
Global hack on Microsoft Sharepoint hits U.S., state agencies, researchers say

poemxo

We need more Red Hat and less Microsoft in the on-prem enterprise business. These exploitable vulnerabilities are unacceptable when your customers are the likes of DoD.

No one considers Google anything less than an impenetrable fortress, but when it's some government entity responsible for keeping American lives safe it's like "ah yeah they probably have a vulnerable on-prem Sharepoint that could easily be pwned."

So why is this? Why do Microsoft products enjoy a monopoly on the server in these sectors when more secure (Linux-based) options are far cheaper and widely deployed already? Isn't security the number one priority in those spaces?

charles_f

> CISA advises vulnerable organizations [...] to disconnect affected products from the public-facing Internet until an official patch is available.

It's interesting to me that you'd go to the hassle of hosting your own SharePoint on prem, but leave it internet facing. I would have assumed the Venn diagram of these organizations to be entirely contained in orgs forcing you to use a VPN.

jauntywundrkind

Oh CISA...

What a pity that CISA has been purged of effective, useful people and turned into another sad selected-for-political-compliance-only force.

Arizona recently got attacked from Iranian hackers & didn't even bother trying to get help from CISA. https://archive.is/2025.07.19-143305/https://www.azcentral.c...

CISA is so so vital. Investigating incredibly wide ranging attacks like this, or the Salt Typhoon attack are vital for this nation. But the show is being run by a bunch of people who value political dogma far above anything else. https://www.techdirt.com/tag/cisa/

Arainach

Best practice is to assume the network is compromised - a VPN doesn't provide as much guarantee as people would like. In large fleets, devices are regularly lost, damaged, retired, etc. In organizations with high target value, physical penetration through any number of means should be assumed.

So you don't do that. You use zero trust and don't care that things are exposed to the internet.

Working from anywhere (remote sites, home, your phone) is a huge benefit. Organizations want to control their data entirely while still wanting their organization to be able to access it.

this_steve_j

Microsoft’s version of “Zero Trust” doesn’t care if things are reachable from the public internet. They have been preaching “identity is the new perimeter” [1] for years, and it doesn’t wash.

The NIST Zero Trust Architecture (ZTA) implementation guides (SP 1800-35) [2] cut through the nonsense and AI generated marketing smoke.

In ZTA, ALL network locations are untrusted. Network connections are created by a Policy Engine that creates and tears down tunnels to each resource dynamically using attribute-based-access-controls (ABAC). Per request.

Microsoft doesn’t have any products that can do full ZTA, so several pillars are missing from their “Zero Trust” marketing materials.

[1] https://www.microsoft.com/insidetrack/blog/securing-the-bord...

[2] https://doi.org/10.6028/NIST.SP.1800-35

anonymars

Maybe I'm missing something but doesn't this very story cut your assertion off at the knees?

With a VPN the attack surface of this vulnerability would have been miniscule compared to a publicly accessible zero-day RCE

(And it's not like you have to allow carte-blanche access behind the wall)

Defense in depth!

zamadatix

In zero trust "exposed to the internet" is a bit of a misnomer compared to how traditional security would use the term. A better description might be "you're allowed to form a session to it from over the internet but only after your identity and set of rights have been verified". From this view: "zero trust" < "vpn" < "wide open" (in terms of exposure).

michaelt

Arainach is advocating for something called "Zero Trust" which, from a user's perspective, is very much like a VPN.

It's software your employer pre-installs on your work PC, that asks you to log in with your work SSO credentials, performs some endpoint security checks, then routes your traffic over a virtual network adapter, and thereby allows you to access workplace resources, even when working from home.

The main difference is it adds some semi-authenticated states. Correct device, username, password, and 2FA, but failed a device posture check because they plugged their phone into their laptop to charge it? The 'Zero Trust' system can block some systems, while letting them retain access to others.

The other big difference is the pricing - rather than paying a five-figure sum upfront for networking hardware, you instead pay $25 per employee per month, forever.
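The per-request, attribute-based decision that this_steve_j describes (a Policy Engine evaluating each request against identity, device and resource attributes, with network location never sufficient on its own) and the "semi-authenticated" state michaelt mentions (correct identity and MFA but a failed device posture check, so some resources stay reachable while others are blocked) can be sketched in a few dozen lines. This is an added illustration, not code from the original thread, from NIST SP 1800-35 or from any vendor product; the attribute names, sensitivity labels, group names and the rule ordering are invented for the example.

```python
"""Minimal ABAC policy decision point (PDP) plus an enforcement point (PEP).
Every request is evaluated afresh; an earlier allow never becomes a standing
session, and the source network is recorded but never trusted by itself.
All attribute names and rules here are hypothetical, chosen for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset
    mfa_verified: bool          # identity assurance for this request


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool               # known in inventory / MDM-enrolled
    posture_ok: bool            # passed posture checks (patch level, disk encryption, ...)


@dataclass(frozen=True)
class Resource:
    name: str
    sensitivity: str            # "public" | "internal" | "restricted" (hypothetical labels)
    required_groups: frozenset = frozenset()


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


SENSITIVITY_RANK = {"public": 0, "internal": 1, "restricted": 2}


def decide(subject: Subject, device: Device, resource: Resource, src_network: str) -> Decision:
    """Evaluate one request. Rules are checked in order; the first failing rule denies."""
    # Rule 0: unknown label -> fail closed.
    if resource.sensitivity not in SENSITIVITY_RANK:
        return Decision(False, f"unknown sensitivity {resource.sensitivity!r}")
    rank = SENSITIVITY_RANK[resource.sensitivity]
    if rank == 0:
        return Decision(True, "public resource")
    # Rule 1: verified identity with MFA for anything non-public, whatever the network.
    if not subject.mfa_verified:
        return Decision(False, f"MFA required (src_network={src_network!r} grants nothing)")
    # Rule 2: entitlement by group membership.
    missing = resource.required_groups - subject.groups
    if missing:
        return Decision(False, f"missing groups {sorted(missing)}")
    # Rule 3: device identity; an unknown device gets nothing beyond public.
    if not device.managed:
        return Decision(False, "unmanaged device")
    # Rule 4: posture gates only the restricted tier. This is the semi-authenticated
    # state: a managed device that failed posture keeps internal access, loses restricted.
    if rank == 2 and not device.posture_ok:
        return Decision(False, "device posture failed; restricted resource denied")
    return Decision(True, f"granted {resource.sensitivity} (posture_ok={device.posture_ok})")


class PolicyEnforcementPoint:
    """Sits in front of a resource and asks the PDP on every request; keeps an audit trail."""

    def __init__(self) -> None:
        self.audit = []

    def request(self, subject: Subject, device: Device, resource: Resource, src_network: str) -> Decision:
        d = decide(subject, device, resource, src_network)
        self.audit.append((subject.user, device.device_id, resource.name, src_network, d.allow, d.reason))
        return d


def run_scenarios():
    """Constructed sample principals and resources (not real data) run through the PEP."""
    alice = Subject("alice", frozenset({"staff", "finance"}), mfa_verified=True)
    alice_no_mfa = Subject("alice", alice.groups, mfa_verified=False)
    laptop_ok = Device("lt-001", managed=True, posture_ok=True)
    laptop_bad = Device("lt-001", managed=True, posture_ok=False)
    byod = Device("phone-unknown", managed=False, posture_ok=True)
    wiki = Resource("intranet-wiki", "internal", frozenset({"staff"}))
    ledger = Resource("finance-ledger", "restricted", frozenset({"finance"}))

    pep = PolicyEnforcementPoint()
    results = {
        "good_device_ledger_from_internet": pep.request(alice, laptop_ok, ledger, "internet").allow,
        "bad_posture_wiki_from_home": pep.request(alice, laptop_bad, wiki, "home").allow,
        "bad_posture_ledger_from_home": pep.request(alice, laptop_bad, ledger, "home").allow,
        "byod_wiki_from_corp_lan": pep.request(alice, byod, wiki, "corp").allow,
        "no_mfa_wiki_from_corp_lan": pep.request(alice_no_mfa, laptop_ok, wiki, "corp").allow,
    }
    return results, pep.audit


if __name__ == "__main__":
    res, audit = run_scenarios()
    for name, allowed in res.items():
        print(f"{name:36s} {'ALLOW' if allowed else 'DENY'}")
    for entry in audit:
        print(entry)
```

The point the scenarios make: a fully compliant device reaching the restricted ledger from the open internet is allowed, while the same user on the corporate LAN is denied on an unmanaged phone or without MFA, and a managed laptop that failed posture keeps the wiki but loses the ledger. Exposure to the internet is therefore not the variable the policy keys on; identity, device and resource attributes are.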

p_ing

Hosting internal services be they SharePoint or Exchange behind a [pre-auth] reverse proxy isn't that unusual.

cptskippy

> It's interesting to me that you'd go the hassle of hosting your own SharePoint on prem, but leave it internet facing.

Once upon a time Microsoft marketed it as, and a lot of orgs adopted SharePoint as, their intranet. With SharePoint 2019 being sunset, a lot of orgs are scrambling to implement replacements.

vultour

How did Principal Engineer Copilot not prevent this?!

dylan604

This vuln might have existed before Copilot received that title bump. It could have been introduced while Copilot was just an intern

amelius

Because the hackers used Copilot too, and one side has to win ... (?)

ThinkBeat

I have spent far too much of my life on SharePoint. Having it internet facing has never been a good idea. Not really what it is meant for, though the promo verbiage on that has changed over different versions.

Some folks wanted SharePoint as their "web server"; I would set that installation up entirely separated from all other instances they may have on the network.

miffy900

Actually it wasn't too long ago, in the early 2010s, that Microsoft was promoting SharePoint for internet sites; I think at one point some European car manufacturer (BMW? Ferrari?) had their global marketing site on SharePoint. Of course that didn't last long, as Microsoft licensed it at a crazy price ($40k per site or something like that).

010101010101

I worked on a couple of public-facing SharePoint 2010 sites for large, well-known companies before, while it was in RC and immediately after. MS had a big marketing push to get people to build more than intranet portals on it at the time. It seems like that died off entirely once Office 365 came around, and it was never a good idea in the first place, but it was definitely a thing.

frollogaston

I've only interacted with SharePoint briefly one time years ago, thought public web hosting was the entire purpose.

bodhi_mind

My real-time security alert feed picked this up before the major news outlets:

https://zerodaypublishing.com/feed

dotty-

that's cool, do you support an RSS feed?

bodhi_mind

Not yet, but I’m planning to roll one out later this week! Are you in cybersecurity or just tracking vulnerabilities for fun/work?

pyuser583

I've heard many Pentagon employees claim that if someone wanted to take out the US military, all they'd have to do is kill Sharepoint.

It's the go-to warm-up joke whenever someone in the military gives a speech.

firesteelrain

We had a lot of SharePoint back in the day

shrubble

Wasn’t Microsoft just recently using Chinese people living in China to administer DOD servers? I would guess they use Sharepoint inside the DOD?

p_ing

There is a DoD version of M365 which has SPO, but that isn't what the article is discussing.

theteapot

Says this in the article:

> A programming flaw in its cloud services also allowed China-backed hackers to steal email from federal officials. On Friday, Microsoft said it would stop using China-based engineers to support Defense Department cloud-computing programs after a report by investigative outlet ProPublica revealed the practice, prompting Defense Secretary Pete Hegseth to order a review of Pentagon cloud deals.

sega_sai

It is instructive that we are seeing the results of DOGE's work:

"The process took six hours Saturday night — much longer than it otherwise would have, because the threat-intelligence and incident-response teams have been cut by 65 percent as CISA slashed funding, Rose said."

ToucanLoucan

I'm not sure which part pisses me off more: that tons of professionals lost their jobs and will likely not work in public service again because of it, or that through all that, they barely found any actual waste at all. A fucking farce.

azemetre

You're assuming their purpose was to find waste, it was not. Their purpose was to be the Chicago boys in DC.

caconym_

Seems like generally it ended up being a surveillance play, in practice if not original intent. For example, Dog coin has been reported to be passing data taken from other agencies directly to ICE^[1] for law enforcement applications, and there was that other matter of logins apparently from Russia using accounts the Dog coin personnel demanded agencies create on their internal systems with (auditable) logging disabled^[2]. And probably more that I'm forgetting.

One does wonder whether this was all part of Musk's vision, or more thanks to the scum he hired to staff Dog coin and/or other lawless opportunists in the Trump administration.

[1] https://www.washingtonpost.com/immigration/2025/04/16/medica...

[2] https://www.reuters.com/technology/cybersecurity/whistleblow...

righthand

The first obvious sign was that the people not holding office or having any access to government data were making unfounded claims about how the government was operating.

vkou

The more obvious sign is that the people making that claim have a proven track record of being compulsive liars.

That anyone gives a word they say the time of day is actually crazy.

tempnew

How about the fact that Elon and most of his cronies weren’t even born here and seem to feel that the people who were born here are stupid and/or lazy. Maybe only Vivek said that quiet part out loud, but they very much agreed on the solution.

to11mtm

This is what happens when Chesterton's fence is ignored...

tough

not just ignored but purposefully burnt down

nine_zeros

I'll tell you what pisses me off: Having to be subjected to low security services because one political party wants to run a reality TV show instead of caring for people. The consequences are all for us to bear.

tombert

At the risk of massive downvotes, I have to admit that a small part of me wants this so that maybe corporations stop using Sharepoint as soon as possible.

Seriously, I haven't used it since 2017, but every time I used it then it was the worst part of my day. I used to have a shirt that said SHarepoIT Happens that I would wear to work, and it seemed like the one thing I could get my coworkers to agree on was that SharePoint is terrible and we'd rather use anything else.

kuhsaft

It’s impossible to stop using M365 while stopping usage of SharePoint (cloud or on-premises). See https://news.ycombinator.com/item?id=44640219

Here’s just one example:

Each M365 Teams Team creates an M365 Group which creates a SharePoint site and Exchange mailbox. Teams channel files are stored in that SharePoint site. Teams channel messages are stored in the Exchange mailbox.

Private files dropped in Teams are stored in OneDrive (rebranded SharePoint). Private Teams messages are stored in the sender and recipients’ Exchange mailboxes.

M365 is SharePoint and Exchange. EVERYTHING is built on top.

EDIT: changed ‘individual’ to ‘sender and recipients’

mschuster91

> Private Teams messages are stored in individual Exchange mailboxes.

Good lord. It truly is a layer of dung layered upon more layers of dung.

tacker2000

To be fair, Exchange works quite well for mail and calendar; it syncs very fast, is easy to set up and the cloud version is easy to administer (I never had to admin an on-prem Exchange but I've heard it's not fun).

Using this infra for Teams makes sense since it already works well. As one poster said, it's probably via some hidden folder.

I wonder what they did with Skype: did they actually integrate any of it into Teams or just dump it entirely?

bilekas

I know it's popular to dump on Microsoft and there are some valid reasons, this is not one of them.

There are so many companies and businesses that rely on offline data, or siloed data, that will be tied through their AD/LDAP account permissions. M365, Teams included, is such a better option than hand-rolling all of them and praying you configured every service correctly.

anonymars

I don't think this is nearly as crazy as you may think at first glance

Imagine if it was just a hidden (special) folder in an Exchange mailbox.

Voila, you already have a well-known and widely implemented and tested message syncing solution both for content and status (read/unread)

I assume Windows Phone worked the same way with its text message backup. When you'd set up a new phone it would take a while for your Microsoft account to finish syncing during which new messages would trickle into the Messaging app in real time. In fact if your old phone was still on WiFi new messages would show up on both. Still more advanced 15(?!) years ago than my Android today

eitland

At some point Microsoft tried to sell some automatic DRM system based on SharePoint to some company that I worked for.

The sales pitch was that they could upload documents to SharePoint and when people downloaded the documents SharePoint would automatically apply DRM so the documents could only be opened by that person on authorised machines for a specified number of days.

Well, it turned out depending on how you logged in (using the same account, just different login forms) on the SharePoint server it would either give you the files with DRM applied - or the completely unrestricted files.

We got some senior Microsoft consultant working directly for Microsoft to look at it but in the end they were just as confused as us.

rs186

My company has SharePoint and another internal site for documents/notes (think about Notion/Quip/Confluence). The other site works quite well, and most developers write all their notes/docs on it. But some people just insist on uploading Word documents to SharePoint. So now everybody else has to use SharePoint as well, plus search twice whenever they need to find something.

neuroelectron

My boss spent over a year trying to get me to setup Sharepoint. About 6 months into this, I finally looked into it and what it provided and said no. Eventually he hired a second tech and he set it up "in an afternoon." Good for him. Nobody ever used it. He also stole my high speed USB drive.

threetonesun

While Sharepoint might some day die, it will only be replaced by another piece of software that gets launched for nobody to ever use.

rocqua

SharePoint is like exchange. It will likely never die, instead becoming a hidden layer that has been papered over 100 times.

dylan604

Clearly Sharepoint is being used. Otherwise, this would not be a news story. So if every single Sharepoint user switched to another piece of software, it would be more than nobody using it.

persolb

As a mid-size company that does work with government agencies, it’s near impossible to use any ‘better’ solution. Cybersecurity requirements are getting so onerous that SharePoint is too commercially feasible of an option to use anything else for a shared file store between organizations.

The fact that Sharepoint sucks* doesn’t matter… because anything else is seen as a risk.

* folders with lots of files are hard to scroll through because each page is lazy loaded, the automation functions are buggy, logins between different M365 tenants breaks and is not correctable by a normal site admin, human readable URL paths aren’t standard, search is shit, tables/filters are buggy, the new interface hides a bunch of the permissions logic, some things like permission groups need to be managed via outlook, etc etc. I’m sure a bunch of my gripes are technically fixable, but these aren’t things that should need a web search in order to use/fix.

kuhsaft

It’s not cybersecurity. It’s legal, trust me. For large corporations, eDiscovery is huge. Failing eDiscovery can cost a company millions. Having a bunch of different data sources makes it impossible, so companies stick with M365 as corporate policy and call it a day.

sureglymop

SharePoint is garbage. Even nextcloud is way better and it doesn't exactly have the best reputation. It can't possibly be that hard can it...

jdiez17

I have never used SharePoint but I honestly cannot imagine it being worse than Nextcloud + Collabora Office. Which I do use almost every day.

jasonvorhe

You have no idea how good you have it.

cm2187

And SharePoint in large organisations I have been at recently is now using OAuth, which breaks Microsoft's own SharePoint client API. That whole software is one massive waste of time and budget.

delfinom

Good news.

Teams is actually SharePoint.

It ain't going anywhere

galangalalgol

My company was using slack and mattermost and consolidated to teams... It is so bad.

1970-01-01

It's not right to victim blame but it's also not wrong. Akin to investing lots of money in a stock. If you took the risks of maintaining a public SharePoint server in 2025, here's your very bad day.

jasonvorhe

It's perfectly fine to victim blame corporations that keep kneecapping themselves. That's a hill I'm willing to die on.

CommenterPerson

Wondering if this was a self goal to, you know, get people to use this enshittified product on the cloud?

Jtsummers

There are basically two things at play here:

MS's hosted version of SharePoint. It's apparently unimpacted by this current round of attacks. DOD (since it's been brought up by other commenters) makes significant use of this.

People hosting SharePoint instances themselves. Some on-prem, some with rented computers. These are the impacted ones. It's not about "the cloud", it's about hosted SharePoint having weaknesses that were exploited and many organizations apparently leaving their SharePoint instances accessible over the open internet. These hosted instances are also probably old and unpatched which doesn't help things. Some (many?) units within DOD make use of this, but definitely not all.

fakedang

Tinfoil theory, but what if Microsoft secretly sponsored the attack so that users ditch onprem in favour of the hosted cloud version? Microsoft is in the best position to know of their own software's shortcomings and would have just needed to pay the right folks to do the dirty job.

Jtsummers

"Our product is remarkably insecure, let's convince everyone of this by sponsoring an attack so they go and buy our other product."

I mean, there are definitely stupid people everywhere, but I'd hope MS leadership isn't that stupid.
