Microsoft Identifies Chinese Hacking Groups Behind Ongoing SharePoint Server Attacks

Wednesday, Jul 23, 2025 4:43 pm ET

Microsoft has identified three China-based hacking groups, Linen Typhoon, Violet Typhoon, and Storm-2603, as responsible for ongoing attacks on its SharePoint file-sharing system. The hackers exploited vulnerabilities in the platform to gain access to sensitive information. Linen Typhoon has been active since 2012 and focuses on intellectual property theft, while Violet Typhoon has targeted former government and military personnel, NGOs, and the financial sector. Storm-2603 has been linked to similar attacks in the past.

Microsoft Security Response Center (MSRC) has recently published a blog detailing active attacks against on-premises SharePoint servers, exploiting vulnerabilities CVE-2025-49706 and CVE-2025-49704. These vulnerabilities, affecting only on-premises SharePoint servers, are being targeted by several threat actors, including Chinese nation-state groups Linen Typhoon and Violet Typhoon, as well as Storm-2603.

Microsoft has released comprehensive security updates for all supported versions of SharePoint Server, including Subscription Edition, 2019, and 2016, to protect customers against these vulnerabilities. The updates address newly disclosed security vulnerabilities and security bypass issues related to the previously disclosed CVE-2025-49704 and CVE-2025-49706.

Threat actors have been observed conducting reconnaissance and attempting exploitation through POST requests to the ToolPane endpoint. Post-exploitation activity includes deploying web shells and stealing sensitive information, such as the server's ASP.NET MachineKey values. Microsoft has provided indicators of compromise (IOCs) and hunting queries to help organizations identify and mitigate these threats.
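As an added illustration of the hunting approach described above (this is not code from the article or from Microsoft), the script below parses IIS W3C log lines and flags POST requests to the ToolPane endpoint, counting unauthenticated ones per client address for triage. The log lines are constructed, and the full path `/_layouts/15/ToolPane.aspx` is an assumption, since the article names only "the ToolPane endpoint".

```python
import re
from collections import Counter

# Constructed IIS W3C log sample (not real data). IIS replaces spaces in the
# user agent with '+', so whitespace splitting matches the real format.
SAMPLE_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2025-07-21 09:14:02 10.0.0.5 GET /_layouts/15/start.aspx - 443 DOMAIN\\alice 10.0.0.23 Mozilla/5.0 200
2025-07-21 09:14:31 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0 200
2025-07-21 09:14:33 10.0.0.5 POST /_layouts/15/toolpane.aspx DisplayMode=Edit 443 - 203.0.113.7 Mozilla/5.0 200
2025-07-21 09:15:10 10.0.0.5 GET /_layouts/15/ToolPane.aspx - 443 DOMAIN\\bob 10.0.0.44 Mozilla/5.0 200
"""

# Assumed endpoint path; the article only names "the ToolPane endpoint".
TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.IGNORECASE)


def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed lines instead of mis-aligning columns
        yield dict(zip(fields, values))


def find_toolpane_posts(text):
    """Return records for POST requests to the ToolPane endpoint.

    Unauthenticated POSTs (cs-username '-') are the ones to escalate first:
    legitimate web part editing happens inside an authenticated session.
    """
    hits = []
    for rec in parse_w3c(text):
        if rec["cs-method"].upper() == "POST" and TOOLPANE_RE.search(rec["cs-uri-stem"]):
            rec["unauthenticated"] = rec["cs-username"] == "-"
            hits.append(rec)
    return hits


def suspicious_clients(text):
    """Count unauthenticated ToolPane POSTs per client IP for triage."""
    return Counter(h["c-ip"] for h in find_toolpane_posts(text) if h["unauthenticated"])


if __name__ == "__main__":
    for ip, n in suspicious_clients(SAMPLE_LOG).items():
        print(f"{ip}: {n} unauthenticated POST(s) to ToolPane")
```

Point the script at real IIS logs (typically under `inetpub\logs\LogFiles`) and review flagged clients against the IOCs and hunting queries Microsoft published.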

The observed tactics and techniques align with previously identified activities of these threat actors. Linen Typhoon, active since 2012, focuses on intellectual property theft, primarily targeting government and defense-related organizations. Violet Typhoon, since 2015, has been dedicated to espionage, targeting former government personnel, NGOs, and the financial sector. Storm-2603, a China-based threat actor, has been linked to similar attacks in the past.

Microsoft recommends that customers run supported versions of on-premises SharePoint Server with the latest security updates. To mitigate these vulnerabilities, organizations should integrate and enable the Antimalware Scan Interface (AMSI) together with Microsoft Defender Antivirus, configure AMSI in Full Mode, rotate the SharePoint server's ASP.NET machine keys, restart Internet Information Services (IIS), and deploy Microsoft Defender for Endpoint or an equivalent solution.

Microsoft Defender XDR customers receive coordinated protection across endpoints, identities, email, and cloud apps to detect and respond to these threats. The Defender coverage includes protection against initial access through the use of known vulnerabilities to exploit internet-facing SharePoint servers.

Organizations are advised to apply these updates immediately to ensure protection against ongoing and potential future attacks. Further details and updates will be provided as Microsoft's investigation continues.

References:
[1] https://www.microsoft.com/en-us/security/blog/2025/07/22/disrupting-active-exploitation-of-on-premises-sharepoint-vulnerabilities/
