accessible SharePoint servers were vulnerable to the exploit. Many New Zealand businesses continue to run their own servers hosting SharePoint installations.
Authorities in Australia and New Zealand have taken urgent notice of the threat, with both the Australian Cyber Security Centre (ACSC) and New Zealand's National Cyber Security Centre (NCSC) issuing high-priority alerts. Organisations are urged to apply the available patches immediately, disconnect vulnerable servers from the internet if possible, and review finance-related workflows and approvals for signs of tampering or breach.
Crucially, only on-premises SharePoint Server is at risk; SharePoint Online in Microsoft 365 is unaffected. Microsoft issued patches for SharePoint Server Subscription Edition and SharePoint Server 2019 relatively quickly, with a fix for SharePoint Server 2016 following, but the updates require hands-on work from IT teams all over the world.
By late July 2025, reports confirmed exploitation attempts as early as July 7, with a pronounced wave of attacks on July 18 and 19. The exposed servers span critical sectors such as government, telecommunications, financial services, healthcare, and software.
Threat actors behind this campaign include advanced groups with ties to Chinese nation-state interests. Microsoft attributed the attacks to “Linen Typhoon” and “Violet Typhoon,” groups known for stealing intellectual property and conducting espionage, and to “Storm-2603,” a China-based actor with a history of deploying ransomware; Google's Mandiant likewise assessed that at least one China-nexus actor was involved.
While the earliest targets were strategically selected, focusing on Western governments and multinational firms, the attack quickly widened in scope once details of the vulnerability and working exploit code became public.
How the attack works
Attackers send a crafted HTTP POST request to the /_layouts/15/ToolPane.aspx endpoint of an exposed server, with a Referer header pointing at /_layouts/SignOut.aspx so that the request is treated as authenticated, and use the resulting code execution to write a web shell such as “spinstall0.aspx” into the server's LAYOUTS directory. The web shell is not a general-purpose backdoor: its job is to read and return the server's ASP.NET MachineKey values (ValidationKey and DecryptionKey). Possession of these cryptographic secrets enables attackers to:
- Forge signed and encrypted __VIEWSTATE payloads, and other MachineKey-protected tokens, that the server accepts as genuine, giving persistent unauthorised access that survives patching unless the keys are rotated,
- Execute arbitrary code remotely within affected environments without needing the web shell again,
- Exfiltrate sensitive files and data,
- Move laterally into connected systems, in some cases including Teams, OneDrive, and Outlook.
For organisations relying on SharePoint Server for internal collaboration, the implications are far-reaching. Attackers can steal confidential documents and intellectual property, manipulate financial records or payment workflows, compromise business email systems, and insert persistent backdoors for future attacks.
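The following PowerShell triage script is an added example for this article, not code from the publication, from Microsoft, or from any of the researchers cited. It checks one on-premises SharePoint server for the two traces the attack leaves that are described above: the spinstall*.aspx web shell under the LAYOUTS directory, and IIS log entries for the ToolPane.aspx request with the spoofed SignOut.aspx referer or for requests to the web shell itself. The LAYOUTS and IIS log paths are the product defaults and are assumptions; adjust them if your installation differs. The three log lines at the bottom are constructed in IIS W3C format so the matcher can be exercised off the server.

```powershell
# Added example, not part of the article or of Microsoft's guidance.
# Indicators follow public reporting on the July 2025 "ToolShell" campaign.

# Two request shapes worth alerting on:
#  - POST to ToolPane.aspx in edit mode whose Referer is the sign-out page
#    (the request that delivers the payload and plants the web shell), and
#  - any request for the dropped web shell (spinstall0.aspx; spinstall1/2
#    variants were reported later, hence the \d*).
$toolPaneRe = '(?i)\bPOST\b.*?/_layouts/(15/)?ToolPane\.aspx\b.*?DisplayMode=Edit.*?/_layouts/SignOut\.aspx'
$shellRe    = '(?i)/_layouts/(15/)?spinstall\d*\.aspx'

function Test-ToolShellLogLine {
    # Classifies one IIS log line; returns $null for benign traffic.
    param([Parameter(Mandatory)][string]$Line)
    if ($Line -match $toolPaneRe) { return 'toolpane-exploit' }
    if ($Line -match $shellRe)    { return 'webshell-access' }
    return $null
}

function Find-ToolShellInLogs {
    # Scans every IIS log under the default log root (assumed path).
    param([string]$LogRoot = 'C:\inetpub\logs\LogFiles')
    if (-not (Test-Path $LogRoot)) { return @() }
    Get-ChildItem -Path $LogRoot -Recurse -Filter '*.log' | ForEach-Object {
        $file = $_.FullName
        Select-String -Path $file -Pattern $toolPaneRe, $shellRe | ForEach-Object {
            [pscustomobject]@{
                Kind = Test-ToolShellLogLine -Line $_.Line
                File = $file
                Line = $_.LineNumber
                Text = $_.Line
            }
        }
    }
}

function Find-ToolShellOnDisk {
    # The "16" hive serves SharePoint 2016/2019/Subscription Edition; "15" is
    # included for older installs. Both are the default install locations.
    $roots = @(
        "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\15\TEMPLATE\LAYOUTS",
        "$env:CommonProgramFiles\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
    )
    foreach ($root in $roots) {
        if (Test-Path $root) {
            Get-ChildItem -Path $root -Recurse -Filter 'spinstall*.aspx' -ErrorAction SilentlyContinue |
                Select-Object FullName, Length, CreationTimeUtc, LastWriteTimeUtc
        }
    }
}

# Constructed sample lines (not real traffic) in the default IIS W3C field
# order: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username
# c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
$sample = @(
    '2025-07-18 10:02:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0 https://sp.example.test/_layouts/SignOut.aspx 200 0 0 812',
    '2025-07-18 10:02:44 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 35',
    '2025-07-18 10:03:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\alice 10.0.0.42 Mozilla/5.0 https://sp.example.test/ 200 0 0 120'
)
# Expected: the first line is tagged toolpane-exploit, the second
# webshell-access, and the third (ordinary authenticated browsing) is blank.
$sample | ForEach-Object { '{0,-18} {1}' -f (Test-ToolShellLogLine -Line $_), $_ }

# On the server itself:
Find-ToolShellOnDisk
Find-ToolShellInLogs | Format-Table Kind, File, Line -AutoSize
```

A hit from either function means the MachineKey should be treated as compromised: removing the web shell alone does not take away what it has already handed over, so the keys have to be rotated as part of the clean-up. Note also that an attacker who already holds the keys no longer needs the ToolPane.aspx request, so an absence of that pattern in later logs is not evidence that the server is clean.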
Widespread use, slow patching
The extensive reliance on on-premises SharePoint among businesses and government in Australasia means that much critical infrastructure is at stake. Updates to patch the vulnerabilities were only partially available in the initial days of the attack, with SharePoint Server 2016 temporarily left without a fix.
Security experts warn that even brief delays in applying mitigations may allow attackers to implant long-term persistence mechanisms, making full remediation significantly more complex. Patching alone does not evict an attacker who has already stolen a server's MachineKey: the forged payloads those keys sign remain valid until the keys are rotated and IIS is restarted, so Microsoft's guidance pairs the update with a machine-key rotation and a hunt for web shells on every affected server.
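Because a stolen MachineKey outlives the patch, the key rotation is the step most likely to be skipped. The script below is an added example for this article, not a script from Microsoft or from the publication: it rotates the ASP.NET machine key of every web application in the farm and then checks that the key in each web.config actually changed, comparing a hash of the key rather than printing the secret. The cmdlet names follow Microsoft's published guidance for this vulnerability (Update-SPMachineKey followed by an IIS restart); confirm them against the guidance for the version you run. The web.config lookup through each web application's IisSettings is an assumption about the farm layout and is worth checking on your own farm before relying on the "rotated" verdict.

```powershell
# Added example, not a script from the article or from Microsoft. Run in the
# SharePoint Management Shell as a farm administrator, on one server, after the
# July 2025 security update has been installed on every server in the farm.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

function Get-MachineKeyFingerprint {
    # Short SHA-256 fingerprint of the <machineKey> element in a web.config, so
    # the key can be compared before and after rotation without exposing it.
    param([Parameter(Mandatory)][string]$WebConfig)
    if (-not (Test-Path -LiteralPath $WebConfig)) { return $null }
    $xml = [xml](Get-Content -LiteralPath $WebConfig -Raw)
    $mk  = $xml.configuration.'system.web'.machineKey
    if (-not $mk) { return $null }
    $bytes = [Text.Encoding]::UTF8.GetBytes("$($mk.validationKey)|$($mk.decryptionKey)")
    $hash  = [Security.Cryptography.SHA256]::Create().ComputeHash($bytes)
    return ([BitConverter]::ToString($hash) -replace '-', '').Substring(0, 16)
}

function Get-WebConfigPaths {
    # One IIS site, and therefore one web.config, per zone the web application
    # is extended to. Assumption: IisSettings exposes the site's physical path.
    param([Parameter(Mandatory)]$WebApplication)
    $WebApplication.IisSettings.Values | ForEach-Object { Join-Path $_.Path.FullName 'web.config' }
}

# 1. Record the farm build so it can be compared with the patched build
#    numbers in Microsoft's advisory. Do not rotate keys on an unpatched farm;
#    the attacker would simply steal the new ones.
"Farm build: $((Get-SPFarm).BuildVersion)"

# 2. Rotate the machine key of every web application, Central Administration
#    included, and confirm each web.config now carries a different key.
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    $before = @{}
    foreach ($cfg in Get-WebConfigPaths -WebApplication $wa) {
        $before[$cfg] = Get-MachineKeyFingerprint -WebConfig $cfg
    }

    Update-SPMachineKey -WebApplication $wa

    foreach ($cfg in Get-WebConfigPaths -WebApplication $wa) {
        $after = Get-MachineKeyFingerprint -WebConfig $cfg
        $state = if ($after -and $after -ne $before[$cfg]) { 'rotated' } else { 'UNCHANGED - investigate' }
        '{0,-24} {1} {2}' -f $state, $wa.Url, $cfg
    }
}

# 3. Restart IIS so the worker processes load the new keys. From this point an
#    attacker holding the old keys can no longer forge payloads the server accepts.
iisreset.exe
```

If a web application reports UNCHANGED, the rotation did not take effect on that server; Microsoft's guidance also offers the machine-key rotation timer job in Central Administration as the alternative path, and the rotation must be repeated on every server in the farm before the farm is considered clean. Rotation invalidates all existing ViewState and forms-authentication tickets, so users will be signed out; that is expected.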
Visit Microsoft for the latest security guidance relating to the SharePoint exploit.