Microsoft Corp. has determined that China-linked hacking groups are targeting deployments of its SharePoint file sharing platform.

The company detailed its findings in a blog post published today.

The hackers are exploiting two SharePoint vulnerabilities that researchers disclosed in last week. The first flaw, CVE-2025-49706, makes it possible to bypass the platform’s authentication mechanism by impersonating a legitimate user. The other vulnerability, which is tracked as CVE-2025-49704, allows hackers to remotely install malicious code.

The flaws only affect on-premises SharePoint environments. Microsoft released a patch earlier this month, but hackers soon found workarounds that allowed them to bypass the fix. The company released a second path on Monday to address the issue.

In today’s blog post, Microsoft detailed that three hacking groups linked to China are using the vulnerabilities to launch cyberattacks. The groups are tracked as Linen Typhoon, Violet Typhoon and Storm-2603.

Linen Typhoon has been active since 2012. It focuses primarily on stealing intellectual property from organizations in sensitive industries such as the defense sector. Violet Typhoon carries out espionage campaigns against current and former government officials, while Storm-2603 specializes in ransomware campaigns.

“Investigations into other actors also using these exploits are still ongoing,” Microsoft’s researchers wrote. “With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems.”

The company has determined that the China-linked hackers are using a multistep workflow to exploit the vulnerabilities. First, they install a malicious script that allows them to remotely access a SharePoint environment. The script then downloads additional malware that obfuscates the breach and steals data.

According to Microsoft, the data accessed by the malware includes cryptographic keys that SharePoint uses to verify user requests. Using those keys, hackers can regain access to a compromised SharePoint environment after it’s patched. As a result, the company is advising affected customers to refresh their keys after patching their deployments.

It’s believed that the hackers have compromised dozens of organizations in the telecommunications, software and public sectors. On Monday, the Washington Post reported that at least two U.S. federal agencies were breached. The same day, the U.S. Cybersecurity and Infrastructure Security Agency released guidelines on how organizations should respond to the hacking campaign. 

“The latest CISA alert underscores a harsh reality: Attackers increasingly exploit legitimate identities and permissions, not just technical vulnerabilities,” said Mike Towers, chief trust and security officer of cybersecurity company Veza Inc. “The real risk isn’t just the initial access — it’s the invisible sprawl of privileges within platforms like SharePoint.”

Photo: Pixabay