A major cyberattack is impacting dozens of US government agencies and businesses using on-premises Microsoft SharePoint servers.

US government agencies and private businesses are facing a significant cyber threat following an unprecedented global attack on Microsoft servers.

Authorities are investigating after thousands of SharePoint servers were compromised recently, as reported by The Washington Post. Users are being advised to either disconnect their servers or modify SharePoint programs to enhance protection.

SharePoint is widely used for sharing and managing documents. According to the report, affected systems remain vulnerable because Microsoft has not yet fully addressed the underlying flaw.

Attack on America's Data

'Microsoft has provided security updates and encourages customers to install them,' a spokesman said. 'We've been coordinating closely with CISA, DOD Cyber Defence Command, and key cybersecurity partners around the world throughout our response.'

The attack does not affect cloud-hosted services such as Microsoft 365; only on-premises systems run within an organisation's own infrastructure are affected.

Researchers informed The Washington Post that at least two federal agencies have been compromised, though no additional information was provided.

This breach is categorised as a 'zero-day' attack because it exploits a vulnerability that was previously unknown and unpatched.

'We are seeing attempts to exploit thousands of SharePoint servers globally before a patch is available,' Pete Renals, a senior manager with Palo Alto Networks' Unit 42, told The Washington Post.

'We have identified dozens of compromised organisations spanning both commercial and government sectors.'

Microsoft's Patchwork Problem

The US government is investigating this hack in conjunction with officials from Australia and Canada. The identity of those responsible remains unknown. Since the compromised servers frequently link to critical services like Outlook email and Teams, there are concerns that sensitive data and passwords may have been acquired.

Microsoft, led by Satya Nadella, revealed that the attackers exploited a variant of a vulnerability the company had already patched earlier this month.

'Microsoft is aware of active attacks targeting on-premises SharePoint Server customers exploiting a variant of CVE-2025-49706, which was addressed in July's Update Tuesday,' an alert to users on Saturday read.

'This vulnerability has been assigned CVE-2025-53770. This vulnerability applies to on-premises SharePoint Servers only. SharePoint Online in Microsoft 365 is not impacted.

'A patch has been made available to mitigate CVE-2025-53770 in SharePoint Subscription Edition, which customers should apply immediately.'

Who's Behind the Breach?

Netherlands-based company Eye Security told The Washington Post that the attackers may have obtained the servers' keys, which would allow them to regain access even after a protective software update, known as a patch, has been applied.

The Cybersecurity and Infrastructure Security Agency (CISA) has confirmed its collaboration with Microsoft on the issue. Chris Butera, acting executive assistant director for cybersecurity at CISA, stated: 'CISA was made aware of the exploitation by a trusted partner and we reached out to Microsoft immediately to take action.

'Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations. CISA encourages all organisations with on-premise Microsoft SharePoint servers to take immediate recommended action.'

A History of Hacks

This incident marks the latest in a series of security setbacks for Microsoft. In 2023, the company faced intense criticism for shortcomings that enabled a Chinese hacking group to compromise government emails, including those belonging to then-Commerce Secretary Gina Raimondo.

Separately, a 2024 cyberattack involving SharePoint data resulted in the theft of millions of Americans' personal information by hackers targeting a healthcare company.

In that incident, following an attack on HealthEquity, sensitive details, including names, addresses, health histories, and Social Security numbers belonging to 4.3 million users, were obtained by malicious actors.