
Are SharePoint Servers Under Attack? What You Must Do Right Now About This Security Crisis

What Security Experts Want You to Know About the SharePoint Attack Wave

SharePoint servers worldwide face massive danger. More than 400 companies have been hit. Hackers use special tools to break in without permission. This is not a small problem. It’s a big security crisis happening right now.

The bad news is simple. Hackers found secret ways to attack SharePoint servers. These attacks started on July 17, 2025. Within days, the problem grew huge. Now more than 400 organizations suffer from these attacks.

Understanding What Happened – The ToolShell Attack

Security experts call this attack “ToolShell”. The name comes from how hackers use these special tools to break into computers. Four main problems make these attacks work:

  • CVE-2025-53770 – Lets hackers run bad code on your server
  • CVE-2025-53771 – Helps hackers trick your system into thinking they belong there
  • CVE-2025-49704 – Another way to run harmful programs
  • CVE-2025-49706 – Helps hackers pretend to be someone else

These problems only affect SharePoint servers you run yourself (on-premises). The cloud version, SharePoint Online in Microsoft 365, stays safe.

Who Got Hit and How Bad Is It?

The attack wave targeted important places. Government offices, schools, and big companies suffered damage. Some victims include:

  • US Nuclear Weapons Agency
  • US Education Department
  • Florida Department of Revenue
  • Rhode Island General Assembly

Most attacks happened in the United States and Germany. But hackers hit targets all around the world.

The Dangerous Groups Behind These Attacks

Three main groups of Chinese hackers cause these problems:

Linen Typhoon

This group has been stealing secrets from government and defense companies since 2012. They focus on taking important information about how countries protect themselves.

Violet Typhoon

These hackers have targeted news companies, schools, and health organizations since 2015. They want to spy on important people and steal their private information.

Storm-2603

This group causes the most worry because they use Warlock ransomware. They break into computers and lock all the files. Then they ask for money to unlock them.

What Makes This Attack So Dangerous

The ToolShell attack scares security experts for many reasons:

Bypasses All Protection

Hackers can skip past multi-factor authentication and single sign-on systems. These normally keep bad people out. But this attack goes around them completely: it works before anyone logs in, so those checks never get a chance to run.

Deep System Access

Once inside, hackers can reach everything connected to SharePoint. This includes email, file storage, and team chat systems. They basically get keys to your whole digital office.

Memory-Based Attacks

New versions of this attack work directly in computer memory. This makes them much harder to find and stop. Traditional security tools miss these attacks.

Fast Spreading

ESET Research found attacks coming from 19 different internet addresses. The attacks happen very quickly across many countries at the same time.

How Hackers Break In – The Attack Steps

The attack follows a clear pattern that security experts can track:

  1. Find Target – Hackers look for SharePoint servers connected to the internet
  2. Break Authentication – They send fake requests to trick the login system
  3. Run Bad Code – Once inside, they install their own programs
  4. Steal Keys – They grab secret codes that let them come back later
  5. Install Backdoors – They create hidden ways to return even after you fix the problem
  6. Deploy Ransomware – Some groups lock your files and demand money

Immediate Actions You Must Take Now

If you run SharePoint servers, do these things today:

Critical First Steps

  1. Take servers offline until you can update them safely
  2. Apply Microsoft’s emergency patches immediately
  3. Check for compromise using the detection methods below
  4. Rotate machine keys and restart your web services
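Step 4 as a script, added here as an example (it is not from the article or from Microsoft's own guidance text): it rotates the ASP.NET machine key for every web application in the farm, Central Administration included, and then restarts IIS. It assumes a supported SharePoint version with the Microsoft.SharePoint.PowerShell snap-in and the Update-SPMachineKey cmdlet (assumed name and parameter), and it belongs after step 2, because new keys on an unpatched server can be stolen again.

```powershell
# Added example: rotate machine keys on every web application, then restart IIS.
# Assumes SharePoint 2016/2019/Subscription Edition with the
# Microsoft.SharePoint.PowerShell snap-in; run from an elevated prompt
# on one server in the farm, after the security update is installed.
if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
}

# Central Administration has its own machine key, so include it explicitly
$webApps = Get-SPWebApplication -IncludeCentralAdministration
foreach ($wa in $webApps) {
    Write-Host "Rotating machine key for $($wa.DisplayName) ($($wa.Url))"
    # Assumed cmdlet behaviour: generates a new key and schedules the timer job
    # that pushes it to every server in the farm; confirm in your version's docs
    Update-SPMachineKey -WebApplication $wa
}

# Tokens built from a stolen key keep working until the worker processes
# reload the new key, so restart IIS on every server once the job has run
iisreset.exe /noforce
```

Run `iisreset.exe /noforce` on each remaining server in the farm after the timer job has finished there.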

Look for These Warning Signs

Security experts provide specific things to watch for:

File Names to Find

  • spinstall0.aspx, spinstall1.aspx, spinstall2.aspx
  • ghostfile346.aspx, ghostfile399.aspx
  • debug_dev.js

Network Addresses to Block

  • 131.226.2.6, 134.199.202.205
  • update.updatemicfosoft.com
  • 65.38.121.198
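A hunt for exactly these indicators, added here as an example (it is not the article's or any vendor's script): it searches the SharePoint hive and IIS virtual directories for the listed file names, greps the IIS logs since 17 July 2025 for the listed addresses and names, and checks live connections and the DNS cache. The paths are assumed defaults for SharePoint 2016, 2019 and Subscription Edition, and the report file name is my own choice. A clean result only means these particular indicators are absent; a renamed copy of the same web shell would not match, so treat this as one check among several.

```powershell
# Added example: hunt for the file names and network indicators listed above.
# Run in an elevated PowerShell on each on-premises SharePoint server.
# Paths are assumed defaults for SharePoint 2016/2019/SE; adjust for your farm.
$FileNames = 'spinstall0.aspx','spinstall1.aspx','spinstall2.aspx',
             'ghostfile346.aspx','ghostfile399.aspx','debug_dev.js'
$BadHosts  = '131.226.2.6','134.199.202.205','65.38.121.198','update.updatemicfosoft.com'
$WebRoots  = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16',
             'C:\inetpub\wwwroot\wss\VirtualDirectories'
$IisLogs   = 'C:\inetpub\logs\LogFiles'
$Since     = Get-Date -Date '2025-07-17'   # first day of the attack wave

$hits = @()

# 1. Dropped files: exact name match anywhere under the SharePoint web roots
foreach ($root in ($WebRoots | Where-Object { Test-Path $_ })) {
    $hits += Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $FileNames -contains $_.Name } |
        ForEach-Object { "FILE  $($_.FullName)  created $($_.CreationTime)" }
}

# 2. IIS logs since 17 July: requests from a listed address or touching a listed file
$pattern = (($FileNames + $BadHosts) | ForEach-Object { [regex]::Escape($_) }) -join '|'
$hits += Get-ChildItem -Path $IisLogs -Recurse -Filter '*.log' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $Since } |
    Select-String -Pattern $pattern |
    ForEach-Object { "LOG   $($_.Path):$($_.LineNumber)  $($_.Line)" }

# 3. Live connections to the listed IPs, and cached DNS answers for the look-alike domain
$badIps = $BadHosts | Where-Object { $_ -match '^\d{1,3}(\.\d{1,3}){3}$' }
$hits += Get-NetTCPConnection -ErrorAction SilentlyContinue |
    Where-Object { $badIps -contains $_.RemoteAddress } |
    ForEach-Object { "NET   $($_.RemoteAddress):$($_.RemotePort) PID $($_.OwningProcess) ($($_.State))" }
$hits += Get-DnsClientCache -ErrorAction SilentlyContinue |
    Where-Object { $_.Entry -like '*updatemicfosoft.com*' } |
    ForEach-Object { "DNS   $($_.Entry) -> $($_.Data)" }

# Empty pipelines add $null entries above, so drop them before deciding
$hits = @($hits | Where-Object { $_ })
if ($hits.Count -gt 0) {
    $hits | ForEach-Object { Write-Warning $_ }
    # Keep a copy: responders want the timeline, not just the verdict
    $hits | Out-File -FilePath "$env:TEMP\toolshell-hunt-$(Get-Date -Format yyyyMMdd-HHmm).txt"
} else {
    Write-Host 'None of the listed ToolShell indicators were found on this server.'
}
```

Any hit in section 1 or 2 means "assume compromise" (key takeaway 3 below applies): preserve the file and the log rather than deleting it, and rotate the machine keys again after cleanup.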

Advanced Protection Steps

  1. Enable Microsoft Defender with full scanning mode
  2. Turn on attack surface reduction rules
  3. Use endpoint detection tools to catch suspicious activity
  4. Monitor network traffic for the bad internet addresses listed above
  5. Check Group Policy changes that might spread ransomware

Protection Strategy for the Future

Short-term Defense

  • Keep only supported SharePoint versions (2016, 2019, or Subscription Edition)
  • Install security updates as soon as Microsoft releases them
  • Use strong antivirus software on all SharePoint servers
  • Monitor systems closely for suspicious activity

Long-term Security Planning

  • Consider moving to SharePoint Online if possible (it’s not affected)
  • Create isolated network segments for critical servers
  • Develop incident response plans for future attacks
  • Train staff to recognize security threats

This attack shows how modern cyber warfare works. State-sponsored groups and criminals work together. They share tools and techniques. When one group finds a weakness, many others use it quickly.

The ToolShell attack demonstrates that no organization is too small or too big to be targeted. Government agencies, schools, and private companies all face the same risks.

The message is clear: Update your systems now. The cost of prevention is much less than the cost of recovery after an attack.

Key Takeaways for System Administrators

  1. Act fast – Over 400 organizations already suffered damage
  2. Follow Microsoft’s guidance exactly as written
  3. Assume compromise if your servers were exposed to the internet recently
  4. Plan for recovery in case you find evidence of attack
  5. Stay informed about new developments in this ongoing situation

The SharePoint security crisis requires immediate attention from everyone who manages these systems. The threat is real, the attacks are happening now, and the consequences can be severe. Take action today to protect your organization from becoming the next victim in this global cyber attack campaign.