Microsoft Probes Leak in Early Alert System as Chinese Hackers Exploit SharePoint Vulnerabilities
Microsoft Corp. is investigating whether a leak from its Microsoft Active Protections Program (MAPP) enabled Chinese state-sponsored hackers to exploit critical SharePoint vulnerabilities before patches were fully deployed, according to sources familiar with the matter.
The investigation comes as cyber espionage attacks have compromised more than 400 organizations worldwide, including the U.S. National Nuclear Security Administration.
The timing of the attacks has raised significant red flags among cybersecurity experts. Vietnamese researcher Dinh Ho Anh Khoa first demonstrated the SharePoint vulnerabilities in May at the Pwn2Own hacking contest in Berlin, earning $100,000 for his discovery.
Microsoft issued initial patches in July, but MAPP partners were notified of the vulnerabilities on June 24, July 3, and July 7.
Crucially, Microsoft first observed exploit attempts on July 7 – the same day as the final MAPP notification wave. “The likeliest scenario is that someone in the MAPP program used that information to create the exploits,” said Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative, whose company is a MAPP member.
The attack chain, dubbed “ToolShell” by researchers, lets attackers bypass SharePoint’s authentication controls and execute malicious code on the server. What makes it particularly dangerous is that attackers can steal the server’s ASP.NET machine keys (the ValidationKey and DecryptionKey used to sign and encrypt ViewState). With those keys they can forge requests the server trusts and keep access even after the underlying bugs are patched, so remediation has to include rotating the keys, not just installing the update.
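Because the stolen keys survive the patch, the practical follow-up on an on-premises farm is to rotate every web application’s machine keys and recycle IIS once the update is installed. The snippet below is an added example for this article, not code from Microsoft or the researchers; it assumes a SharePoint Server version that ships the Update-SPMachineKey cmdlet (confirm with Get-Command and Get-Help on the installed build, since older versions lack it) and a shell running with farm-administrator rights.

```powershell
# Added example (not from the article): rotate SharePoint's ASP.NET machine keys
# after patching, because keys stolen via ToolShell remain valid otherwise.
# Assumptions: on-premises SharePoint Server farm, a build that provides
# Update-SPMachineKey, and a session with farm-administrator rights.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# Include Central Administration so its keys are rotated as well.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    # Generates fresh ValidationKey/DecryptionKey values for this web
    # application and pushes them to the farm's web servers. Check Get-Help
    # Update-SPMachineKey on your build to confirm it both generates and deploys.
    Update-SPMachineKey -WebApplication $webApp
}

# Recycle IIS so every worker process drops the old keys; run this on each
# front-end server in the farm, not only on the one where the script ran.
iisreset.exe
```

Run this only after the security update (or the equivalent mitigation) is in place; rotating keys on an unpatched server just hands the attacker a new set to steal. Treat any host where the keys were exposed as compromised and review it for web shells and persistence before trusting it again.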
Widespread Global Impact
The cyberattack campaign has affected organizations across multiple sectors, with Microsoft attributing the breaches to three Chinese hacking groups: Linen Typhoon, Violet Typhoon, and Storm-2603.
The National Nuclear Security Administration, responsible for designing and maintaining America’s nuclear weapons stockpile, was among the high-profile victims, though officials say no classified information was compromised.
“On Friday, July 18th, the exploitation of a Microsoft SharePoint zero-day vulnerability began affecting the Department of Energy, including the NNSA,” a Department of Energy spokesperson confirmed. The agency said it was “minimally impacted” due to its widespread use of Microsoft’s cloud services.
Eye Security, the cybersecurity firm that first detected the attacks, reported more than 400 systems actively compromised across four confirmed waves of exploitation. Victims span government agencies, educational institutions, energy companies, and private corporations from North America to Europe and Asia.
This wouldn’t be the first time the MAPP program has been compromised. In 2012, Microsoft expelled Chinese firm Hangzhou DPtech Technologies Co. for violating its non-disclosure agreement after the company leaked proof-of-concept code for a Windows vulnerability. More recently, Qihoo 360 Technology Co. was removed from the program after being placed on the U.S. Entity List.
At least a dozen Chinese companies currently participate in the 17-year-old MAPP program, which provides cybersecurity vendors with advance notice of vulnerabilities – typically 24 hours before public disclosure, with some trusted partners receiving information up to five days earlier, according to Bloomberg.
“As part of our standard process, we’ll review this incident, find areas to improve, and apply those improvements broadly,” a Microsoft spokesperson said, emphasizing that partner programs remain “an important part of the company’s security response.”
The Chinese Embassy in Washington has denied involvement, with Foreign Ministry spokesman Guo Jiakun stating that “China opposes and fights hacking activities in accordance with the law” while opposing “smears and attacks against China under the excuse of cybersecurity issues.”
The investigation highlights the delicate balance Microsoft faces in sharing vulnerability information with security partners while preventing malicious actors from exploiting advanced knowledge to accelerate attacks. Any confirmed leak would deal a significant blow to the MAPP program’s credibility and effectiveness.
As the probe continues, cybersecurity experts warn that the rapid weaponization of these vulnerabilities – from discovery to mass exploitation in just over two months – demonstrates the evolving sophistication and speed of modern cyber threats.