Global Cyber Espionage Linked to Microsoft SharePoint Flaw
LONDON, July 22 – A recent security patch from Microsoft has not fully addressed a significant vulnerability in its SharePoint server software that was first uncovered in May. This oversight has potentially opened the door to an extensive cyber espionage campaign affecting roughly 100 organizations over the weekend.
While it’s still unclear who is orchestrating this operation, Google has indicated a connection to what they describe as a “China-nexus threat actor,” drawing on their insights into internet traffic patterns.
The Chinese Embassy in Washington has not released any comments regarding the situation. Despite regular speculation about state-sponsored cyberattacks linked to China, the government has persistently denied involvement in such activities.
As of Tuesday, Microsoft had not provided further details on the patch’s effectiveness.
This vulnerability was initially highlighted during a hacking competition in Berlin organized by Trend Micro, where rewards were offered for discovering flaws in popular software. A significant $100,000 prize was put on the table for “zero-day” exploits associated with SharePoint, the prominent platform for document management and collaboration.
A researcher affiliated with Viettel, a telecommunications firm operated by Vietnam’s military, discovered a bug in SharePoint, referred to as ‘ToolShell’, and demonstrated how it could be exploited. The researcher earned the $100,000 reward for this finding, as noted by Trend Micro’s “Zero Day Initiative” on social media. However, a spokesperson for Trend Micro did not respond to inquiries regarding the competition this week.
Following this, on July 8, Microsoft announced that it had acknowledged the bug, classified it as critical, and distributed patches to resolve the issue.
Yet, only about ten days later, there was a noticeable surge in malicious online activities aimed at exploiting the same vulnerabilities in SharePoint servers. British cybersecurity firm Sophos noted that “threat actors subsequently developed exploits that seem to circumvent these patches.”
The range of potential targets tied to ToolShell remains extensive. Data from Shodan, a search engine for internet-connected devices, indicates that over 8,000 servers might already be at risk from hackers. Meanwhile, the Shadowserver Foundation, which monitors internet vulnerabilities, estimates this number at over 9,000, though they cautioned that this is likely a minimal figure.
The impacted servers span a variety of sectors, including major industrial corporations, financial institutions, auditing firms, healthcare companies, and both U.S. state and international government bodies.





