Microsoft issues urgent alert over active cyberattacks targeting SharePoint servers

Microsoft has sounded the alarm on a series of active cyberattacks exploiting critical vulnerabilities in its SharePoint Server software, widely used by businesses, government agencies, and organizations worldwide.
The tech giant is urging immediate action to apply security patches to prevent data breaches, spoofing attacks, and potential system compromises. The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) are actively monitoring the situation, with the Department of Defense Cyber Defense Command assisting in response efforts.
In a security advisory issued on Monday, Microsoft confirmed that the attacks target on-premises SharePoint Server 2016 and 2019 installations, sparing SharePoint Online, the cloud-based version integrated into Microsoft 365. The attacks exploit a previously undisclosed zero-day vulnerability, allowing attackers to bypass security measures and gain unauthorized access to sensitive systems. According to The Washington Post, which broke the story, the campaign is sophisticated and widespread, potentially affecting tens of thousands of servers globally.
The core vulnerability enables spoofing attacks over networks, where attackers can impersonate trusted users or entities to manipulate communications, steal sensitive data, or infiltrate secure systems. Cybersecurity experts warn that this flaw could allow attackers to move laterally across networks, escalating access to critical infrastructure or proprietary information. “This is a serious threat,” said Dr. Emily Carter, a cybersecurity analyst at the Center for Cyber Defense Studies. “The ability to spoof identities makes this vulnerability particularly dangerous, as it can undermine trust in internal systems.”
While Microsoft has not disclosed the exact number of affected organizations, industry estimates suggest that hundreds of thousands of SharePoint servers are deployed globally, with a significant portion running vulnerable versions. The attack’s scope has raised alarms, particularly for government agencies, financial institutions, and healthcare organizations, which rely heavily on SharePoint for document management and collaboration.
Preliminary reports indicate that the campaign may involve state-sponsored actors, given the sophistication of the zero-day exploit and the targeting of high-value systems. “This bears the hallmarks of advanced persistent threats (APTs), often linked to nation-state groups,” said Mark Reynolds, a former NSA cybersecurity specialist. “The focus on enterprise-grade software like SharePoint suggests a strategic effort to compromise critical infrastructure.”
Microsoft is working closely with CISA, the FBI, and the Department of Defense Cyber Defense Command to address the threat. “We’ve been coordinating with federal and private-sector partners globally to contain this incident,” a Microsoft spokesperson said. “Security updates are available, and we strongly urge customers to apply them immediately.”
For organizations unable to deploy patches promptly, Microsoft recommends temporarily disconnecting vulnerable servers from the internet to reduce exposure. The company has also provided interim mitigation steps, including enabling enhanced malware protection and restricting network access to SharePoint servers. Patches for SharePoint Server 2016 and 2019 are being rolled out, with Microsoft warning that unpatched systems remain at high risk.
This incident is the latest in a string of high-profile cyberattacks targeting enterprise software. In 2024 alone, vulnerabilities in widely used platforms led to significant breaches, including the SolarWinds hack anniversary attacks and exploits targeting Microsoft Exchange Server. Experts attribute the rise in such incidents to the growing sophistication of foreign-backed hacking groups and the increasing reliance on interconnected IT systems.
CISA Director Laura Simmons emphasized the need for vigilance: “Organizations must prioritize timely patching and adopt a proactive cybersecurity posture. Zero-day exploits like this one highlight the evolving threat landscape.”
Microsoft has issued urgent guidance for SharePoint Server users to protect against ongoing cyberattacks, urging organizations to apply security updates immediately for SharePoint Server 2016 and 2019. Users are advised to review Microsoft’s security advisory for detailed mitigation strategies, closely monitor network activity for signs of unauthorized access or spoofing attempts, implement multi-factor authentication (MFA), and restrict server access to trusted users. Additionally, organizations should engage cybersecurity experts to assess and strengthen network defenses to mitigate risks and safeguard sensitive systems. Organizations are also encouraged to consult CISA’s Known Exploited Vulnerabilities Catalog for additional guidance on protecting against active threats.
As cyber threats continue to evolve, experts stress the importance of regular software updates, employee training, and robust incident response plans. The SharePoint attacks underscore the risks of relying on outdated or unpatched systems, particularly for organizations handling sensitive data.
“This is a wake-up call for enterprises still running on-premises infrastructure,” said Dr. Carter. “The cost of inaction could be catastrophic, from data loss to reputational damage.”
For more information, organizations should visit Microsoft’s official security advisory at microsoft.com/security or contact CISA for support at cisa.gov/report. The FBI has also set up a dedicated hotline for reporting related incidents. (ILKHA)