The SharePoint exploit was used against high-profile victims including the US National Nuclear Security Administration, the Department of Homeland Security, the Department of Energy and the Department of Health and Human Services, but many other organizations were also hit in the fallout. Here’s what that means for you.


On July 20, Microsoft issued an emergency patch along with a warning, after attackers were found actively exploiting a critical vulnerability in SharePoint on-premises servers to bypass authentication. If successful, adversaries would be able to access private SharePoint content, including internal configurations and file systems.

It soon emerged that the flaws tracked as CVE-2025-53770, a remote code execution bug, and the related authentication bypass CVE-2025-53771, collectively known as ToolShell, were being used to deliver ransomware.

Days later, it became clear that the emergency fix followed an earlier patch that attackers had bypassed. Microsoft conceded that its initial fix for the flaw, first demonstrated at a hacker competition in May, did not hold, forcing it to release additional patches to resolve the issue.

By then, China-based nation-state adversaries including Linen Typhoon and Violet Typhoon, as well as the group Storm-2603, had claimed victims including the US National Nuclear Security Administration, the Department of Homeland Security, the Department of Energy and the Department of Health and Human Services.

Microsoft also acknowledged that other groups had picked up the vulnerability, with ransomware deployed in some of the attacks. The ToolShell campaign is thought to have compromised 396 SharePoint systems across more than 145 organizations in 41 countries.

With such high-profile targets, the SharePoint attacks might feel far removed from everyday business. Yet the incident should be a wake-up call for any organization relying on Microsoft services, cloud platforms or on-premises collaboration tools. If attackers can persist in hardened government environments, they can exploit less well-defended business systems with the same tooling, and the scanning that found those servers does not distinguish between the two.

So, what does the SharePoint exploit mean for businesses, and how can you improve your security posture to avoid being caught in the cross-fire of attacks such as these?

Security by Obscurity

The SharePoint ToolShell attacks demolished the dangerous myth of ‘security by obscurity’: the false belief that smaller organizations won’t be targeted because they’re not important enough, Dario Perfettibile, vice president and GM of European operations at Kiteworks, tells ISMS.online.

The breach’s “massive scope” reveals how modern cyber-attacks “use automated exploitation to target vulnerabilities at scale”, rather than just focusing on specific organizations, he says. “With over 9,300 SharePoint servers exposed online, attackers used automated scanning to identify thousands of vulnerable systems and exploited everything they found.”

The campaign’s evolution from state-sponsored espionage to opportunistic ransomware attacks “perfectly illustrates this”, says Perfettibile. “Storm-2603 saw exposed servers as monetisation opportunities.”

The SharePoint exploits also showed that patching alone does not end an intrusion if attackers already have a foothold. In this case, the attackers used their initial access to steal the servers’ ASP.NET machine keys, the secrets that sign and encrypt ViewState, so a patched server still accepted their forged requests until those keys were rotated and IIS was restarted. That is why Microsoft’s guidance paired the update with key rotation, and why weak internal controls around who could reach those servers mattered long after the patch was installed.

The exploit itself is concerning enough, but another thing to consider is how the attackers operate once they’re inside, says Pierre Noel, field CISO EMEA at Expel. “They’ve commoditised techniques such as ‘living off the land’, using the same admin tools your IT team relies on. What used to be reserved for sophisticated attackers is now baked into every ransomware playbook.”

With this in mind, the same tactics used for espionage at the national level can “just as easily be turned against a mid-market retailer or healthcare provider”, he warns.

Poor Visibility

Adding to the risk, many organizations have poor visibility of their collaboration tools, leaving blind spots in risk assessments. While collaboration tools are critical for productivity, they “rarely get the same level of monitoring as endpoints or firewalls”, says Noel. “Logs are incomplete, security integrations are an afterthought, and most risk assessments skip them entirely, leaving the platforms where employees actually operate unmonitored and exposed.”

Microsoft E3 licenses can throttle security logs under load and delay delivery up to 72 hours, while most platforms only retain audit logs for 90 days to one year, says Perfettibile. “This is far too short, when forensic investigations revealed SharePoint compromises occurred months before detection.”

This “fragmented monitoring” also creates “perfect conditions for undetected data exfiltration”, Perfettibile warns. “Attackers can distribute their activities across multiple platforms to stay under each system’s individual detection thresholds, while security teams lack the cross-platform behavioural analysis needed to spot patterns.”
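The kind of check the visibility gap described above calls for, as an added example (not code from the article, Kiteworks or Expel): a PowerShell function that reads a SharePoint server’s IIS W3C logs and flags the two request patterns Microsoft and CISA published as ToolShell indicators, a POST to /_layouts/15/ToolPane.aspx whose Referer is /_layouts/SignOut.aspx, and any request for the spinstall*.aspx web shell the attackers dropped to read the machine keys. The log lines in the block are constructed; the hostname and IP addresses are made up.

```powershell
# Added example, not from the article: hunt IIS W3C logs for ToolShell indicators.
# The sample log below is constructed; the host sp.contoso.example is fictional.

function Find-ToolShellActivity {
    param([string[]]$Lines)

    $fields = @()
    $hits = @()
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            # IIS declares the column layout in the header and it can differ per site,
            # so map names to positions instead of hard-coding indexes.
            $fields = $line.Substring(8).Trim() -split ' '
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        if ($fields.Count -eq 0) { throw 'Data line seen before a #Fields header' }

        $parts = $line -split ' '
        $rec = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $parts.Count; $i++) {
            $rec[$fields[$i]] = $parts[$i]
        }

        $reasons = @()
        # Indicator 1 (Microsoft/CISA): unauthenticated POST to ToolPane.aspx with a
        # Referer of the SignOut page. Legitimate edit-mode POSTs carry a page referer.
        if ($rec['cs-method'] -eq 'POST' -and
            $rec['cs-uri-stem'] -match '/_layouts/(15/)?ToolPane\.aspx$' -and
            $rec['cs(Referer)'] -match '/_layouts/(15/)?SignOut\.aspx') {
            $reasons += 'ToolPane POST with SignOut referer (auth bypass pattern)'
        }
        # Indicator 2: the dropped web shell. Regex covers the spinstall0/1/2 names
        # Microsoft listed; attackers are not bound to those names.
        if ($rec['cs-uri-stem'] -match '/spinstall\d*\.aspx$') {
            $reasons += 'spinstall*.aspx web shell request'
        }

        if ($reasons.Count -gt 0) {
            $hits += [pscustomobject]@{
                Time     = "$($rec['date']) $($rec['time'])"
                ClientIP = $rec['c-ip']
                Method   = $rec['cs-method']
                Uri      = "$($rec['cs-uri-stem'])?$($rec['cs-uri-query'])"
                Status   = $rec['sc-status']
                Reason   = ($reasons -join '; ')
            }
        }
    }
    return $hits
}

# Constructed sample in IIS W3C format: one benign request, then the two indicators.
$sample = @'
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 12:01:05 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\alice 10.0.0.77 Mozilla/5.0+(Windows+NT+10.0) https://sp.contoso.example/sites/hr 200 0 0 120
2025-07-18 12:02:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) https://sp.contoso.example/_layouts/SignOut.aspx 200 0 0 310
2025-07-18 12:02:43 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.9 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 45
'@ -split "`r?`n"

Find-ToolShellActivity -Lines $sample | Format-Table -AutoSize
```

To run it against a real server, feed it the logs under C:\inetpub\logs\LogFiles (the IIS default), for example Get-ChildItem C:\inetpub\logs\LogFiles -Recurse -Filter *.log | ForEach-Object { Find-ToolShellActivity -Lines (Get-Content $_.FullName) }. A clean result is not proof of safety: a 200 on the ToolPane POST is the strongest single signal, but the web shell name varied across the campaign, and if retention is as short as Perfettibile describes, the relevant days may already have rolled off.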

Security Measures

The SharePoint attacks are a reminder that all businesses are vulnerable to breaches, even if attackers are seen hitting high-profile targets first. With that in mind, there are some key steps you can take now to protect yourself.

Saeed Abbasi, senior manager, product management at Qualys Threat Research Unit, advises firms to undergo “an emergency discovery audit” to map their entire SharePoint attack surface, both on-premises and online. “Identify every internet-exposed asset, its version and its owner, then triage for remediation based on exposure and exploitability, pushing critical patches under aggressive service level agreements.”

For any asset where immediate patching is not possible, Abbasi recommends applying “advanced remediation techniques” – such as isolating the host or implementing temporary mitigations – until a permanent fix can be deployed.

Simultaneously, it’s a good idea to harden all configurations. “Enforce multi-factor authentication and conditional access, revoke public access and audit third-party plugins,” Abbasi says.

More broadly, to protect against SharePoint-style attacks, organizations must implement zero-trust architecture that verifies every request, even those from “trusted” internal systems, Perfettibile advises. “This is important since attackers used legitimate tools and stolen cryptographic keys to maintain persistence after initial compromise.”
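The stolen keys Perfettibile refers to, and the reason patching alone did not end the intrusions discussed earlier, were the ASP.NET machine keys, so the remediation step that matters once the update is installed is to rotate those keys on every web application and restart IIS on every server. Below is an added example of that step in PowerShell; it is not code from the article, from Kiteworks or from Microsoft. It assumes an elevated SharePoint Management Shell on a farm server, that the Update-SPMachineKey cmdlet is present on your build, and that the IIS WebAdministration module is installed so the script can read the machineKey each site is actually serving; the before-and-after comparison is the check that the rotation reached the web.config files rather than just being requested.

```powershell
# Added example, not code from the article or from Microsoft.
# Assumes: elevated SharePoint Management Shell on a farm server, the
# Update-SPMachineKey cmdlet is available on this build, and the IIS
# WebAdministration module is installed.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module WebAdministration

# Read the validationKey each IIS site is currently serving with. SharePoint
# writes a machineKey element into every web application's web.config, so this
# is the key a forged ViewState would be checked against right now.
function Get-SiteValidationKeys {
    $keys = @{}
    foreach ($site in Get-Website) {
        $attr = Get-WebConfigurationProperty -PSPath "IIS:\Sites\$($site.Name)" `
                    -Filter 'system.web/machineKey' -Name 'validationKey' `
                    -ErrorAction SilentlyContinue
        # Sites without an explicit key (e.g. Default Web Site) are skipped.
        if ($attr -and $attr.Value) { $keys[$site.Name] = [string]$attr.Value }
    }
    return $keys
}

# Rotate keys for every web application, Central Administration included: a key
# stolen from any one of them keeps working against that one until it changes.
function Invoke-SPMachineKeyRotation {
    foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
        Write-Host "Rotating ASP.NET machine key for $($wa.Url)"
        Update-SPMachineKey -WebApplication $wa
    }
    # Worker processes hold the old keys in memory until IIS is restarted.
    iisreset /noforce | Out-Null
}

# Compare the two snapshots and return the names of sites still on the old key.
function Compare-ValidationKeys {
    param([hashtable]$Before, [hashtable]$After)
    $unchanged = @()
    foreach ($name in $Before.Keys) {
        if ($After[$name] -eq $Before[$name]) {
            Write-Warning "Site '$name' still serves the old validationKey"
            $unchanged += $name
        } else {
            Write-Host "Site '$name': validationKey rotated"
        }
    }
    return $unchanged
}

$before   = Get-SiteValidationKeys
Invoke-SPMachineKeyRotation
$after    = Get-SiteValidationKeys
$stillOld = Compare-ValidationKeys -Before $before -After $after
if ($stillOld.Count -gt 0) {
    Write-Warning "Rotation incomplete on: $($stillOld -join ', '). Re-run the check once the rotation job has finished."
}
```

Rotation invalidates every outstanding ViewState and forms-authentication ticket, so users will re-authenticate; schedule it for a quiet window, but do not skip it. If a site still reports the old key after the run, the rotation has not yet reached that server’s web.config; wait and re-run the comparison rather than assuming success. Run the rotation on the farm once, but repeat the key check on every SharePoint server, since a stale key on any one of them is enough for an attacker holding the old value.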

Critical data segmentation is “essential”, he adds. “Isolate collaboration platforms from core business systems, enforce least-privilege access by default rather than open sharing, and ensure that a breach in one platform cannot cascade across your entire infrastructure.”

Frameworks such as ISO 27001 that help assess your individual risk can also reduce the chance of being caught out by vulnerabilities such as the SharePoint flaw.

As part of this, regular tabletop exercises simulating collaboration platform breaches are useful for exposing blind spots. “Test whether your team can detect stolen authentication keys, identify lateral movement between platforms and execute containment when patches themselves have been bypassed,” says Perfettibile.

At the same time, firms can assess their Microsoft supply chain risks by understanding that they are vulnerable to multi-tenant breaches affecting other organizations, says Perfettibile. “Microsoft controls your encryption keys, making you susceptible to blind subpoenas, and third-party SharePoint plugins create additional attack vectors.”