Microsoft Probes Suspected MAPP Leak Enabling Chinese Hackers to Exploit SharePoint Vulnerability

Coin World, Friday, Jul 25, 2025 9:19 pm ET

Summary

- Microsoft is investigating whether a leak from its Microsoft Active Protections Program (MAPP) gave China-linked hacking groups early knowledge of a SharePoint Server vulnerability before a fix was widely deployed.

- The flaw was demonstrated at Pwn2Own in May 2025; exploitation began on July 7, days after MAPP partners were briefed, and has been attributed to the Linen Typhoon and Violet Typhoon groups among others.

- The case follows the 2021 Exchange Server episode, in which Microsoft also suspected a MAPP leak, and revives concerns about how Chinese security firms reconcile MAPP confidentiality with China's mandatory vulnerability-reporting law.

- Microsoft says it continually reviews the security of its partner programs, but the incident shows the tension between broad pre-release intelligence sharing and the insider-threat risk it creates.

Microsoft is investigating whether a suspected data leak from its Microsoft Active Protections Program (MAPP), an initiative that gives security vendors advance notice of vulnerabilities so they can ship protections before patches are public, enabled Chinese hacking groups to exploit unpatched flaws in its SharePoint Server software. The probe follows an emergency security update issued in July 2025 for a critical SharePoint vulnerability that was being actively exploited by state-affiliated cyber actors [1]. The vulnerability was first demonstrated in May 2025 by Vietnamese researcher Dinh Ho Anh Khoa at the Pwn2Own contest, and Microsoft shipped an initial fix for it in July. Microsoft has confirmed that in-the-wild exploitation began just days after the first wave of MAPP partners were briefed on the flaw [2].

The investigation centers on whether details shared with MAPP participants, the security vendors and researchers granted early access to vulnerability information, were improperly disclosed and thereby accelerated the attacks. Microsoft stated that exploitation is being conducted by three groups, two of which are linked to the Chinese state, Linen Typhoon and Violet Typhoon, with a third believed to be based in China. Dustin Childs, head of threat awareness at Trend Micro's Zero Day Initiative, pointed to the correlation between the MAPP briefing dates (June 24, July 3 and July 7) and the first observed exploitation attempts on July 7, calling it "highly likely" that a MAPP participant used the shared information to build the attack tooling [3]. Correlation of this kind is suggestive rather than conclusive: a capable actor could also have reverse-engineered the July patch or rediscovered the bug from the public Pwn2Own demonstration, so attribution of the leak still depends on Microsoft's internal forensics.

This is not the first time Microsoft has faced scrutiny over MAPP-related leaks. In 2021, the company investigated whether Chinese MAPP partners had leaked details of Exchange Server vulnerabilities ahead of a global campaign attributed to the Hafnium group. That campaign compromised tens of thousands of servers, including those of the European Banking Authority and the Norwegian Parliament [1]. Roughly a decade earlier, Microsoft expelled Hangzhou DPTech Technologies Co., Ltd. from the program after it violated its non-disclosure agreement. According to the reporting, the firm had passed sensitive vulnerability data to Chinese security agencies, a practice that raised concerns about conflicting obligations under Chinese law.

Under a 2021 Chinese regulation on the management of security vulnerabilities in network products, companies must report newly discovered vulnerabilities to the Ministry of Industry and Information Technology within 48 hours. This creates a direct conflict for firms participating in MAPP, which requires strict confidentiality until Microsoft publishes a fix. Researchers, including ETH Zurich's Eugenio Benincasa, have noted the lack of transparency in how Chinese companies reconcile these obligations, particularly given the centralized nature of China's vulnerability management system, in which reported flaws can be made available to state security organs [4].

Microsoft has not disclosed whether the current leak has been traced to a specific partner or individual. The company affirmed that it "continually evaluates the efficacy and security of all partner programs" and will implement improvements as needed. The incident nevertheless underscores the inherent insider-threat risk in collaborative cybersecurity initiatives: the more defenders who receive pre-release vulnerability details, the larger the pool of people who could leak them. MAPP, launched in 2008, exists precisely to give defenders that head start, so each leak erodes the program's core premise [2].

Analysts stress that such leaks grant malicious actors a critical head start, allowing them to exploit a flaw in the window between a vendor learning of it and customers deploying the fix. The SharePoint vulnerability has drawn particular attention because on-premises SharePoint servers are widely deployed in government and critical-infrastructure organizations. Microsoft's emergency update, issued within days of the exploitation being detected, shows a focus on containment; however, the absence so far of any public accounting for how the information escaped raises questions about the effectiveness of the program's current safeguards [3].

The probe also intersects with broader concerns about China's role in global cyber espionage. While Microsoft has not explicitly attributed the leak itself to state actors, the involvement of China-based hacking groups fits a historical pattern. Verifying the origin of such a leak remains difficult: it requires technical forensics on which partners received what, when, and how the exploit artifacts relate to that material, combined with diplomatic and intelligence assessments.

As the investigation proceeds, Microsoft faces pressure to tighten MAPP's controls without undermining the trust and speed that make the program useful. The outcome could influence how other vendors structure threat-intelligence-sharing programs, particularly in an era marked by supply chain attacks and insider threats. For now, the immediate priority is patching and hunting for compromise on exposed SharePoint servers and preventing further exploitation of any leaked material [4].

Sources:

[1] Bloomberg, "Microsoft Probing Whether Cyber Alert Tipped Off Chinese Hackers", https://www.bloomberg.com/news/articles/2025-07-25/microsoft-sharepoint-hack-probe-on-whether-chinese-hackers-found-flaw-via-alert

[2] Cryptopolitan, "Microsoft investigates SharePoint exploit leak tied to Chinese hackers", https://www.cryptopolitan.com/microsoft-investigates-sharepoint-exploit/

[3] Finimize, "Microsoft Probes Leak Tied To Chinese SharePoint Hack", https://finimize.com/content/microsoft-probes-leak-tied-to-chinese-sharepoint-hack

[4] Krebs on Security, https://krebsonsecurity.com/


Disclaimer: The news articles available on this platform are generated in whole or in part by artificial intelligence and may not have been reviewed or fact checked by human editors. While we make reasonable efforts to ensure the quality and accuracy of the content, we make no representations or warranties, express or implied, as to the truthfulness, reliability, completeness, or timeliness of any information provided. It is your sole responsibility to independently verify any facts, statements, or claims prior to acting upon them. Ainvest Fintech Inc expressly disclaims all liability for any loss, damage, or harm arising from the use of or reliance on AI-generated content, including but not limited to direct, indirect, incidental, or consequential damages.