28 Jul, 2025

Microsoft continues to deal with the impact of an attack targeting its
Source: Craig T Fruchtman/Getty Images Entertainment via Getty Images
Even as enterprises and government agencies assess the impact of an attack targeting Microsoft Corp.'s on-premises SharePoint servers, experts say the incident exposed key vulnerabilities in private and public cyber resiliency.
Microsoft confirmed in the week of July 21 that it observed two cyberthreat actors — Linen Typhoon and Violet Typhoon — exploiting vulnerabilities targeting internet-facing on-premises Microsoft SharePoint servers. A third actor, Storm-2603, was also identified as a potential threat and has been deploying Warlock ransomware, according to a Microsoft threat intelligence report. While the scope of the attack is still being investigated, cybersecurity firm Eye Security said its scan of 23,000 SharePoint servers worldwide had found more than 400 systems actively compromised. Various federal agencies — including the Energy Department's National Nuclear Security Administration — are among those impacted.
The incident is a significant one for Microsoft and came roughly a year after a faulty software update from CrowdStrike Holdings Inc. caused 8.5 million Windows devices to crash. That incident and its repercussions — including delayed flights, payment outages and media disruptions — raised questions about the access Microsoft was giving outside vendors to its kernel, which provides visibility into the inner workings of the Microsoft operating system.
With two major incidents coming so closely together, the SharePoint attack will likely cause additional reputational damage, said New York University School of Professional Studies adjunct professor Nick Reese.
Reese pointed to the pace of patches the company has needed to push out in response to the breaches, as it looks to protect customers using different versions of its SharePoint server software.
"Targeting on-premise servers only was likely intentional in order to gain access to sensitive data that was deliberately not stored in the cloud," Reese said. "SharePoint offers an attractive target for those attempting to access intellectual property or large volumes of data not otherwise available."
Microsoft did not respond to a request for comment.
Preventing future attacks
Anurag Lal, CEO and president of NetSfere, said the SharePoint vulnerability was significant because of how IT systems are integrated into government agencies' operations.
Agencies that heavily rely on SharePoint for document repositories, intranet portals and workflow automation were likely to have experienced most of the impact of the outages, Lal added. The outages could also compromise access to historical or policy documents and delay key decisions, he said.
"When a core tool becomes unstable, it exposes single points of failure that can disrupt the agency's ability to execute its core mission," Lal said. "This incident also highlights a critical need: agencies must architect for disruption, not just uptime. When a single outage can paralyze collaboration, halt services and trigger emergency response protocols, it's clear that resilience can't be an afterthought. It must be built in."
The vast majority of agencies rely on Microsoft 365 cloud services without any built-in failsafe for email, leaving many government workers disconnected, said Pete Nicoletti, global chief information security officer at Check Point Software Technologies Ltd.
"These two events — a major outage and an active zero-day exploit — serve as a wake-up call," Nicoletti said. "They underscore the vulnerability of both cloud and [on-premise] environments when not paired with hardened identity, segmentation, endpoint protection and patch orchestration."
Consumer readiness
Marijus Briedis, chief technology officer at NordVPN, said the SharePoint attack could have implications for consumers, beyond agencies and enterprises. Briedis noted that cyberattacks on major employers, banks and healthcare providers often lead to data theft and password harvesting.
"For consumers, it reminds them why they can't rely on organizations to protect their data," Briedis said. "When they're compromised, your information becomes available to cybercriminals immediately."
Briedis said consumers should follow basic best practices, including using strong, unique passwords and enabling multi-factor authentication wherever possible.
"Assuming your data will eventually be breached is the only realistic approach," Briedis said.
Government response
As to the government's response, New York University's Reese noted that the SharePoint attack came roughly six months after the Trump administration dismissed all of the Department of Homeland Security's advisory committees, including the Cyber Safety Review Board. Established under former President Joe Biden, the board was tasked with reviewing and assessing significant cyber incidents to make concrete recommendations that would drive improvements within the private and public sectors.
When the Cyber Safety Review Board was disbanded in January, it was investigating the Salt Typhoon 2024 hack, which targeted telecom companies, including Verizon Communications Inc., AT&T Inc., T-Mobile US Inc., Spectrum Brands Holdings Inc., Lumen Technologies Inc., Consolidated Communications Holdings Inc. and Windstream.
In a statement emailed to S&P Global Market Intelligence, Marci McCarthy, director of public affairs at the Cybersecurity and Infrastructure Security Agency (CISA), noted that the board had always been "retrospective in nature and has never been involved in incident response."
With regard to the ongoing SharePoint incident, McCarthy added, "CISA quickly launched a national coordinated response through an initial alert and two cybersecurity updates. CISA has been working around the clock with Microsoft, impacted agencies and critical infrastructure partners to share actionable information, apply mitigation efforts, implement protective measures and assess preventative measures to shield from future attacks."