Dozens of US government agencies and businesses are under attack following an unprecedented global hack on Microsoft servers.
Authorities are investigating after tens of thousands of SharePoint servers were compromised in the last few days, The Washington Post reports.
The platform is used to share and manage documents. They remain at risk as Microsoft is yet to fix the flaw, per the outlet.
Users are being urged to take the servers offline or make changes to the SharePoint programs to protect themselves.
‘Microsoft has issued security updates and urges customers to apply them,’ stated a spokesperson. ‘Throughout our response, we’ve worked closely with CISA, DOD Cyber Defense Command, and major cybersecurity partners worldwide.’
The cyber attack does not target cloud-based services, such as Microsoft 365, and only impacts those housed within an organization.
At least two federal agencies have been breached, researchers told the Washington Post although no further details were given.
The breach is classed as a ‘zero day’ attack as it targets a previously unknown vulnerability.
Dozens of US government agencies and businesses are under attack following an unprecedented global hack on Microsoft servers
Authorities are currently investigating after tens of thousands of SharePoint servers were breached recently. Pictured: Microsoft Chairman and CEO Satya Nadella
‘We are witnessing attempts to exploit thousands of SharePoint servers worldwide before a patch has been released,’ Pete Renals, a senior manager at Palo Alto Networks’ Unit 42, informed the Washington Post.
‘We have identified dozens of compromised organizations spanning both commercial and government sectors.’
The hack is being investigated by the US government in partnership with officials in Australia and Canada. It is not yet clear who is responsible.
The compromised servers frequently connect to vital services such as Outlook email and Teams, sparking fears sensitive data and passwords have been obtained.
Microsoft said the hackers struck after it fixed a similar breach earlier this month by using a similar vulnerability.
‘Microsoft is aware of active attacks targeting on-premises SharePoint Server customers exploiting a variant of CVE-2025-49706 which was addressed in July’s Update Tuesday,’ an alert to users on Saturday read.
‘This vulnerability has been assigned CVE-2025-53770. This vulnerability applies to on-premises SharePoint Servers only. SharePoint Online in Microsoft 365 is not impacted.
‘A patch has been made available to mitigate CVE-2025-53770 in SharePoint Subscription Edition which customers should apply immediately.’
The cyber attack is currently not affecting servers housed on the cloud, such as Microsoft 365 and only impacts those housed within an organization
Eye Security, a Netherlands-based company, told the Washington Post that the hackers may have gained access to keys which will allow them to hack again even after a fix, known as a patch, is issued.
‘Pushing out a patch on Monday or Tuesday doesn’t help anybody who’s been compromised in the past 72 hours,’ one researcher told the Washington Post.
thE Cybersecurity and Infrastructure Security Agency said it is working with Microsoft. ‘CISA was made aware of the exploitation by a trusted partner and we reached out to Microsoft immediately to take action,’ acting executive assistant director for cybersecurity Chris Butera said.
‘Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations. CISA encourages all organizations with on-premise Microsoft Sharepoint servers to take immediate recommended action.’
The incident is the latest security breach for Microsoft, which was admonished for lapses in 2023 which allowed a Chinese hack of government emails, including those of former Commerce Secretary Gina Raimond.
Last year a cyberattack on SharePoint data also led to millions of Americans’ personal information being stolen by hackers who targeted a heath company.
A total of 4.3m users’ names, addresses, health history and social security numbers to dangerous actors were obtained after the attack on HealthEquity.
Daily Mail has contacted Microsoft for comment.
This is a breaking news story, check back for updates.
