A sophisticated cyber espionage campaign exploiting a previously unknown vulnerability in Microsoft’s self-hosted SharePoint servers has impacted approximately 100 organizations worldwide, cybersecurity experts revealed on July 21, 2025. Because the flaw was being exploited before any fix existed, the attack is classed as a “zero-day” exploit, and it has raised alarms about backdoors that could grant the attackers ongoing access to sensitive systems even after the vulnerability itself is patched.
Scope of the Attack
Microsoft issued an alert on July 19, confirming “active attacks” targeting SharePoint servers, widely used for document sharing and collaboration within organizations. The breach, discovered by Netherlands-based Eye Security on July 18, affects self-hosted servers, leaving cloud-based SharePoint instances untouched. A joint internet scan by Eye Security and the Shadowserver Foundation identified nearly 100 victims, primarily in the United States and Germany, including government entities, industrial firms, banks, auditors, and healthcare organizations.
Vaisha Bernard, chief hacker at Eye Security, described the findings as “unambiguous,” warning that the number of compromised systems could grow as the exploit becomes more widely known. The Shadowserver Foundation corroborated the figure, noting that national authorities have been informed, though specific victim identities remain undisclosed.
Nature of the Exploit
The zero-day vulnerability allows hackers to infiltrate vulnerable servers, potentially installing backdoors for persistent access. Rafe Pilling, director of Threat Intelligence at Sophos, suggested the attack appears to be the work of a single hacker or group, though he cautioned that this could change rapidly. Daniel Card of PwnDefend, a British cybersecurity consultancy, highlighted the “broad level of compromise” across global servers, noting that over 8,000 servers indexed by Shodan could be at risk.
Response and Recommendations
Microsoft has released security updates and urged customers to apply them promptly. However, experts emphasize that patching alone is insufficient: a server that was exploited before the update was applied may already carry a backdoor, which the patch does nothing to remove. “Taking an assumed breach approach is critical,” Card advised, urging organizations to enhance monitoring and conduct thorough investigations to detect lingering threats. The FBI, aware of the attacks, is collaborating with federal and private-sector partners, while the UK’s National Cyber Security Centre reported a “limited number” of UK targets.
Ongoing Concerns
The campaign’s origins remain unclear, with early indications pointing to a targeted focus on government-related organizations. The vast pool of vulnerable servers underscores the urgency of robust cybersecurity measures. As Bernard noted, “Who knows what other adversaries have done since to place other backdoors?” The incident highlights the growing sophistication of cyber threats and the need for organizations to prioritize proactive defense strategies to safeguard critical systems.