
Chinese Cyber Espionage Groups Exploit SharePoint Vulnerabilities in Coordinated Attacks, Microsoft Warns


Microsoft has issued a new warning about a series of active cyberattacks targeting vulnerable SharePoint Server systems. These attacks have been formally linked to multiple Chinese state-sponsored threat actors, highlighting an urgent security risk to organizations still running unpatched, internet-facing SharePoint deployments.

The tech giant confirmed that three advanced persistent threat (APT) groups—Linen Typhoon, Violet Typhoon, and Storm-2603—have been exploiting previously identified vulnerabilities in SharePoint servers, using them as a stepping stone to gain unauthorized access to enterprise networks.

According to Microsoft, the malicious activity has been ongoing at least since July 7, 2025, and appears to be increasing in scope and sophistication. The company’s latest intelligence also aligns with earlier reports from other cybersecurity firms, reinforcing the seriousness of the campaign.

SharePoint Flaws Being Exploited

At the core of the attacks are vulnerabilities in on-premises SharePoint Server environments, including:

  • CVE-2025-49706 – a spoofing vulnerability

  • CVE-2025-49704 – a remote code execution (RCE) flaw

While Microsoft previously released patches for these issues, the threat actors found ways to bypass the original fixes. These patch bypasses have now been assigned their own CVE identifiers:

  • CVE-2025-53771

  • CVE-2025-53770

In real-world exploitation observed by Microsoft, attackers are targeting the SharePoint ToolPane endpoint using crafted POST requests. This method allows them to bypass authentication mechanisms and execute code remotely on the server. From there, attackers typically deploy a web shell—usually named spinstall0.aspx, spinstall1.aspx, or similar—giving them persistent backdoor access to the compromised environment.

This web shell provides access to sensitive server-side data, including MachineKey information, which can be used to facilitate lateral movement, further exploitation, or data theft.
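A defender-side triage helper for the activity described above, added here as an example; it is not code from Microsoft or from the article. It assumes the IIS W3C log layout shown in the constructed sample, the ToolPane path /_layouts/15/ToolPane.aspx, and that the web shells follow the spinstall<N>.aspx naming the report mentions.

```python
import re

# Paths/names assumed for this example (the article only names the "ToolPane
# endpoint" and web shells called spinstall0.aspx / spinstall1.aspx).
TOOLPANE_RE = re.compile(r"/_layouts/(?:15|16)/toolpane\.aspx$", re.IGNORECASE)
WEBSHELL_RE = re.compile(r"spinstall\d*\.aspx$", re.IGNORECASE)


def parse_w3c(lines):
    """Yield one dict per IIS W3C log entry, keyed by the #Fields header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            yield dict(zip(fields, line.split()))


def triage(lines):
    """Flag anonymous POSTs to ToolPane and any request for a spinstall* page."""
    findings = {"toolpane_posts": [], "webshell_requests": []}
    for entry in parse_w3c(lines):
        uri = entry.get("cs-uri-stem", "")
        # The report describes crafted POSTs that bypass authentication, so an
        # anonymous user ("-") on a ToolPane POST is the signal; an authenticated
        # site owner editing a page is normal and is not flagged.
        if (entry.get("cs-method") == "POST"
                and TOOLPANE_RE.search(uri)
                and entry.get("cs-username", "-") == "-"):
            findings["toolpane_posts"].append(entry)
        if WEBSHELL_RE.search(uri):
            findings["webshell_requests"].append(entry)
    return findings


def flag_webshell_names(names):
    """Return filenames (e.g. from the LAYOUTS directory) matching spinstall<N>.aspx, sorted."""
    return sorted(n for n in names if WEBSHELL_RE.fullmatch(n))


# Constructed sample log (not real data): one normal request, then the pattern.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip sc-status
2025-07-18 10:01:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\alice 10.0.0.21 200
2025-07-18 10:02:15 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 200
2025-07-18 10:02:16 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 200
""".splitlines()

if __name__ == "__main__":
    for kind, hits in triage(SAMPLE_LOG).items():
        print(kind, [(h["c-ip"], h["cs-uri-stem"]) for h in hits])
```

Point `parse_w3c` at a real `u_ex*.log` file and pass `os.listdir` of the LAYOUTS directory to `flag_webshell_names` to run the same checks on a live server.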

Groups Behind the Exploitation

Linen Typhoon

Also known as APT27, Bronze Union, Lucky Mouse, or Emissary Panda, this group has been active since at least 2012. Known for their use of tools like SysUpdate, HyperBro, and PlugX, Linen Typhoon has a long history of conducting cyber espionage campaigns targeting both private and government-sector networks.

Violet Typhoon

Active since around 2015, Violet Typhoon is also known as APT31 or Zirconium. The group has previously conducted campaigns against countries including the United States, Finland, and Czechia. They are known for targeting sensitive geopolitical and technology-related sectors.

Storm-2603

A newer China-based actor, Storm-2603 is believed to have ties to the deployment of both Warlock and LockBit ransomware. While not as well-documented as the other two groups, Microsoft’s report suggests that Storm-2603 has become increasingly active in exploiting unpatched SharePoint vulnerabilities as part of its initial access strategy.

Deeper Technical Analysis Reveals Sophisticated Behavior

Cybersecurity researcher Rakesh Krishnan contributed additional insights, gathered during forensic analysis of these attacks, into the tactics being used. In at least one case, investigators found that the exploitation process involved three different invocations of Microsoft Edge, including:

  • Network Utility Process

  • Crashpad Handler

  • GPU Process

Each of these processes has a legitimate role in the Chromium browser architecture. However, the attackers are believed to have used them strategically to mimic typical system behavior and evade sandbox detection tools.

Even more alarming, the malicious web shell used by the attackers was found to communicate using Google’s Client Update Protocol (CUP). By doing so, the attackers are able to disguise their traffic as routine browser update checks, making it far more difficult for defenders to detect or block the communication.

Recommended Mitigations for Organizations

In response to the threats, Microsoft has published a set of urgent mitigation recommendations. Organizations using SharePoint Server Subscription Edition, SharePoint Server 2019, or SharePoint Server 2016 should take the following actions without delay:

  1. Apply all recent SharePoint updates, including patches that address CVE-2025-53770 and CVE-2025-53771.

  2. Rotate the ASP.NET machine keys used by the SharePoint instance, so that any keys the attackers may have stolen can no longer be reused.

  3. Restart Internet Information Services (IIS) to ensure any exploited sessions are terminated.

  4. Deploy endpoint detection and response (EDR) tools, such as Microsoft Defender for Endpoint, or equivalent.

  5. Enable AMSI (Antimalware Scan Interface) and configure it to Full Mode for maximum threat visibility.

  6. Ensure that Microsoft Defender Antivirus or an equivalent security solution is installed and up to date across all systems.

These steps are necessary to reduce exposure and eliminate persistence mechanisms that threat actors may have left behind on compromised servers.

History of Chinese Threat Activity Targeting Microsoft Products

This is not the first time Microsoft has publicly attributed large-scale cyber campaigns to Chinese state-sponsored groups. In March 2021, a group referred to as Silk Typhoon (formerly known as Hafnium) was linked to the mass exploitation of Microsoft Exchange Servers through a series of zero-day vulnerabilities. That attack, later dubbed ProxyLogon, impacted thousands of organizations globally and became one of the most significant cybersecurity incidents of that year.

Adding further context to China's cyber activities, earlier in July 2025, a 33-year-old Chinese national named Xu Zewei was arrested in Italy. He was charged with conducting cyber attacks against U.S. organizations and government agencies, specifically using the same Exchange Server vulnerabilities exploited during the ProxyLogon incident.

Outlook and Ongoing Threat

Microsoft’s assessment of the current situation is blunt: attackers will likely continue to exploit these SharePoint vulnerabilities, especially against unpatched on-premises systems. Organizations that have not yet applied the latest updates or taken other necessary security steps are at significant risk of compromise.

As SharePoint remains a widely used platform for internal collaboration, project management, and enterprise content hosting, it presents a highly attractive target for espionage-focused actors. The use of sophisticated tools and techniques—such as encrypted communication, process mimicry, and web shell obfuscation—demonstrates a high level of planning and technical skill.

Security teams must treat this campaign as active and ongoing. The window for easy exploitation remains open for any organization lagging behind on updates or operating without modern security monitoring.

Final Thoughts on Securing SharePoint Environments

This recent campaign highlights a broader trend in cybersecurity: attackers are quick to adapt, reuse, and evolve their methods, especially when targeting widely deployed enterprise platforms like SharePoint. Once a vulnerability becomes public—especially one involving authentication bypass or remote code execution—threat actors begin incorporating it into their playbooks almost immediately.

As always, staying protected is not about reacting to the breach after it happens, but about preventing it altogether. Keeping your infrastructure updated, actively monitoring systems, and deploying layered security controls can significantly reduce your exposure to these sophisticated threats.

For organizations that rely on SharePoint for day-to-day operations, now is the time to act. Apply the latest patches, confirm your security configurations, and work with your IT and cybersecurity teams to close any remaining gaps.

Cybersecurity is not a one-time fix—it’s a continuous process of awareness, assessment, and action.
