Global hack on Microsoft Sharepoint hits U.S., state agencies, researchers say
washingtonpost.com
767 points by spenvo 2 days ago
https://archive.ph/Ym2jZ, https://web.archive.org/web/20250721135933/https://www.washi...
https://research.eye.security/sharepoint-under-siege/
https://krebsonsecurity.com/2025/07/microsoft-fix-targets-at...
https://www.bleepingcomputer.com/news/microsoft/microsoft-re...
It’s kind of wild how we end up here over and over: a big government breach, angry headlines, but the tech never seems to change (imo).

If you work in IT, this whole SharePoint story is probably déjà vu. A few real-world points that stood out to me:

- SharePoint (and a lot of other MS stuff) didn’t win because it was bulletproof, just because it was bundled “FREE” and nobody got fired for rolling it out in the 2000s. Once you’re deep into the Microsoft ecosystem, the cost and pain of replacing it is huge!
- Security honestly feels like a service for a lot of giants. When someone asks if it’s the number one priority, the answer from experience is “no.” Cost, compliance, available support, and how easy it is to blame a vendor if things fail tend to matter more.
- When people say Linux would be more secure in these environments, maybe. But if Linux or Red Hat took over everywhere, you can bet it would become the juiciest target immediately. Right now, Windows gets a lot of attention because it’s everywhere. And obviously, attackers like to go where the odds of a big payoff are highest.
- A lot of giants aren’t making decisions based only on security or technical merit. It’s about familiarity, employee training costs, consulting partners, and “safe” bets. If you pick Microsoft and get breached, it’s an industry problem. If you pick something niche and get breached... it’s 100% your fault.
- Resistance to change is real. Swapping out platforms isn’t just a technical lift. Management, end users, even IT staff get pretty set in their ways.

Honestly, unless there’s enough public backlash or a regulation hammer, I don’t see the inertia breaking any time soon. For most companies, “patch and carry on” still beats “burn it all down and start fresh.”

While I agree with you on most points, security is never the number one priority. If it were we'd all destroy our computers, never write anything down, and simply accept the collapse of society. Security is always weighed against many other priorities such as authorised users being able to access data, and ease of use. A unique 128 character password for each document would have high security, but be widely considered unacceptable even in a system handling classified material. Security is not only Confidentiality; Availability is also a part of the triad.

This is the crux of the issue. The CIA triad (confidentiality, integrity and availability) is the root of all security. However, those goals are often self-contradictory. There will always, for example, be a conflict between availability and confidentiality. Ultimate confidentiality might require that the data be stored in an inaccessible bunker with no outside access. Ultimate availability might involve hosting sensitive data on a publicly accessible server with no access controls. In the real world we must always balance these needs carefully, and triage available resources to achieve an "ideal" outcome. This means that security will never, and can never, be a solved problem.

> If it were we'd all destroy our computers, never write anything down, and simply accept the collapse of society.

No, this is the same sort of defeatism that prevents us from making progress on security. We could engineer usable systems where actual security is a priority, and not just security theater. We don't because nobody in a position to change anything actually gives a shit.

You can engineer systems where security is a priority. You can't engineer useful systems where security is the priority.

You’re implying any real system can have a single top priority, which is equally false. There are always multiple priorities, and the one sitting at the top changes based on the context.

> We could engineer usable systems where actual security is a priority,

Security is a priority. But it's not the only priority. It would be difficult engineering even if it was the only priority, but given that there's little point to security for a system you never deploy, it's not likely to ever completely monopolize focus, either for users or implementers.

At this point I don't think security is a priority at all for companies like MS. Marketing themselves as having security as a priority. Doing the bare minimum to avoid lawsuits is their priority. Ultimately though, they know that no matter how many times their failure to invest in security results in their customers' data being compromised or destroyed, they'll keep making money. Their customers are corporations who have insurance to cover their expenses when Microsoft's failure to make security a priority inevitably leads to a breach, and those corporations are able to avoid all accountability for their decision to use Microsoft products no matter who else gets hurt as a result. Dealing with yet another security issue caused by Microsoft is just another cost of doing business. It's still cheaper and/or easier for the corporations to keep MS and deal with the endless vulnerability/patch cycle than it is to move to something else and pay people who know what they're doing to manage those new systems, so nothing changes.

"Sorry, you can’t use that password to encrypt this email. It’s already being used on NUCLEAR_CODES_2 (final) (2).docx. Please try another password."

> When people say Linux would be more secure in these environments, maybe. But if Linux or Red Hat took over everywhere, you can bet it would become the juiciest target immediately.

I do not think that is the only difference between Windows and Linux though. For one thing Linux has multiple distros, some very varied. It's less of a monoculture. If Linux was more widely used it would also get greater usage for BSDs because a lot of things that run on Linux will run on them too. Linux IS very widely used on servers, and on Chromebooks, and embedded. The kernel and a few other bits are widely used on phones too.

Look at Android. It is more of a leaky sieve than Windows now.

Android was designed from day one specifically to be a leaky sieve that funnels as much of your personal and private data to Google and their partners as possible. They're left with the impossible task of making it harder for third parties to gain access to the data they're collecting without making it too hard for them to collect it for themselves.

Something to understand here is that Sharepoint is not Windows. Sure it runs on Windows, but the vulnerability here was the application. Are we going to argue that applications that run on Linux cannot have security vulnerabilities? Especially large archaic enterprisey things like this? I bet Oracle and SAP have similar types of things happen to their application suites but no one runs public websites on Oracle eApplications (yeah, plenty of companies have that exposed to the internet, but it's not The Company's Website).

> SharePoint (and a lot of other MS stuff) didn’t win because it was bulletproof, just because it was bundled “FREE”

In what world has SharePoint Server and SharePoint Standard + Enterprise User CALs ever been "FREE"?

> Security honestly feels like a service for a lot of giants.

While code security is on Microsoft, infrastructure security is on the organization deploying SharePoint Server. Remember, the topic you're commenting on is about SharePoint Server. Not M365. Not SPO.

> In what world has SharePoint Server and SharePoint Standard + Enterprise User CALs ever been "FREE"?

Yeah... I think people say "bundled FREE" when they're really referring to MS enterprise packages. It's similar to how Comcast will sell you TV for $100, land line for $20, internet for $100, but you can get a TV/land line package for $90? or a TV/internet for $130. You can "bundle FREE" phone on your TV/internet package for an extra $5. (And yes, I heard support before tell me "For $10 more a month, you get a free upgrade to 1Gbps". ???? How is that free? They will say "It's the same package, but one level up for $10 more. It comes with free 1Gbps upgrade. What doesn't make sense?")

The issue isn’t Windows vs Linux. It’s an application security exploit and it just so happens that it only runs on Windows. SharePoint Server is widely used and is a high value target. Atlassian Server products have had their fair share of 0-day exploits. Atlassian also EOL'd their server products and forced a cloud migration.

> Right now, Windows gets a lot of attention because it’s everywhere.

I disagree with this take. Linux dominates in the server market.

Yeah... but mostly external services. Meanwhile, Windows is running the crown jewels for operations inside the company, like SharePoint and Active Directory.

With Microsoft's history of insecurity, if you pick Microsoft (or Azure) and get breached, it's totally on you.

We need more Red Hat and less Microsoft in the on-prem enterprise business. These exploitable vulnerabilities are unacceptable when your customers are the likes of DoD. No one considers Google anything less than an impenetrable fortress, but when it's some government entity responsible for keeping American lives safe it's like "ah yeah they probably have a vulnerable on-prem Sharepoint that could easily be pwned." So why is this? Why do Microsoft products enjoy a monopoly on the server in these sectors when more secure (Linux-based) options are far cheaper and widely deployed already? Isn't security the number one priority in those spaces?

"Why do Microsoft products enjoy a monopoly on the server ...?"

They don't. There's plenty, even a majority, of non-Windows servers in gov (I know, some depts are true MS shops). Sharepoint is one of those things that snuck in via the desktop. It was touted by MS as an evolution of shared folders with "Intranet" features included. If you already ran a Windows Server for fileshares, Sharepoint was "free". The initial few implementations were of extremely poor quality, even by MS standards, but SP was positioned in the MS channel as the future of MS server side application development. So all of the consultancy/sales channel jumped on the SP wagon for any custom server projects. For developers, it was a nightmare. Underneath, the platform was a frankensteinian horror of bits and pieces of resurrected code from many departments and projects across MS crudely bolted together with chewing gum scraped off a park bench and bits of string recovered from old fish guts. Lists (SP's core structure for file directories with exposed metadata properties) could not work reliably, the system fell over under even light load, latency was totally unacceptable even for basic operations, files did not roundtrip through the server unchanged ... Over the years MS cut it down from "the future platform for custom backoffice apps" to "out of the box Intranet with mainly cosmetic configuration options" to "cloud hosted office 365 shared folders".

"Isn't security the number one priority in those spaces?"

No. It's exactly like every other IT environment of comparable size. Security is considered important, but does not drive sales. Features and cost, but also available expertise from the supplier/channel partners, dominate the choice. Security is covered by promises and certifications, but more often than not left to operations to patch up.

I was involved in a software startup that was aligned with MSFT 18 or so years ago. We built the web app side of our tool in Sharepoint precisely to be a good team player, and make ourselves more attractive to Redmond, even though it gave us no real benefits. The support problems were INSANE. We ended up spending an entire release cycle pulling the web app out of Sharepoint and just doing a proper stand-alone web site. Support calls plummeted. Sharepoint is something only a marketer could love.

Sharepoint’s problem, as parent alluded to, is that it’s three kids in a trenchcoat pretending to be an adult. At no time did MS seem to say “Here’s our vision for Sharepoint as a complete product.” Instead, you got coming on 25 years of random big customer feature asks + a home for lost MS product bits. It would surprise no one that performance of that has been atrocious for most of its life (for those not old enough, think non-functional search and 20s page loads for on-prem instances), salvaged only semi-recently via the cloud managed version (that I’d guess runs on a ground-up backend reimplementation).

>> The initial few implementations were of extremely poor quality, even by MS standards, but SP was positioned in the MS channel as the future of MS server side application development. So all of the consultancy/sales channel jumped on the SP wagon for any custom server projects.

The gaslighting around this matter was intense. It destroyed any remaining trust I had at that point.

It all started with Novell Netware. It was a great product and companies would buy it to have centralized management. Microsoft noticed this and decided to use their power position to drive Novell out of the market by offering a similar service and having it built in to their server product line. Novell tried to fight but it didn't last long. The protocol was proprietary and an open source implementation in Samba was very slow at catching up. If you decided to host a domain controller using it, you never knew if a random disconnect was a network issue or the controller or the client. And here we are. Active Directory, or Entra or however they call it these days, is basically a standard way to manage users everywhere. And until a strong entity (EU?) comes up with strong backing for alternative solutions (we have plenty of them now), the situation will not change.

> Active directory, or Entra or however they call it these days, is basically a standard way to manage users everywhere. And until a strong entity (EU?) comes up with strong backup towards an alternative solutions (we have plenty of them now), the situation will not change.

You still have Active Directory on premise and now you have Entra ID (formerly Azure AD) in the Azure cloud. For Windows devices, it is the only mechanism supported to have a centralized management system. For other systems, such as macOS, you have alternatives that don't require any centralized user database. Most cloud-native companies today rely on Okta or Amazon Cognito for their applications. Google Workspace supports this too, but it is incredibly basic at what it can do. I don't think there's nothing that anyone can do to make this different. And just to nitpick a little, it's like saying the smartphone reduced the camera market because of its dominant position. It didn't, it just provided convenience when there was none (a phone, a camera, a video recorder...).

I do wonder if the fact that these vulnerabilities get exploited so often is because the customers are the likes of DoD. If DoD used Red Hat, maybe we'd see more large-scale Linux/freedesktop exploits being discovered.

I think there's certainly an element of tall poppy syndrome here. Windows, for example, used to be targeted because its security was a complete joke until quite late in the XP era (SP3 IIRC). But there's always been, and still is, an element that it's targeted because it's a big, juicy target. A huge portion of the desktop and server market are running Windows. It used to be almost all Windows, at least on the desktop. Nowadays mobile computing has become far more important so Windows doesn't have the end user dominance it once did, but there are still a huge portion of end user devices running Windows. Same on the back end: it's just a big juicy target, and the bang for buck that hackers get from it is huge given how prevalent it remains in corporate and government environments.

Yet nearly all internet facing servers are Linux, and we don't see the same volume of issues.

I hate Microsoft products as much as the next person, but I don’t think your statement is entirely fair: SharePoint isn’t Windows. It’s a Microsoft product that’s only available for Windows Server. But it’s not Windows. The reason I make that distinction is because if you widen the scope of services available on Linux then you might come a lot closer to the same volume of issues. For example, take a look at how frequently CVEs are raised against popular CMSs.

> For example, take a look at how frequently CVEs are raised against popular CMSs.

One popular CMS in particular? Sure, I get the point; a more apt comparison might actually be RedHat though, since they're doing E2E packaging for a product suite. I mean, Linux isn't even Linux. At the risk of invoking a meme: Linux is actually GNU + Linux; and even then there's a web-server on top, and software that it runs. So, a working comparison might be Wikipedia? As far as I understand it, that's the largest CMS on the planet.

The closest comparison to SharePoint is probably a combination of Zoho Connect, Zoho WorkDrive, and Zoho Flow. Zoho's office suite also integrates with WorkDrive and has collaborative editing. They even have a desktop app for Writer. Even then, SharePoint is more of a platform. You can build SharePoint apps and extend it. There isn't a comparison for SharePoint Server. There really isn't any single thing like it for on-premise.

Neither Wikipedia nor Redhat are as big targets as Microsoft’s ecosystems. Not even remotely.

Ok, nginx+linux power nearly every website, is that close enough of a sizable target? As mentioned, even if we exclude websites, Linux is a pretty enormous target. Much more enormous than Microsoft, by an order of magnitude or more, yet we don’t seem to have these kind of issues. Curious, don’t you think?

Very curious. Just based on the incidents we see, and analyze over time, almost all of them are compromised Windows systems. When I say "almost", I'll provide these stats: ~4500 Windows incidents over 5 years, vs. two Linux incidents. Similarly, looking at vulnerability counts by vendor doesn't paint a rosy picture of our largest vendor Microsoft, either. But it pales in comparison to the incident statistics, which speak for themselves. To Microsoft's credit, they've managed to turn their weaknesses into a secondary industry, wherein they now no longer sell just the disease, they also sell the cure. "Oh, your Windows systems have security problems? Have we told you about our expansive security solutions? They're only an additional $your_budget_doubled per year!"

Nginx doesn’t have the same attack surface. Microsoft’s back office suite is massive. So you’re talking about Nginx + a CMS + online office suite + video conferencing + identity providers and so on and so forth. There isn’t really a direct comparison in the FOSS world. It’s either smaller in scope or smaller in terms of high profile organisation adoption. This is why I think it’s easier to ignore the “Linux” part. Not because Linux is technically a kernel, but because there isn’t a directly comparable solution that targets Linux / GNU or whatever other base OS moniker you want to use. Same is true for BSD, Darwin and so on. The alternatives to Microsoft’s dominance are typically more narrow in scope and usually proprietary too (eg Okta for identities, Google Docs for O365, etc). Does this mean that Microsoft products are secure? Not really. It just means we cannot make a fair comparison against FOSS when it comes to these specific types of attacks.
sanskarix - 8 hours ago
jon-wood - 8 hours ago
daymanstep - 8 hours ago
stevenAthompson - 6 hours ago
kibwen - 8 hours ago
jon-wood - 6 hours ago
rexer - 5 hours ago
mpyne - 6 hours ago
autoexec - 4 hours ago
matt123456789 - 6 hours ago
graemep - 5 hours ago
sirjaz - 5 hours ago
autoexec - 4 hours ago
mixdup - 42 minutes ago
p_ing - 7 hours ago
eddythompson80 - an hour ago
kuhsaft - 7 hours ago
skeeterbug - 7 hours ago
gjsman-1000 - 6 hours ago
arccy - 8 hours ago
poemxo - 21 hours ago
PeterStuer - 13 hours ago
ubermonkey - 8 hours ago
ethbr1 - 7 hours ago
tanseydavid - 7 hours ago
benterix - 12 hours ago
ExoticPearTree - 10 hours ago
resonious - 14 hours ago
bartread - 11 hours ago
dijit - 10 hours ago
hnlmorg - 10 hours ago
graemep - 5 hours ago
dijit - 10 hours ago
kuhsaft - 6 hours ago
hnlmorg - 9 hours ago
dijit - 9 hours ago
notakio - 9 hours ago
hnlmorg - 9 hours ago