A critical security vulnerability in Microsoft’s SharePoint servers has triggered a rapidly expanding wave of cyberattacks, with the number of compromised organizations surging more than sixfold in just a few days, according to Dutch cybersecurity firm Eye Security.
Initially estimated at around 60 victims, the tally has now climbed to over 400 organizations worldwide, including government agencies, corporations, universities, and other institutions. Eye Security, which first identified the breach last week, warns that the actual number of affected entities could be significantly higher due to the stealthy nature of the exploit.
The majority of confirmed victims are based in the United States, followed by Mauritius, Jordan, South Africa, and the Netherlands. In South Africa, Eye Security confirmed breaches at a car manufacturing firm, a university, several local government bodies, and a federal government agency. Two additional organizations were also affected, with details shared with the country’s Computer Security Incident Response Team (CSIRT).
South Africa’s National Treasury acknowledged the presence of malware on its Infrastructure Reporting Model website and has sought assistance from Microsoft. However, it emphasized that its systems remain operational. The South African Reserve Bank confirmed that its systems were not compromised.
In the U.S., the breach has impacted several high-profile institutions, including the National Nuclear Security Administration (NNSA)—the agency responsible for the country’s nuclear arsenal—and the National Institutes of Health (NIH). A spokesperson for the Department of Health and Human Services stated that while the department is actively monitoring the situation, there is currently no evidence of data breaches.
The U.S. Education Department, Florida’s Department of Revenue, and the Rhode Island General Assembly were also reportedly affected.
Microsoft has attributed the attacks to Chinese state-sponsored hacking groups, including Linen Typhoon, Violet Typhoon, and Storm-2603. These groups are known for espionage operations targeting government, defense, and civil society organizations. Microsoft noted that the attackers exploited the SharePoint vulnerability to steal authentication keys, allowing them to impersonate users and gain deep access to internal systems.
The Chinese Foreign Ministry responded by denying involvement, stating that China opposes hacking and supports international cooperation on cybersecurity. However, cybersecurity experts suggest that proxy groups or private contractors may be executing the attacks on behalf of the Chinese state.
According to Eye Security, the vulnerability is being exploited in waves. Initially used in targeted, covert attacks, the flaw is now being leveraged more broadly by opportunistic threat actors.
This is still developing, and other adversaries continue to exploit vulnerable servers. The real number of victims might be much higher, as many compromises leave no immediate trace.
Vaisha Bernard, Co-owner of Eye Security
Sveva Scenarelli, a threat analyst at Recorded Future, explained that once attackers gain access, they often prioritize high-value targets, establish persistence, and exfiltrate sensitive data over time.
Microsoft has issued security patches to address the SharePoint vulnerability, but experts caution that many systems may have already been compromised before the fixes were applied. The company has faced criticism for previous lapses, including a 2023 breach that exposed senior U.S. officials’ emails, prompting a government review that cited a “cascade of security failures.”
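The two points above, that the attackers took authentication keys in order to impersonate users and that a patch applied after compromise does not by itself undo that, are easiest to see with a small model. The following is an added example written for this page; it is not code from the article, from Eye Security or from Microsoft, and the toy HMAC-signed token scheme, the `TokenAuthority` class and the `simulate_incident` walk-through are constructed stand-ins for a server-side signing key, not SharePoint's actual mechanism. It shows that any party holding the key can mint tokens the server accepts, that closing the disclosure path leaves those tokens valid, and that rotating the key is what finally rejects them.

```python
# Added illustration (not from the article): a stolen signing key keeps working
# after the vulnerability itself is patched; only key rotation invalidates it.
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def sign_token(kid: str, key: bytes, payload: dict) -> str:
    """Serialise payload and sign it under the key identified by kid."""
    body = base64.urlsafe_b64encode(
        json.dumps(payload, sort_keys=True).encode()
    ).decode()
    mac = hmac.new(key, f"{kid}.{body}".encode(), hashlib.sha256).hexdigest()
    return f"{kid}.{body}.{mac}"


class TokenAuthority:
    """Toy stand-in for a server that signs identity tokens with a secret key.
    (Hypothetical model, not SharePoint's real authentication code.)"""

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}
        self.current_kid = ""
        self.rotate_key()

    def rotate_key(self) -> str:
        """Generate a fresh key and make it the only key the server accepts."""
        kid = secrets.token_hex(4)
        self._keys = {kid: secrets.token_bytes(32)}  # retired keys are dropped
        self.current_kid = kid
        return kid

    def issue(self, user: str, ttl: int = 3600) -> str:
        payload = {"sub": user, "exp": int(time.time()) + ttl}
        return sign_token(self.current_kid, self._keys[self.current_kid], payload)

    def verify(self, token: str) -> Optional[str]:
        """Return the user a token identifies, or None if it is not acceptable."""
        parts = token.split(".")
        if len(parts) != 3:
            return None
        kid, body, mac = parts
        key = self._keys.get(kid)
        if key is None:
            return None  # unknown or retired key id
        expected = hmac.new(key, f"{kid}.{body}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return None
        try:
            payload = json.loads(base64.urlsafe_b64decode(body))
        except ValueError:
            return None
        if not isinstance(payload, dict) or payload.get("exp", 0) < time.time():
            return None
        return payload.get("sub")

    def current_key_material(self) -> tuple:
        """Constructed stand-in for the key disclosure the article describes."""
        return self.current_kid, self._keys[self.current_kid]


def simulate_incident() -> dict:
    """Walk through: key disclosed -> token minted with it -> disclosure path
    closed (nothing about the key changes) -> key rotated."""
    authority = TokenAuthority()
    legitimate = authority.issue("alice")
    leaked_kid, leaked_key = authority.current_key_material()
    # Anyone holding the key can produce a token the server cannot tell apart
    # from its own; this is the impersonation the article refers to.
    minted = sign_token(leaked_kid, leaked_key,
                        {"sub": "admin", "exp": int(time.time()) + 86400})
    results = {"minted_accepted_before_fix": authority.verify(minted) == "admin"}
    # "Patching" in this model is a no-op on purpose: closing the disclosure
    # path does not alter the key already taken, so the token still verifies.
    results["minted_accepted_after_patch"] = authority.verify(minted) == "admin"
    authority.rotate_key()
    results["minted_accepted_after_rotation"] = authority.verify(minted) == "admin"
    # Rotation also invalidates every legitimate token issued under the old key.
    results["legitimate_accepted_after_rotation"] = authority.verify(legitimate) == "alice"
    return results


if __name__ == "__main__":
    for step, accepted in simulate_incident().items():
        print(f"{step}: {'accepted' if accepted else 'rejected'}")
```

The last line of the walk-through is the operational caveat: rotating the key rejects the attacker's tokens but also every legitimate session signed under the old key, so the rotation has to be planned for as a forced re-authentication rather than treated as a silent fix.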
The breach comes amid heightened tensions between the U.S. and China over cybersecurity and trade. U.S. Treasury Secretary Scott Bessent, who is scheduled to meet Chinese officials in Stockholm next week, confirmed that the SharePoint attacks will be on the agenda.
Obviously, things like that will be on the agenda with my Chinese counterparts.
Scott Bessent, U.S. Treasury Secretary
What’s at Stake
While classified networks like those at the NNSA are typically air-gapped and isolated from the internet, experts warn that sensitive but unclassified data—such as information on nuclear materials—could still be at risk. “There are categories of information that may be treated with less care and might have been exposed,” said Edwin Lyman, Director of Nuclear Power Safety at the Union of Concerned Scientists.