
Microsoft Issues Urgent Security Alert Over SharePoint Zero-Day Attacks



Microsoft has issued a critical security alert for organizations running on-premises versions of SharePoint, warning of active zero-day cyberattacks that allow malicious actors to bypass security measures and infiltrate sensitive internal systems.


The company’s advisory, released Saturday, urges all affected users to immediately apply security updates to prevent further exploitation. The cloud-based SharePoint Online, part of Microsoft 365, is not impacted.

Vulnerability Enables Spoofing and Identity Attacks

The flaw allows authenticated attackers to launch spoofing attacks across organizational networks, impersonating trusted users or systems. This can lead to unauthorized access, data exfiltration, and manipulation of communications, Microsoft said. “Attackers are bypassing identity controls, including MFA and SSO, to gain privileged access,” said Michael Sikorski, CTO at Palo Alto Networks’ Unit 42. “Once inside, they’re exfiltrating sensitive data, deploying persistent backdoors, and stealing cryptographic keys.”

The attacks exploit SharePoint’s deep integration across Microsoft’s ecosystem — including Office, Outlook, Teams, and OneDrive — making the breach potentially far-reaching.

Government and Enterprise Targets Affected

The Washington Post reported that the breach has affected U.S. and international government agencies, hospitals, schools, and major enterprises. The FBI confirmed it is investigating and coordinating with federal and private sector partners but declined to release further details.

The threat’s classification as a zero-day vulnerability means the exploit was unknown to both Microsoft and cybersecurity researchers before being discovered in active use.

Microsoft’s Response and Recommendations

Microsoft has already released a patch for SharePoint Subscription Edition and is working on updates for SharePoint 2016 and 2019. For organizations unable to apply immediate fixes, the company strongly recommends disconnecting affected servers from the internet. “A compromise doesn’t stay contained—it opens the door to the entire network,” Sikorski emphasized.


Microsoft has not yet provided a timeline for additional patches but is actively working with partners to mitigate the threat. Palo Alto Networks is also helping notify impacted customers and deliver updated threat intelligence.

What Organizations Should Do Now

  • Apply Microsoft’s latest security updates if using SharePoint Subscription Edition
  • Disconnect vulnerable on-prem SharePoint servers from external networks if patching isn’t possible
  • Conduct full security reviews of any connected systems, including Office, Teams, Outlook, and OneDrive
  • Monitor for unusual activity, especially around identity access and privileged accounts

Faraz Khan is a freelance journalist and lecturer with a Master’s in Political Science, offering expert analysis on international affairs through his columns and blog. His insightful content provides valuable perspectives to a global audience.