Microsoft SharePoint Hack Exposes 100 Global Organizations in ‘Zero-Day’ Cyberattack

Shadowserver and Eye Security reveal widespread breach; tech giant says cloud users unaffected, stock holds steady

A fresh wave of cyber espionage has hit nearly 100 organizations worldwide, cybersecurity researchers said Monday, after uncovering a stealthy hacking campaign that exploited a previously unknown flaw in Microsoft’s SharePoint software.

The vulnerability, which Microsoft confirmed as an “active zero-day exploit,” allowed hackers to infiltrate internal company servers, leaving behind potential backdoors for ongoing surveillance. The full scope of damage is still unclear — and, in some cases, likely undetected.

Zero-Day Hits Where It Hurts: Behind the Firewall

The breach centers on self-hosted versions of Microsoft SharePoint — enterprise collaboration software used by governments, corporations, law firms, and hospitals to manage internal documents and workflow systems.

Because many organizations run SharePoint on-premises, rather than through Microsoft’s cloud, the security burden falls on the users themselves. And this time, attackers found a hole no one knew existed.

“They didn’t go after flashy systems or high-profile targets,” said Vaisha Bernard, chief hacker at Netherlands-based Eye Security. “They hit the quiet stuff — servers that companies assume are safe behind a firewall. That’s why this worked.”

Bernard’s firm first spotted the suspicious activity on Friday when a European client reported unexplained data transfers. Working with the U.S.-based Shadowserver Foundation, a nonprofit that scans internet-connected infrastructure for malware and intrusions, researchers confirmed the attack had affected nearly 100 organizations.

That number, they said, is almost certainly a low estimate.

Photo: Microsoft headquarters, Redmond

No Names Yet, but It’s Global

So far, neither Eye Security nor Shadowserver has released the names or sectors of the organizations affected, citing ongoing containment efforts. But early reports suggest targets span North America, Europe, and parts of Asia — and include both private companies and government entities.

The attack leveraged a flaw in SharePoint's code that lets attackers inject malicious scripts through a backend interface of the document library function. Once inside, they could create administrative-level accounts or install web shells to maintain persistent access.

“It’s the kind of breach that doesn’t scream from the rooftops,” said Jon DiMaggio, chief security strategist at Analyst1. “It whispers. And those are the hardest to detect — because by the time you hear it, they’re already in.”

Microsoft Responds, Market Shrugs

Microsoft moved quickly, issuing a security advisory on Saturday that acknowledged the attacks and urged on-prem SharePoint users to implement mitigation steps. The company said its cloud-based SharePoint Online services were unaffected.

Here’s how Microsoft’s response unfolded:

  • Saturday, July 20: Microsoft issues an out-of-cycle alert warning of “active exploitation” and urges patching

  • Sunday, July 21: Security firms begin scanning for exposed instances; findings shared privately with CERTs

  • Monday, July 22: Public disclosure confirms nearly 100 compromised organizations

Despite the revelation, Microsoft stock held steady in Monday trading, down just 0.3% by close. Analysts said investors are used to hearing about cyber incidents — and with Microsoft’s cloud business shielded, broader business impact seemed limited.

Still, reputational risks remain.

“Even if Microsoft isn’t technically at fault for patching speed, this hurts trust,” said Laura Cheng, a senior analyst at Evercore ISI. “Zero-days targeting core enterprise software are a nightmare scenario — not just for the victims, but for anyone trying to sell digital transformation.”

So, Who’s Behind It?

That’s still a mystery. But suspicions are already swirling around a handful of well-known players in the cyber espionage world — particularly China, Russia, and Iran.

Researchers haven’t attributed the attack publicly yet, but the stealth, patience, and scope resemble tactics seen in state-sponsored operations. In particular, the breach echoes methods used in the 2021 Hafnium attack, which targeted Microsoft Exchange servers globally and was later attributed to Chinese intelligence units.

That said, nothing’s confirmed — and the list of sophisticated threat actors is only growing.

“We’re not ruling anything out,” Bernard said. “But this doesn’t feel like a ransomware gang. This was about access — not chaos.”

What Makes This One Different?

There are plenty of cyberattacks each year. But this one stands out.

Here’s why:

  • Silent entry: Attackers didn’t crash systems or encrypt data. They snuck in and watched.

  • Long dwell time: Experts believe many victims were compromised for weeks before detection.

  • Server-side focus: Unlike phishing or endpoint attacks, this targeted back-end architecture — hard to audit, harder to patch.

  • No ransom: So far, there’s no sign the hackers want money. That makes it espionage, not extortion.

“It’s classic cyber tradecraft,” said Dmitri Alperovitch, chairman of Silverado Policy Accelerator. “Slip in through the server room, exfiltrate what you need, and disappear before the janitor notices the door’s been jimmied.”

What’s Next for Victims?

For now, organizations running SharePoint on-prem are being urged to inspect access logs, update antivirus signatures, and deploy Microsoft’s recommended patches as soon as possible.

A broader industry advisory from the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is expected within the next 24 hours. Meanwhile, threat hunting firms are scanning for lingering web shells and unusual traffic patterns among known victims.
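The steps above (inspect access logs, hunt for lingering web shells and unusual traffic) can be started with the server's own IIS logs. The script below is an added example for defenders, not code from the article or from any of the firms it quotes. It parses the W3C-format access log that IIS writes by default and flags three of the indicators the article describes: a successful anonymous POST to a back-end page under /_layouts/, an .aspx file under /_layouts/ that is not on a known-good allowlist (a candidate web shell), and a client that pulled an unusually large volume of data. The log lines, host names, user names, the page names in the allowlist, and the 100 MB threshold are all constructed for illustration; nothing here is taken from the incident itself.

```python
"""Triage an on-prem SharePoint server's IIS access log for the indicators the
article names: suspicious back-end requests, unexpected .aspx files under
/_layouts/ (possible web shells), and unusual outbound data volume.
Added example; assumptions are marked in the comments."""
import posixpath
from collections import defaultdict

# Constructed IIS W3C log excerpt. Hosts, users, paths and sizes are made up
# for illustration and are not from the incident described in the article.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(User-Agent) sc-status sc-bytes
2025-07-18 02:13:44 GET /_layouts/15/start.aspx CONTOSO\\jdoe 10.0.1.22 Mozilla/5.0 200 51234
2025-07-18 02:14:01 POST /_layouts/15/upload_handler.aspx - 203.0.113.7 python-requests/2.31 200 1034
2025-07-18 02:14:09 GET /_layouts/15/debug_helper.aspx - 203.0.113.7 python-requests/2.31 200 412
2025-07-18 02:20:30 GET /sites/finance/Shared%20Documents/q2.xlsx CONTOSO\\asmith 10.0.1.40 Mozilla/5.0 200 2048000
2025-07-18 02:31:12 GET /_layouts/15/download.aspx - 203.0.113.7 curl/8.4 200 89000000
2025-07-18 02:32:50 GET /_layouts/15/download.aspx - 203.0.113.7 curl/8.4 200 95000000
"""

# Hypothetical allowlist of .aspx pages expected under /_layouts/ on a clean
# server. In practice this is inventoried from a known-good install, not typed
# from memory; anything not on the list is worth a look, not automatically bad.
KNOWN_LAYOUTS_PAGES = {"start.aspx", "download.aspx", "upload_handler.aspx"}


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip it rather than misalign the columns
        yield dict(zip(fields, parts))


def triage(text, known_pages=KNOWN_LAYOUTS_PAGES, byte_threshold=100_000_000):
    """Return findings grouped by rule. byte_threshold is an arbitrary illustrative cut-off."""
    findings = {"unauth_post": [], "unknown_aspx": [], "high_volume": []}
    bytes_by_ip = defaultdict(int)
    for r in parse_w3c(text):
        stem = r["cs-uri-stem"].lower()
        status = int(r["sc-status"])
        bytes_by_ip[r["c-ip"]] += int(r.get("sc-bytes", "0"))
        in_layouts = "/_layouts/" in stem
        # Rule 1: an anonymous ("-" username) POST to a back-end layouts page that
        # succeeded. Legitimate users of these pages are normally authenticated.
        if (in_layouts and r["cs-method"] == "POST"
                and r["cs-username"] == "-" and 200 <= status < 300):
            findings["unauth_post"].append(r)
        # Rule 2: an .aspx under /_layouts/ that a clean install does not ship.
        # A web shell dropped into that directory shows up here.
        if (in_layouts and stem.endswith(".aspx")
                and posixpath.basename(stem) not in known_pages):
            findings["unknown_aspx"].append(r)
    # Rule 3: total bytes served to one client over the window; large totals from
    # an unfamiliar address are the "unusual traffic pattern" to chase.
    for ip, total in sorted(bytes_by_ip.items()):
        if total > byte_threshold:
            findings["high_volume"].append((ip, total))
    return findings


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for rule, hits in result.items():
        print(f"{rule}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

Run against a real server, the text would come from the log files under the IIS log directory rather than the constructed string, and the three rules are a starting point for a hunt, not a verdict: every hit on rule 2 should be checked against the file's creation time and contents before it is removed, and the byte threshold should be set from the server's own normal traffic.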

Eye Security said it would begin private briefings with its clients this week to walk through containment and clean-up procedures.

“The hard part isn’t removing the malware,” said Bernard. “It’s knowing what they took — and for how long they were watching.”
