Microsoft SharePoint hack: An active cybersecurity incident could impact tens of thousands of servers

Jul 21, 2025 - 17:34

On July 19, Microsoft alerted users that it was experiencing an active cyberattack on its SharePoint servers, which allow organizations to share and manage documents.

According to The Washington Post, the attack—which is still ongoing—has likely put “tens of thousands” of servers at risk, including several hosted by federal agencies, universities, and energy companies, which have reportedly already been breached.

According to a blog post from Microsoft, the hack only affects on-premises SharePoint Server installations that an organization runs itself, not SharePoint Online in Microsoft 365, which is hosted by Microsoft.

For Microsoft, this latest incident comes after a series of other security concerns in recent years. In January 2024, the tech giant reported that hackers backed by Russia had broken into its systems and later stolen some of the company’s source code, and the following April a federal review board found that Microsoft was at fault for security flaws that led to a Chinese hack of U.S. government officials’ emails.

Here’s what to know about this latest hack:

What’s happened?

The Netherlands-based research company Eye Security was the first to identify what it called “large-scale exploitation of a new SharePoint remote-code execution (RCE) vulnerability chain in the wild” on the evening of July 18.

The hack is what’s known as a “zero-day attack”: it exploited a flaw that Microsoft did not yet know about, so no patch existed when the attacks began and affected organizations had no fix to apply.

Eye Security’s report found “dozens of systems actively compromised” across two waves of attack on July 18 and July 19. Per the firm’s findings, the vulnerability chain lets an attacker with no login credentials run code on the server, steal its private cryptographic keys (the ASP.NET machine keys SharePoint uses to sign and encrypt the state it exchanges with browsers), remotely plant malware, and read whatever files and data the server holds. A stolen machine key stays valid until it is replaced, which is why installing the patch alone does not lock out an attacker who already has it.

Further, Eye Security warned, because SharePoint connects with other apps like Outlook and Teams, “a breach can quickly lead to data theft, password harvesting, and lateral movement across the network.”

Both the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have confirmed that they’re actively working to assess the hack. The party (or parties) responsible is still unknown.

Who has been impacted so far?

According to a blog post from CISA on July 20, the scope of the hack is unclear so far. However, several private researchers informed The Washington Post that the impact could be widespread. 

Pete Renals, a senior manager with the cybersecurity research firm Unit 42, told the publication, “We are seeing attempts to exploit thousands of SharePoint servers globally before a patch is available. We have identified dozens of compromised organizations spanning both commercial and government sectors.”

Multiple anonymous researchers claimed that at least two U.S. federal agencies have seen their servers breached. Further, Randy Rose, the vice president of the nonprofit Center for Internet Security, shared that the organization notified about 100 organizations—including public schools and universities—that they were vulnerable and potentially compromised.

“Anybody who’s got a hosted SharePoint server has got a problem,” Adam Meyers, senior vice president with the cybersecurity firm CrowdStrike, told The Washington Post. “It’s a significant vulnerability.”

What is Microsoft doing about this?

After its initial announcement of the hack on July 19, Microsoft followed up on July 20 with several updates. The company rolled out emergency patches for SharePoint Server Subscription Edition and SharePoint Server 2019, which are available for download now.

As of this writing, a patch for SharePoint Server 2016, the other supported on-premises version, is still in development.

What should I do if my organization hosts a SharePoint server?

In an email to TechCrunch, Michael Sikorski, the head of Unit 42, advised that any organization with SharePoint on-premise “should assume that you have been compromised at this point.” 

To mitigate potential attacks, Microsoft suggests the following steps:

  1. Use supported versions of on-premises SharePoint Server
  2. Apply the latest security updates, including the July 2025 Security Update
  3. Ensure the Antimalware Scan Interface (AMSI) is turned on and configured correctly, with an appropriate antivirus solution such as Defender Antivirus
  4. Deploy Microsoft Defender for Endpoint protection, or equivalent threat solutions
  5. Rotate SharePoint Server ASP.NET machine keys
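The following script is an added example of how steps 2 through 5 can be checked and carried out from the SharePoint Management Shell; it is not code from the article or from Microsoft’s advisory. It assumes the SharePoint cmdlets Get-SPFarm, Get-SPWebApplication and Update-SPMachineKey and the Defender cmdlet Get-MpComputerStatus are available on the server, and it deliberately does not hard-code patched build numbers, which the article does not give.

```powershell
# Added example: post-patch checks and machine-key rotation for an on-premises
# SharePoint farm. Not from the article or Microsoft's advisory. Assumes the
# SharePoint PowerShell snap-in and Defender Antivirus cmdlets are present.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# Step 2: record the installed farm build so it can be compared by hand with the
# build listed for the July 2025 Security Update (numbers intentionally omitted).
$farm = Get-SPFarm
"SharePoint farm build: $($farm.BuildVersion)"

# Steps 3 and 4: AMSI only helps if an engine is registered to scan what it is
# handed, so confirm Defender Antivirus and real-time protection are running.
$mp = Get-MpComputerStatus
if (-not $mp.AntivirusEnabled -or -not $mp.RealTimeProtectionEnabled) {
    Write-Warning "Defender Antivirus or real-time protection is off; AMSI has no engine to scan with."
}

# Step 5: rotate the ASP.NET machine keys for every web application, including
# Central Administration. A key copied by an attacker remains valid until it is
# replaced, so do this even after the patch is installed.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    "Rotating machine keys for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# Restart IIS so the worker processes load the new keys.
iisreset.exe
```

Run it with farm-administrator rights; the key rotation is a farm-wide change, but the IIS restart must be repeated on every SharePoint server in the farm. The SharePoint-side AMSI integration itself is a per-web-application setting, and the Microsoft blog post linked above describes where to confirm it is enabled.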

Microsoft’s blog post provides detailed instructions on how to follow each of these directives. When reached for additional comment on the hack, Microsoft directed Fast Company back to the blog.
