What is the Microsoft MAPP leak and how did Chinese hackers exploit SharePoint vulnerabilities?
A major cybersecurity incident unfolded in July 2025 as Microsoft launched an investigation into whether a leak from its Microsoft Active Protections Program (MAPP) allowed Chinese state-sponsored hackers to exploit critical SharePoint vulnerabilities before official patches were rolled out. The advanced attack, dubbed “ToolShell,” compromised over 400 global organizations—including the U.S. National Nuclear Security Administration—by stealing cryptographic machine keys and maintaining persistent unauthorized access. The zero-day flaw was first disclosed by a Vietnamese researcher at the Pwn2Own conference and was quickly exploited following MAPP notifications. This incident raises concerns over the integrity of Microsoft's vulnerability-sharing program and the growing sophistication of nation-state cyber threats.
Table of Contents
- What Happened in the Microsoft SharePoint Breach?
- How Did the Exploit Work?
- Timeline of the Attack and Key Events
- Who Was Affected by the Attacks?
- What is the Microsoft Active Protections Program (MAPP)?
- Why This Incident Matters for Cybersecurity in 2025
- Microsoft’s Response to the Incident
- Chinese Government Response
- What Should Organizations Do Now?
- Global Security Implications
- Conclusion
- Frequently Asked Questions (FAQs)
Microsoft has launched a critical investigation into a suspected leak from its Microsoft Active Protections Program (MAPP), which may have given Chinese threat actors early access to exploit dangerous SharePoint vulnerabilities. These exploits have since been used to compromise over 400 organizations worldwide, including top-tier U.S. federal agencies.
What Happened in the Microsoft SharePoint Breach?
In July 2025, Microsoft confirmed that attackers had exploited a SharePoint zero-day vulnerability—revealed earlier at the Pwn2Own Berlin 2025 event by Vietnamese researcher Dinh Ho Anh Khoa. While patches were distributed shortly after, the timing of initial exploitation raises concerns that confidential information may have been leaked from Microsoft’s own MAPP program.
How Did the Exploit Work?
Exploiting SharePoint Through Authentication Bypass and Key Theft
The attackers deployed a multi-stage attack chain named "ToolShell", which:
- Bypassed authentication mechanisms in SharePoint.
- Executed remote code on unpatched or partially patched servers.
- Extracted machine-level cryptographic keys, enabling long-term persistent access—even after patches were applied.
The vulnerability's severity lies in this post-patch persistence: because the stolen machine keys stay valid until they are rotated, attackers could keep their access even after systems were updated.
Timeline of the Attack and Key Events
| Date | Event Description |
|---|---|
| May 2025 | Vulnerability demonstrated at Pwn2Own Berlin by Dinh Ho Anh Khoa |
| June 24 | First MAPP partner notification sent by Microsoft |
| July 3–7 | Final MAPP notifications issued |
| July 7 | Microsoft detects first exploitation attempts in the wild |
| July 18 | SharePoint zero-day hits U.S. Department of Energy, including the NNSA |
This suspicious timeline triggered concerns that someone within MAPP may have weaponized the exploit using privileged access.
Who Was Affected by the Attacks?
According to Eye Security, the cybersecurity firm that uncovered the attacks, the breach impacted:
- Government agencies (including U.S. Department of Energy and NNSA)
- Energy infrastructure providers
- Educational institutions
- Private corporations in North America, Europe, and Asia
Attribution to Chinese APT Groups
Microsoft attributed the breaches to three Chinese nation-state actors:
- Linen Typhoon
- Violet Typhoon
- Storm-2603
These groups have a known history of cyber espionage targeting critical infrastructure and intellectual property.
What is the Microsoft Active Protections Program (MAPP)?
MAPP is a 17-year-old information-sharing initiative by Microsoft designed to give select security partners advance notice of vulnerabilities—ranging from 24 hours to 5 days before public disclosure. While the intention is defensive, that advance notice becomes dangerous if it leaks to malicious actors.
Past MAPP Breaches
- 2012: Chinese firm Hangzhou DPtech Technologies leaked proof-of-concept code.
- 2020: Qihoo 360 was removed after being listed on the U.S. Entity List.
There are currently at least a dozen Chinese companies in the MAPP program, increasing the risk of insider misuse.
Why This Incident Matters for Cybersecurity in 2025
Strategic Risk to National Security
The exploitation of a vulnerability affecting SharePoint, a platform used by countless organizations globally, including U.S. nuclear agencies, underscores the catastrophic potential of information leaks from trusted security programs.
Diminishing Trust in Vendor Early Access Programs
A confirmed leak would call into question the integrity of early-warning systems like MAPP and may limit future collaborations between vendors and researchers.
Microsoft’s Response to the Incident
Microsoft issued the following statement:
“As part of our standard process, we’ll review this incident, find areas to improve, and apply those improvements broadly. Partner programs like MAPP remain an important part of the company’s security response.”
The company has not yet confirmed the leak but is actively investigating all internal access and partner disclosures.
Chinese Government Response
The Chinese Embassy in Washington denied involvement:
“China opposes and fights hacking activities in accordance with the law and rejects smears against China under the excuse of cybersecurity issues,” said Foreign Ministry spokesman Guo Jiakun.
What Should Organizations Do Now?
Recommendations for Defense
To mitigate risks from similar SharePoint vulnerabilities:
- Immediately apply the latest security patches from Microsoft.
- Use network segmentation and strong firewall rules to isolate SharePoint services.
- Monitor for anomalous traffic, especially unauthorized key access or authentication bypass attempts.
- Deploy threat-hunting tools like Microsoft Defender for Endpoint, Sysmon, and SIEM solutions.
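As an added example (not from the article, Eye Security, or Microsoft), the following Python script turns the monitoring advice above into a concrete check over IIS W3C log lines: it flags successful requests to SharePoint's /_layouts/ management pages that carry no authenticated user, which on a farm without anonymous access is a sign of an authentication bypass attempt. The log lines, the field layout, and the "no anonymous access" condition are constructed assumptions.

```python
# Added example, not from the article or Microsoft: flag successful requests to
# SharePoint /_layouts/ pages that carry no authenticated user in IIS W3C logs.
# Assumes the farm allows no anonymous access, so every 2xx for a /_layouts/
# management page should name a user in cs-username.
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Constructed sample log (not real traffic): a normal request, an unauthenticated
# POST that still got a 200, the same POST rejected with 401, and another normal one.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-username c-ip sc-status
2025-07-07 09:12:01 GET /sites/finance/default.aspx CONTOSO\\alice 10.0.1.20 200
2025-07-07 09:12:05 POST /_layouts/15/settings.aspx - 203.0.113.7 200
2025-07-07 09:12:06 POST /_layouts/15/settings.aspx - 203.0.113.7 401
2025-07-07 09:13:00 GET /_layouts/15/start.aspx CONTOSO\\bob 10.0.1.30 200
"""

@dataclass
class Finding:
    time: str
    client_ip: str
    method: str
    uri: str
    status: int

def parse_w3c(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Parse IIS W3C lines into dicts keyed by the names in the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in lines:
        line = line.rstrip("\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
        elif line and not line.startswith("#"):  # skip blanks and other directives
            parts = line.split()
            if fields and len(parts) == len(fields):
                rows.append(dict(zip(fields, parts)))
    return rows

def find_unauthenticated_layouts_hits(log_text: str) -> List[Finding]:
    """Return 2xx requests to /_layouts/ pages whose cs-username is '-' (no user)."""
    hits = []
    for row in parse_w3c(log_text.splitlines()):
        uri = row["cs-uri-stem"].lower()
        status = int(row["sc-status"])
        if "/_layouts/" in uri and row["cs-username"] == "-" and 200 <= status < 300:
            hits.append(Finding(row["time"], row["c-ip"], row["cs-method"], uri, status))
    return hits
```

Feed real log files to `find_unauthenticated_layouts_hits` and forward the findings to the SIEM; on farms that do serve anonymous sites, narrow the URI condition to the management pages that should never be reachable without a logged-in user.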
Global Security Implications
This incident is not just a Microsoft issue—it reveals a global cybersecurity governance challenge, where:
- Vendor-trusted partners might become insider threats.
- Exploit timelines can outpace patch adoption.
- Nation-states weaponize legitimate disclosures faster than ever before.
As threat actors increasingly weaponize disclosed vulnerabilities, governments and enterprises must reassess the balance between transparency and operational risk.
Conclusion
The Microsoft SharePoint vulnerability incident is a wake-up call for global cybersecurity infrastructure. The suspected leak from MAPP and the precision of exploitation by advanced Chinese threat groups reveal the fragile trust ecosystem between tech vendors, researchers, and nation-states. While Microsoft continues its investigation, organizations must move quickly to patch, monitor, and reduce reliance on exposed platforms. In the age of supply chain attacks and insider risks, zero-day preparedness and careful sharing protocols have never been more important.
FAQs
What is the Microsoft MAPP program?
The Microsoft Active Protections Program (MAPP) is a partnership initiative where Microsoft shares early vulnerability information with trusted security vendors to help them prepare defensive measures before public disclosure.
What vulnerabilities in SharePoint were exploited?
Attackers exploited authentication bypass flaws in Microsoft SharePoint that allowed them to steal cryptographic machine keys and execute remote code on servers.
Who discovered the SharePoint vulnerability initially?
The vulnerability was first demonstrated by Vietnamese researcher Dinh Ho Anh Khoa at the Pwn2Own 2025 cybersecurity conference in Berlin.
When did Microsoft notify MAPP partners about the flaw?
MAPP partners were alerted in waves—on June 24, July 3, and July 7. Notably, Microsoft detected exploitation starting July 7.
What is ToolShell?
ToolShell is the name of the sophisticated exploit chain that allows attackers to gain access and maintain persistence on SharePoint servers using stolen cryptographic keys.
Who are the threat actors behind the attack?
Microsoft attributed the campaign to three Chinese state-sponsored groups: Linen Typhoon, Violet Typhoon, and Storm-2603.
Was the U.S. National Nuclear Security Administration affected?
Yes, the NNSA was one of the high-profile victims, although officials stated that no classified data was compromised.
How many organizations were impacted?
More than 400 organizations across government, education, energy, and private sectors globally were affected by this campaign.
What is the risk of leaking vulnerability information?
Premature disclosure can allow malicious actors to exploit the vulnerabilities before companies have a chance to patch systems, resulting in zero-day attacks.
How did Eye Security detect the attack?
Eye Security monitored unusual SharePoint activity and reported four waves of exploitation across hundreds of systems.
Has MAPP experienced leaks before?
Yes. In 2012 and more recently in 2020, Microsoft removed Chinese firms from MAPP for leaking vulnerability data.
What’s Microsoft’s response to the leak?
Microsoft confirmed it is reviewing the incident and pledged to improve its partner program security and protocols.
What does the Chinese government say?
The Chinese Embassy denied involvement and criticized any allegations of state-sponsored hacking as politically motivated.
What is a cryptographic machine key?
It is a sensitive key used by systems to encrypt data. If stolen, attackers can impersonate services or maintain persistent access.
How can organizations protect against such exploits?
Regular patching, restricting external SharePoint access, and monitoring authentication logs can help reduce the attack surface.
Are cloud services more secure in this case?
The U.S. Department of Energy reported minimal impact due to its adoption of Microsoft’s cloud infrastructure.
What sectors were targeted in the attack?
Government, education, energy, and commercial sectors across North America, Europe, and Asia were targeted.
Could this impact Microsoft's reputation?
Yes, if the leak is confirmed, it would undermine trust in Microsoft’s MAPP and its ability to protect pre-disclosure information.
How does this exploit maintain persistence even after patching?
Because attackers stole cryptographic keys, they could maintain access even after the vulnerability was fixed, unless keys were rotated.
Is this a zero-day vulnerability?
It was a zero-day at the time of exploitation, as attackers used it before the public had access to Microsoft’s patches.
What is the purpose of the Pwn2Own conference?
It is a prestigious cybersecurity contest where researchers demonstrate new zero-day vulnerabilities to responsibly disclose them.
How much did the researcher earn for the discovery?
Dinh Ho Anh Khoa earned $100,000 for demonstrating the SharePoint vulnerability.
What is the U.S. Entity List?
It’s a trade restriction list of companies the U.S. deems a threat to national security or foreign policy.
What security firm first reported the exploit?
Eye Security was the first to identify and report the active SharePoint exploit campaign.
Could this exploit be used for espionage?
Yes, access to sensitive SharePoint servers could allow data exfiltration, lateral movement, and long-term surveillance.
Was the vulnerability publicly known before the attacks?
No. It was known only to Microsoft and MAPP partners until patches were released, which is why a leak is suspected.
Did Microsoft delay the patch release?
Microsoft issued initial patches in July, shortly after internal alerts and external signs of exploitation.
Are machine keys normally rotated?
Not always, which is why their compromise can be particularly damaging if not addressed during incident response.
How do attackers bypass SharePoint authentication?
The attackers exploited logic flaws in the authentication process that allowed them to impersonate trusted users.
How quickly was the vulnerability exploited after MAPP notifications?
Microsoft observed exploit attempts on the very day of the final notification wave—July 7, 2025.
What lessons can be learned from this incident?
Vulnerability disclosure programs need stricter controls, and organizations must patch rapidly while monitoring for early exploitation signs.