
Massive SharePoint Cyberattack Exposes Global Vulnerabilities in On-Prem Servers

A new, large-scale cyberattack is actively targeting Microsoft SharePoint servers—and it’s not just another headline. This time, the incident could affect tens of thousands of organizations across government, education, and energy sectors worldwide. First detected on July 18, the attack has already compromised servers, with two waves of intrusion reported in under 24 hours. What makes this breach so serious? It’s not happening in Microsoft’s cloud—only on on-premises SharePoint installations, many of which are still widely used by organizations with sensitive data.

What Happened?

The attack was first flagged by Netherlands-based cybersecurity firm Eye Security, which observed a zero-day vulnerability—a previously unknown flaw in SharePoint software. This vulnerability allows threat actors to:

  • Steal digital keys without login credentials
  • Plant malware remotely
  • Access internal files and sensitive data
  • Move laterally across connected apps like Teams and Outlook

Because SharePoint often acts as the hub for organizational collaboration, a single breach here can ripple through an entire network—leading to data theft, password compromise, and full-scale infrastructure infiltration.

Who’s at Risk?

According to security researchers and reports from The Washington Post, this cyberattack has already affected:

  • U.S. federal agencies
  • Universities and public schools
  • Energy and commercial enterprises

The Cybersecurity and Infrastructure Security Agency (CISA) and FBI are currently investigating. While the full scope isn’t known yet, analysts say thousands of SharePoint servers are likely vulnerable or already breached.

“Anybody who’s got a hosted SharePoint server has got a problem.” — Adam Meyers, CrowdStrike

What Is Microsoft Doing About It?

Microsoft confirmed the attack on July 19 and quickly released emergency patches for:

  • SharePoint Subscription Edition
  • SharePoint Server 2019

Additional patches for SharePoint 2016 and other supported 2019 versions are still in development. The company also published a detailed security guidance blog post outlining remediation steps.

What Should You Do If You Use SharePoint On-Prem?

If your organization runs a local SharePoint server (i.e., not through Microsoft 365), experts suggest you should assume a breach has already occurred.

Here’s what Microsoft and security professionals recommend:

  1. Update Immediately: Apply all July 2025 security patches.
  2. Verify Antivirus Protection: Ensure AMSI is on and connected to Defender Antivirus or another solution.
  3. Use Endpoint Detection: Enable Microsoft Defender for Endpoint or a similar EDR solution.
  4. Rotate Keys: Update your SharePoint ASP.NET machine keys.
  5. Audit Your Logs: Monitor for abnormal access or lateral movement.
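For step 5, here is one way to start a log audit. This is an added example, not code from Microsoft or the researchers quoted here. It reads IIS logs in W3C extended format and groups successful requests to SharePoint `/_layouts/` pages that carried no authenticated user, matching the "without login credentials" behaviour described above. The sample log lines, page names and IP addresses are constructed, and the heuristic assumes a farm where anonymous access is not normally enabled.

```python
from collections import defaultdict

# Constructed sample in IIS W3C extended format (not real traffic).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2025-07-18 18:02:11 GET /_layouts/15/start.aspx CONTOSO\\alice 10.0.0.21 200
2025-07-18 18:05:40 POST /_layouts/15/example-page.aspx - 198.51.100.7 200
2025-07-18 18:05:42 GET /_layouts/15/example-upload.aspx - 198.51.100.7 200
2025-07-18 18:06:03 POST /_layouts/15/start.aspx - 10.0.0.33 401
2025-07-18 18:06:04 POST /_layouts/15/start.aspx CONTOSO\\bob 10.0.0.33 200
"""

def parse_w3c(lines):
    """Yield one dict per request, using the most recent #Fields: header."""
    fields = []
    for line in lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or corrupt rows
                yield dict(zip(fields, values))

def anonymous_layouts_hits(lines, methods=("POST",)):
    """Group successful, unauthenticated /_layouts/ page requests by client IP."""
    hits = defaultdict(list)
    for r in parse_w3c(lines):
        stem = r.get("cs-uri-stem", "").lower()
        if (r.get("cs-method") in methods
                and r.get("cs-username") == "-"          # no authenticated user
                and r.get("sc-status", "").startswith("2")  # request succeeded
                and stem.startswith("/_layouts/") and stem.endswith(".aspx")):
            hits[r["c-ip"]].append((r["date"], r["time"], r["cs-method"], stem))
    return dict(hits)

if __name__ == "__main__":
    for ip, rows in anonymous_layouts_hits(SAMPLE_LOG.splitlines()).items():
        for row in rows:
            print(ip, *row)
```

Treat each hit as a lead to review against known clients and change windows, not as proof of compromise.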

Why This Matters (Beyond Just Microsoft)

This incident underscores a broader issue: on-premises enterprise tools are increasingly targeted by advanced cyberattacks—especially when connected to broader cloud-based systems like Microsoft 365. Zero-day vulnerabilities give attackers a head start, often before patches even exist.

This attack follows a pattern. Just last year, Microsoft faced breaches involving Russian-backed hackers and Chinese espionage. These are no longer isolated events—they reflect a shift toward attacking foundational IT infrastructure.

Takeaway: Time to Rethink On-Prem Security?

If your organization still relies on on-prem SharePoint, it might be time to consider cloud migration. Microsoft has shown more agility in securing its cloud-based services, and the urgency to modernize has never been clearer.

What are you doing to protect your digital infrastructure from zero-day exploits?
Share your thoughts in the comments—or let us know if you’re planning a shift to the cloud.

 


Copyright © 2022 Inventrium Magazine