400 organizations hit in Microsoft SharePoint attack

A cyber-espionage campaign flagged by Eye Security is exploiting an incomplete patch in Microsoft’s SharePoint software, allowing attackers to breach vulnerable servers, with evidence of widespread, ongoing intrusions based on digital traces

A large-scale cyber-espionage operation targeting unpatched versions of Microsoft SharePoint Server has compromised approximately 400 organizations worldwide, according to new findings from Netherlands-based cybersecurity firm Eye Security.

The campaign, initially flagged by Eye Security, exploits a security loophole in Microsoft's SharePoint software. Although Microsoft had issued a patch, researchers say the fix was incomplete, leaving many systems exposed. Attackers have been able to infiltrate vulnerable servers using this flaw, with signs pointing to sustained exploitation over recent months.

Vaisha Bernard, Chief Hacker at Eye Security, confirmed the tally is based on traces left behind on compromised servers. “The real number of victims is likely higher, as many attack methods leave no detectable evidence,” Bernard stated. Over the weekend, the victim count stood at around 100 organizations, but ongoing scans have quadrupled that estimate.

While the identities of the affected entities remain undisclosed, the scale of the breach has raised alarms across industry and government sectors. Tech giants Microsoft and Alphabet (Google’s parent company) have attributed the activity to China-linked threat actors—a claim that Beijing has strongly denied.

The full extent of the damage remains unclear, and investigations are ongoing. Cybersecurity experts warn that organizations using outdated SharePoint installations should act urgently to secure their systems.