Victim Profiles in Microsoft SharePoint Attacks Point to Targeted Intelligence Campaign, Researchers Say

Aug 01, 2025 - 10:03

Updated: 10 months ago

Victim Profiles in Microsoft SharePoint Attacks Point to Targeted Intelligence Campaign, Researchers Say

Eye Security, a Netherlands-based cybersecurity company that has been tracking Microsoft SharePoint attack victims, says an analysis of victims shows that nearly a third were government sector systems.

“From the data, it’s clear this wasn’t a random or opportunistic campaign. The attackers knew exactly what they were looking for,” Lodi Hensen, Eye Security vice president of security operations, said on July 29 in a blog post.

Microsoft identified two Chinese state-sponsored groups and a separate China-based group among the perpetrators.

Multiple U.S. agencies have confirmed they were subject to the mass exploit, including the National Nuclear Security Administration and the National Institutes of Health.

Out of 396 compromised systems confirmed by Eye Security’s scan of more than 27,000 SharePoint systems in the first week of the breach, education sector systems accounted for 13 percent of the victims, second after government targets.

Eye Security said this strongly suggested an intelligence-led operation. In its initial overview of the cyberattacks, the security company noted this was a “stealthy” operation aimed at extracting and leaking encrypted secrets, and enabled complete remote access.

The majority of the successful attacks were against systems in the United States, which accounted for 18 percent of the victims. The East African country of Mauritius, which was recently awarded sovereignty over the Chagos Islands, where a strategically important U.S.–UK airbase sits, accounted for 8 percent of the compromised systems. Germany accounted for 7 percent of confirmed infections and France 5 percent. Eye Security noted that while only two organizations in Jordan were compromised, those systems experienced “an unusually high volume of attacks.”

Besides government and education, software as a service (SaaS) providers, telecom providers, and power grids were targets of focused efforts.

“These sectors are known to hold high-value data and serve as intelligence-rich entry points into broader networks,” Eye Security stated in its blog post.

Multiple Waves of Attacks

Eye Security was the first to detect the mass exploitation of the SharePoint vulnerability on July 18.

The exploit, which was first confirmed during the Pwn2Own Berlin hacking competition in February, was originally a “zero-day” exploit, meaning a cyberattack aimed at a previously unknown software vulnerability that vendors had had zero days to patch.

Microsoft had on July 8 patched that exploit shared in the Berlin conference. The original exploit was then replicated and shared on social media platform X by a third party just days before the mass attacks began.

In a July 29 update, Eye Security counted more than 8,000 unpatched systems remaining exposed online.

Eye Security confirmed that an initial wave of attacks happened on July 17 as a possible test phase, and the first wave of widely successful attacks was carried out around 6 p.m. UTC on July 18. A second wave followed the next morning, and multiple waves followed beginning July 21.

Microsoft disclosed in a July 19 alert to customers that a SharePoint vulnerability was being exploited, giving guidance on how to prevent these cyberattacks. Notably, the exploit affected on-premise SharePoint servers that are set to reach the end of their service cycle next year. The enterprise SharePoint Online versions were not affected.

The researchers said infections continued to rise even after Microsoft released subsequent patches, suggesting that infected and patched systems are still vulnerable.

“A patch alone doesn’t eliminate an attacker who’s already inside. The delay between exploitation and remediation can be devastating—especially for mid-sized organisations without round-the-clock threat detection,” Hensen said in the blog.

Subsequent waves of attacks also broadened in targets, suggesting new attackers beyond the initial Chinese state-sponsored intelligence operation.

“In incidents like these, it’s not uncommon to see a rapid shift: once an exploit becomes public and technical details begin to circulate, other state and non-state actors tend to follow. That includes cybercriminal groups with very different motives, especially those focused on financial gain,” Hensen said in the Eye Security blog.

Hensen told The Epoch Times via email that once the exploit was made public, they observed “signs of opportunistic activity by less‑sophisticated actors.”

“We observed increased mass scanning, more automated exploitation attempts, and a shift from mainly government targets to include mid‑sized businesses,” Hensen said.

Intelligence operations often hit big organizations first, and mid-sized organizations may be exposed in subsequent waves, said the researchers, who expect the exploit to be abused in the following weeks before organizations have patched and followed best practices to secure their systems, like rotating machine keys.

“Patching alone is not enough. We advise running full forensic investigations, reviewing and resetting credentials, monitoring for indicators of compromise, and preserving evidence for investigation,” Hensen said.