Microsoft Attributes SharePoint Server Attacks to Chinese Hackers
July 23, 2025 — Microsoft has announced that a sophisticated cyberattack targeting its SharePoint server infrastructure has been traced to a state-sponsored hacking group operating out of China. The company revealed the findings in a recent threat intelligence report, underscoring growing concerns over state-backed cyber activity aimed at critical enterprise systems.
According to Microsoft, the attackers exploited a previously unknown vulnerability in SharePoint, allowing them to gain unauthorized access to sensitive information on targeted networks. The campaign is believed to have been active for several months before detection.
The hacking group, identified by Microsoft as part of the broader “Storm” threat actor network, reportedly focused on government agencies, defense contractors, and high-tech firms. While Microsoft did not publicly name a specific group, security experts say the techniques and infrastructure used align with known operations of APT (Advanced Persistent Threat) groups with ties to Beijing.
“We have high confidence that this campaign was carried out by a China-based threat actor with a history of targeting enterprise collaboration tools,” Microsoft said in its advisory. “This operation demonstrates a continued focus on data exfiltration and long-term access to strategic information.”
The company has released patches and mitigation guidelines for affected organizations and urged all customers to apply the updates immediately. Microsoft is also working closely with U.S. cybersecurity agencies and international partners to assess the full scope of the breach.
The Chinese government has routinely denied involvement in cyber-espionage campaigns. In response to Microsoft’s report, a spokesperson for China’s Ministry of Foreign Affairs stated, “China firmly opposes all forms of cyberattacks and maintains that any accusations must be based on clear evidence.”
Cybersecurity analysts warn that this latest incident reflects a broader trend of targeting widely used enterprise platforms like SharePoint, which are often deployed across sensitive sectors but can be difficult to secure comprehensively.
“This attack underscores the importance of proactive threat monitoring and rapid vulnerability management,” said Laura Kim, a senior analyst at Mandiant. “State-aligned actors are constantly evolving their tactics to exploit even niche software exposures.”
Microsoft has committed to continuing its investigation and sharing further technical details with industry partners to bolster collective defense efforts.
