Microsoft Links SharePoint Exploits to China-Based Cyber Threat Groups

Discover how Microsoft has tied recent SharePoint vulnerabilities to China-linked cyber threat groups and the critical steps organizations should take to mitigate these risks.

TL;DR

Microsoft identified China-linked cyber threat groups Linen Typhoon, Violet Typhoon, and Storm-2603 exploiting SharePoint vulnerabilities. The tech giant warns of continued attacks on unpatched systems and urges immediate mitigation.

Microsoft has confirmed that China-linked cyber threat groups, including Linen Typhoon, Violet Typhoon, and Storm-2603, have been exploiting SharePoint vulnerabilities since July 7, 2025. These groups are targeting internet-facing SharePoint servers to gain initial access to enterprise networks.

Key Findings

Microsoft’s report highlights that multiple China-based threat actors are actively exploiting these vulnerabilities. Microsoft has observed these groups scanning and attacking on-premises SharePoint servers by sending POST requests to the ToolPane endpoint. If successful, the attackers bypass authentication and use malicious scripts to steal sensitive cryptographic keys, such as MachineKey data.
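The activity described above leaves a trace in IIS request logs. The following PowerShell is an added example, not from Microsoft's report or this post: it reads IIS W3C log lines, keeps POST requests to the ToolPane endpoint, and reports who sent them. The log lines are constructed samples; the path `/_layouts/15/ToolPane.aspx` and the field layout are assumptions about a typical SharePoint IIS log, not details stated in the post. Anonymous POSTs (cs-username `-`) from external addresses that still receive HTTP 200 are the rows worth triaging first, since the post says the attackers bypass authentication; an authenticated POST from an internal admin editing a page is normal and shows why the endpoint filter alone is not proof of compromise.

```powershell
# Added example (not from the post): hunt IIS W3C logs for POST requests to the
# SharePoint ToolPane endpoint. Sample log lines below are constructed for the
# example; the endpoint path and field order are assumptions, not claims from the post.

$SampleLog = @'
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 02:14:07 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\alice 10.0.0.21 Mozilla/5.0 - 200
2025-07-19 02:14:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200
2025-07-19 09:30:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx - 443 CONTOSO\alice 10.0.0.21 Mozilla/5.0 https://intranet.example.invalid/SitePages/Home.aspx 200
'@

function Find-ToolPanePosts {
    param([string[]]$Lines)

    $fields = @()
    $hits = @()
    foreach ($line in $Lines) {
        # The #Fields directive defines the column order for the lines that follow
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split ' '
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }

        $values = $line -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # skip malformed rows

        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        # Only POSTs to the ToolPane endpoint (assumed path) are of interest
        if ($row['cs-method'] -eq 'POST' -and $row['cs-uri-stem'] -match '/_layouts/(15/)?ToolPane\.aspx$') {
            $hits += [pscustomobject]@{
                Time      = "$($row['date']) $($row['time'])"
                ClientIP  = $row['c-ip']
                User      = $row['cs-username']
                Anonymous = ($row['cs-username'] -eq '-')   # unauthenticated request
                Referer   = $row['cs(Referer)']
                Status    = $row['sc-status']
            }
        }
    }
    return $hits
}

$hits = Find-ToolPanePosts -Lines ($SampleLog -split "`r?`n")
$hits | Sort-Object Anonymous -Descending | Format-Table -AutoSize
```

Against a real server, replace `$SampleLog` with the contents of the IIS log directory, for example `Get-ChildItem 'C:\inetpub\logs\LogFiles\W3SVC*\*.log' | Get-Content`, and review the anonymous rows alongside the mitigation status of that server.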

Threat Groups Involved

  • Linen Typhoon (APT27, Bronze Union, Emissary Panda): This group targets intellectual property in government and defense sectors. Active since 2012, Linen Typhoon focuses on foreign embassies to gather data on government, defense, and technology sectors.

  • Violet Typhoon (APT31, BRONZE VINEWOOD, JUDGMENT PANDA): This group engages in espionage against NGOs, media, and academia. Violet Typhoon has been active since 2015 and is known for its sophisticated cyber espionage campaigns.

  • Storm-2603: This group attempts to steal MachineKeys from SharePoint servers and has ties to ransomware operations. Storm-2603 exploits exposed systems to install web shells, posing a significant threat to unpatched environments.

Mitigation Steps

Microsoft provides the following mitigations for the identified vulnerabilities:

  • Patch and Restart: After patching or enabling AMSI, rotate ASP.NET machine keys and restart IIS on all servers using PowerShell or Central Admin.
  • Security Updates: Apply the latest security updates for supported SharePoint versions (2016, 2019, Subscription Edition) immediately.
  • Enable AMSI: Enable AMSI (Antimalware Scan Interface) in Full Mode and install Defender Antivirus on all SharePoint servers.
  • Limit Internet Access: If AMSI cannot be enabled, disconnect servers from the internet or limit access using a VPN, proxy, or authentication gateway.
  • Deploy Defender: Deploy Microsoft Defender for Endpoint to detect post-exploit activity.
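The "Patch and Restart" step above, as an added example in SharePoint Management Shell form (this is not Microsoft's own script): after the security update is installed, it rotates the ASP.NET machine keys for every web application in the farm and then restarts IIS. It assumes a SharePoint 2019 or Subscription Edition farm where the `Update-SPMachineKey` cmdlet is available and that the shell runs as a farm administrator; on SharePoint 2016 the rotation is triggered from Central Admin instead, as the post notes. The IIS restart must be repeated on every server in the farm.

```powershell
# Added example (not Microsoft's script): rotate ASP.NET machine keys farm-wide,
# then restart IIS so worker processes load the new keys.
# Assumptions: security update already applied; SharePoint 2019/Subscription Edition
# (Update-SPMachineKey available); running as a farm administrator.

Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop

# Rotate keys for every web application, including Central Administration
$rotated = @()
foreach ($wa in Get-SPWebApplication -IncludeCentralAdministration) {
    Write-Host "Rotating machine key for $($wa.Url)"
    Update-SPMachineKey -WebApplication $wa
    $rotated += $wa.Url
}

Write-Host "Rotated keys for $($rotated.Count) web application(s):"
$rotated | ForEach-Object { Write-Host "  $_" }

# Restart IIS on this server (repeat on each server in the farm);
# /noforce lets in-flight requests finish before worker processes stop
iisreset.exe /noforce
```

Rotation is only worthwhile after patching: keys regenerated on a still-vulnerable server can simply be stolen again, which is why the post lists patching or enabling AMSI as the precondition.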

Additional Insights

SentinelOne researchers identified three attack clusters with different tactics, all targeting high-value SharePoint deployments. These attacks focus on persistence and access via cryptographic key theft rather than immediate system control. While SentinelOne did not attribute the attacks to a specific threat actor, The Washington Post reported that the attacks were likely conducted by China-linked threat actors.[1]

Conclusion

The ongoing exploitation of SharePoint vulnerabilities by China-linked cyber threat groups underscores the urgent need for organizations to implement robust security measures. By following Microsoft’s mitigation steps and staying vigilant, enterprises can protect their SharePoint environments from these evolving threats.

For further insights, check:

References

  1. The Washington Post (2025). “China-linked threat actors targeting SharePoint servers”. The Washington Post. Retrieved 2025-07-23.

This post is licensed under CC BY 4.0 by the author.