Microsoft’s cybersecurity crackdown is here — A response to Beijing-linked breaches

Last month, numerous significant cyberattacks were aimed at Microsoft’s SharePoint, a popular web-based platform utilized by countless professionals for collaboration.

In response to these cyberattacks, which affected US entities including federal and state agencies, universities, energy firms, and even the National Nuclear Security Administration, Microsoft released urgent security updates (patches) to close the flaws.

After investigating the origins of the two previously unknown security flaws, Microsoft disclosed on August 20 that it had restricted access to its Microsoft Active Protections Program (MAPP) for certain Chinese entities, as reported by Bloomberg.

The MAPP initiative, managed by the Microsoft Security Response Center (MSRC), distributes early information about upcoming security vulnerabilities to Microsoft’s security partners so that they can prepare protections (such as detection signatures) in time for the release of the corresponding security updates.

The restrictions on MAPP quietly came into force last month. According to David Cuddy, a Microsoft representative speaking with Bloomberg, MAPP access will now be limited in countries where participants are legally obligated to disclose vulnerabilities to their governments. This includes China, among others.

Since the SharePoint attacks began on June 24, 2025, Microsoft has attributed the incidents, at least in part, to Beijing.

On July 22nd, Microsoft’s Threat Intelligence team released a report disclosing the security flaws CVE-2025-53770 and CVE-2025-53771. It was found that two suspected Chinese state-affiliated groups, Linen Typhoon and Violet Typhoon, had been leveraging these vulnerabilities in SharePoint servers.

Another China-linked threat group, tracked by Microsoft as Storm-2603, has been using the same flaws to deploy ransomware. Beijing, however, has consistently denied any involvement in the SharePoint exploitation.

Microsoft’s Active Protections Program is tightening its borders

Although Beijing publicly denied any involvement in the SharePoint hacking, the speed with which unpatched systems were exploited led Microsoft to investigate possible leaks or rogue members within the Microsoft Active Protections Program (MAPP).

Substantial changes are coming to how MAPP is run. According to a Microsoft representative, the company will stop providing “proof of concept code” to the MAPP members affected by the change, such as those based in China.

In simpler terms, proof-of-concept code demonstrates that a vulnerability can be triggered and how. It is primarily used by defenders to build and test protections, but if it leaks it can give attackers a head start before security updates are applied. Microsoft has tied this change to its early investigation into the SharePoint attacks.

Instead of providing proof-of-concept code to Chinese organizations in MAPP, Microsoft will now offer a broader, descriptive write-up of the vulnerabilities, released at the same time as the security patches for those issues.

To ensure that our platform isn’t misused, we implement precautions, some of which are confidential. We consistently monitor users, and those who breach their agreement with us – including rules against engaging in harmful activities – may face suspension or removal from the platform.

David Cuddy, Microsoft spokesperson

According to a Bloomberg report, a representative from the Chinese embassy in Washington stated they were unaware of the specifics in the security report. The representative emphasized that China firmly opposes and combats hacking activities as per the law. Furthermore, the representative also expressed opposition towards negative portrayals and attacks against China, which are often disguised under the pretext of cybersecurity concerns.

MAPP (Microsoft Active Protections Program) has previously faced criticism over leaks involving China, most notably in 2012, when Microsoft attributed the exposure of a significant Windows exploit to a Non-Disclosure Agreement (NDA) violation by Hangzhou DPTech Technologies.

In 2021, a cyberattack on Microsoft Exchange servers was alleged to be potentially linked to leaks from MAPP (Microsoft Active Protections Program) participants. Microsoft reportedly focused on at least two Chinese firms, suspecting them of leveraging the disclosed vulnerabilities.

In a statement to Bloomberg, China’s Ministry of Foreign Affairs firmly stated that they staunchly reject any form of cyber attacks or intrusions. This has been their consistent position from the outset. Chinese laws governing data collection and management are explicitly designed to protect data security and actively condemn cyber-attacks and other illicit activities in this domain.

Those leaks are believed to have helped a hacker group thought to be backed by the Chinese government, known as Hafnium, cause significant damage to Microsoft Exchange servers over an extended period.

The situation prompted Microsoft to consider changes to its MAPP program, specifically regarding how much sensitive information it shared with partners in certain regions. In hindsight, these adjustments could have been made earlier.

Details of the recent SharePoint “ToolShell” attack

The latest changes to MAPP were prompted by a SharePoint attack that exploited two previously unknown flaws (“zero-days”). A zero-day is a vulnerability for which no patch existed when exploitation began.

Although the attack did not affect cloud-hosted SharePoint, it impacted approximately 40,000 on-premises servers.

As an observer, I’ve noticed that the two vulnerabilities, CVE-2025-53770 and CVE-2025-53771, collectively nicknamed “ToolShell,” were actively exploited by malicious actors for some time before patches were available.

Lotem Finkelstein, Director of Threat Intelligence at Check Point Research, commented on the attacks:

There’s an immediate and ongoing risk: a serious, unpatched vulnerability in on-premises SharePoint is being exploited by hackers worldwide, potentially endangering thousands of organizations globally. Our team has detected numerous attempts to infiltrate systems across various sectors, including government, telecommunications, and technology, since July 7. We strongly advise enterprises to upgrade their security systems as soon as possible – this attack is sophisticated and rapidly evolving.

2025-08-21 23:10