A major Microsoft cyberattack has hit around 100 organisations worldwide, after hackers found a way into the company’s widely used SharePoint software. Security researchers say the attack appears to be a coordinated spying effort—and it’s still going.
The attack targets organisations running on-premise SharePoint servers, a tool used by many companies to manage internal documents and communications. By breaking into these systems, attackers were able to steal encryption keys and install backdoors, giving them long-term access to sensitive networks.
Most of the confirmed victims are based in the U.S. and Germany. The targets include a mix of government agencies, energy firms, hospitals, financial institutions, and auditing companies. Experts worry that thousands more may still be vulnerable.
“Right now, it looks like over 8,000 servers haven’t been patched,” said one security researcher involved in the investigation. “That means a lot of organisations are still wide open.”
Microsoft patched the vulnerability, tracked as CVE-2025-53770, after discovering the breach. But even with the fix, the danger isn’t over. If hackers already planted backdoors before the patch was applied, they may still have access.
Microsoft hasn’t publicly named the group responsible. But analysts at Google say the activity points to a state-backed actor based in China. Other researchers believe more hacking groups have since joined in, using the same weakness.
In response, authorities including the FBI, CISA, and UK’s National Cyber Security Centre are working with affected organisations. They’re urging companies to go beyond patching: reset credentials, check logs for suspicious activity, isolate affected servers, and prepare for possible follow-up attacks.
For now, many organisations are still trying to understand how deep the breach goes. Some may not realise they’ve been compromised yet. As one analyst put it, “The hard part isn’t fixing the bug—it’s knowing who’s already in your systems.”
