
Microsoft SharePoint attacks target on-premises servers

Thousands of organizations, including government agencies, running SharePoint on-premises are vulnerable after Microsoft issued a security alert warning of active attacks.

Microsoft over the weekend acknowledged active attacks targeting on-premises SharePoint servers, potentially affecting thousands of businesses and government agencies.

Security research firm Eye Security first reported the exploit Friday night, saying that, out of more than 8,000 SharePoint servers it examined, it found dozens of systems actively compromised during two waves of attacks on Friday and Saturday.

Microsoft on Saturday released fixes for the zero-day attacks targeting SharePoint 2019. But as of Monday morning, risks to SharePoint 2016 were still active. The company said on X that it is working on a patch.

Chris Butera, acting executive assistant director for the cybersecurity division at CISA, said the government is working with Microsoft to quickly address the attacks. "Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations," he said in a statement.

A March post from Cloudwell claims about 40% of organizations in the U.S. run SharePoint on-premises. While Microsoft has pushed users to adopt its cloud SharePoint products, many customers -- including government agencies -- still use on-premises SharePoint servers because of cost and security concerns.

That leaves many thousands of organizations and millions of users globally at risk for this latest attack.


"What makes this especially concerning is SharePoint's deep integration with Microsoft's platform, including their services like Office, Teams, OneDrive and Outlook, which has all the information valuable to an attacker," Michael Sikorski, CTO and head of threat intelligence for Unit 42 at Palo Alto Networks, said in a statement. "A compromise doesn't stay contained -- it opens the door to the entire network."

He added, "This is a high-severity, high-urgency threat."

Sikorski said attackers are bypassing multifactor authentication and single sign-on identity controls to gain privileged access, enabling them to grab sensitive data and steal cryptographic keys. He said patching alone might not be enough to remove the threat, since attackers have gained backdoor footholds.

What to do now

Microsoft said affected customers should apply the latest security updates, including the July 2025 Security Update; ensure the Antimalware Scan Interface (AMSI) is turned on, correctly configured and backed by antivirus software; deploy Microsoft Defender for endpoint protection; and rotate SharePoint Server ASP.NET machine keys.

Security updates are available for SharePoint 2019 and SharePoint Enterprise Server 2016. Microsoft said organizations unable to immediately apply patches should disconnect servers from the internet.
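The machine-key rotation step above is easy to miss on a farm with several web applications. The following script is an added example, not code from the article or from Microsoft, and it assumes the Update-SPMachineKey cmdlet is available on your SharePoint build; it records the farm build number for comparison against Microsoft's published update build, rotates the keys on every web application and restarts IIS so the new keys are loaded.

```powershell
# Added example (not from the article or Microsoft): rotate ASP.NET machine keys
# for every web application in an on-premises SharePoint farm, then restart IIS
# so the rotated keys take effect. Run from the SharePoint Management Shell as a
# farm administrator.
# Assumption: Update-SPMachineKey is present on this build (SharePoint Server
# 2016/2019/Subscription Edition with a recent cumulative update); verify the
# cmdlet exists before relying on this script.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

if (-not (Get-Command Update-SPMachineKey -ErrorAction SilentlyContinue)) {
    throw "Update-SPMachineKey is not available; apply the current update first."
}

# Record the farm build so it can be checked against the build number Microsoft
# publishes for the July 2025 Security Update. Patching comes before rotation.
$farm = Get-SPFarm
Write-Host ("Farm build version: {0}" -f $farm.BuildVersion)

# Rotate keys on every web application, including Central Administration,
# which is otherwise skipped by Get-SPWebApplication.
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($webApp in $webApps) {
    Write-Host ("Rotating machine key for {0} ({1})" -f $webApp.DisplayName, $webApp.Url)
    Update-SPMachineKey -WebApplication $webApp
}

# Worker processes keep the old keys in memory until they restart. Run the
# restart on every server in the farm, not only the one this script ran on.
Write-Host "Restarting IIS so the new keys are loaded..."
iisreset.exe
```

Because rotation invalidates sessions and view state signed with the old keys, schedule it during a maintenance window and confirm the patch has been applied on all farm servers first.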

Informa TechTarget has reached out to Microsoft for further comment.

Shane Snider, a veteran journalist with more than 20 years of experience, covers IT infrastructure at Informa TechTarget.
