
Microsoft confirms China link to SharePoint hacks

Microsoft confirms two known China-nexus threat actors, and one other suspected state-backed hacking group, are exploiting vulnerabilities in SharePoint Server.

Microsoft has revealed that Chinese state threat actors are actively targeting and exploiting a highly-dangerous new zero-day vulnerability in SharePoint Server, confirming earlier reports from Google Cloud’s Mandiant and others.

In a newly-published update, Microsoft said that two named threat actors – Linen Typhoon and Violet Typhoon – were targeting internet-facing SharePoint instances. Additionally, it said, an actor currently tracked as Storm-2603 is also working on exploits. Redmond said it is also investigating other actors using the exploits, and anticipates that they will be rapidly integrated into further downstream attacks.

“As noted in our blog this morning, Microsoft has released new comprehensive security updates for all supported versions of SharePoint Server, Subscription Edition, 2019, and 2016, that protect customers against these vulnerabilities,” a Microsoft spokesperson told Computer Weekly.

“In addition, we also have released hunting and mitigation guidance to customers via the 19 July MSRC blog as well as today's MSTIC blog. Our guidance to customers is that they apply these updates immediately to ensure they are protected. We have now provided updates for all the known vulnerabilities.”

The vulnerabilities in scope, CVE-2025-53770 and CVE-2025-53771, bypass the fixes for previously disclosed flaws tracked as CVE-2025-49704 and CVE-2025-49706. The first and more serious of the two enables full remote code execution (RCE) and affects all supported versions of SharePoint Server.

Microsoft said that, based on known tactics, techniques and procedures (TTPs) employed by Linen Typhoon, Violet Typhoon and Storm-2603, it had been able to identify attempted exploits against CVE-2025-49704 and CVE-2025-49706 on or around 7 July 2025.

Typhoon blowing in

Microsoft’s threat actor naming taxonomy, which was updated in 2023, classifies distinct threat actors using weather-themed names to make it easier for customers and researchers to recognise threats and understand what they might be dealing with.

Under this system, Blizzard refers to Russian threat actors, Sandstorm to Iranian ones, Sleet to North Korea, and Typhoon to China. Tempest is used to classify financially-motivated gangs like ransomware actors, and Storm refers in this instance to ‘groups in development’.

In this case, Linen Typhoon and Violet Typhoon refer to two distinct clusters of China-nexus threat activity.

Linen Typhoon has been active since about 2012 and is generally focused on stealing intellectual property from its victims – this has long been a key objective of China’s cyber espionage tasking. Its hackers primarily target organisations linked to government, defence, strategic planning and human rights. It primarily favours ‘drive-by’ compromise and often relies on existing, unpatched exploits to infiltrate its victims.

Violet Typhoon has been active since 2015 and focuses on more pure-play espionage activity, targeting ex-government and military personnel, non-governmental organisations (NGOs), think-tanks, higher education institutions, media, financial, and healthcare organisations. Its victims tend to be concentrated in East Asia, Europe and North America. Its modus operandi is to scan for vulnerabilities in exposed web infrastructure and exploit the weaknesses it discovers to install web shells.

Meanwhile, Storm-2603 is only suspected to be a Chinese threat actor, as links between it and other APTs have not yet been firmed up. Microsoft is tracking it in association with attempts to steal machine keys via the SharePoint vulnerabilities. Interestingly, Storm-2603 has been observed acting as a ransomware affiliate for, among others, LockBit, but Microsoft’s analysts say they cannot yet assess its true objectives with much confidence.

The Microsoft research team stressed that additional actors will likely use the SharePoint exploits to target unpatched, on-premises systems, emphasising the need for users to take proactive steps immediately.
