A widespread cyberattack exploiting a vulnerability in Microsoft’s SharePoint servers has compromised several organizations in South Africa, according to Eye Security, a Dutch cybersecurity firm that first detected the breach last week.
The attack is part of a broader global campaign that has affected approximately 400 entities, including government agencies, corporations, and other institutions. While the confirmed number is significant, Eye Security warns that the actual figure could be much higher.
Eye Security reports that the majority of victims are located in the United States, followed by Mauritius, Jordan, South Africa, and the Netherlands. In South Africa, the compromised organizations span multiple sectors, including:
- A car manufacturing company
- A university
- Several local government entities
- A federal government department
Two additional organizations have also been impacted, though their identities remain undisclosed. Details of the breach have been shared with South Africa’s Computer Security Incident Response Team (CSIRT) for further investigation and mitigation.
In a statement issued on Wednesday, South Africa’s National Treasury confirmed the detection of malware on its Infrastructure Reporting Model website. The department is now working with Microsoft to assess and resolve the issue.
“Despite these events, NT’s systems and websites continue to operate normally without any disruption,” the Treasury said. Meanwhile, the South African Reserve Bank (SARB) responded to inquiries by stating that none of its systems have been breached.
Microsoft’s SharePoint is widely used across South African institutions for document storage, collaboration, and internal communications. Many organizations host SharePoint on-premises, believing it offers greater control and security. However, Microsoft has warned that on-premises deployments are particularly vulnerable to this latest wave of attacks.
The company confirmed that attackers are specifically targeting clients who manage their own SharePoint servers, rather than those using Microsoft’s cloud-hosted solutions.
Cybersecurity experts are urging organizations to patch their systems immediately, review access logs, and strengthen internal security protocols. The incident highlights the growing risks associated with self-hosted enterprise software and the importance of proactive cybersecurity measures.
As investigations continue, South African authorities and affected entities are working to contain the breach and prevent further exploitation.