Microsoft scales back Chinese firms’ access to cybersecurity program after SharePoint attacks
2025-08-21
Microsoft stressed that, to safeguard its cybersecurity vulnerability-sharing program, it closely monitors MAPP participants and enforces strict compliance by reviewing, suspending, or removing members found violating contracts, which explicitly forbid involvement in offensive cyber operations.
Microsoft has scaled back certain Chinese companies’ participation in its cybersecurity early-warning program, amid growing concerns that sensitive information may have been misused in recent hacking attempts targeting its widely deployed SharePoint servers.
The move follows a wave of cyberattacks reported last month against SharePoint, which Microsoft and several security researchers have linked to state-backed actors in China. Although Beijing has denied any involvement, the incidents raised alarm within the cybersecurity community about the possible misuse of data shared through the Microsoft Active Protections Program (MAPP).
Restrictions follow SharePoint attacks
MAPP is designed to give trusted global security partners early insights into software vulnerabilities, allowing them to strengthen customer defenses before public disclosures are made. However, speculation intensified when it was revealed that Microsoft informed program members of SharePoint flaws on June 24, July 3, and July 7 — with exploitation attempts first detected on the very same day as the final notification. Experts suggested that an insider within the program may have leaked or misused the information, fueling the surge in attacks.
In response, Microsoft confirmed it had restricted several Chinese firms from receiving “proof-of-concept code” — technical samples that mimic the behavior of real-world malicious software. While such code is intended to help defenders test and secure systems quickly, it can also be weaponized by attackers to accelerate exploitation efforts.
Stricter oversight of security partners
The company emphasized that it actively monitors participants in MAPP and enforces strict compliance measures. “We continuously review participants and suspend or remove them if we find violations of their contract, which explicitly prohibits involvement in offensive cyber operations,” Microsoft said in a statement.
Microsoft declined to identify the firms affected or disclose details of its ongoing investigation. The decision highlights the growing tension between global collaboration in cybersecurity and the risks of insider misuse, particularly in regions where cyberattacks are frequently attributed to state-linked groups.
The restrictions mark one of the most visible steps taken by Microsoft to safeguard its vulnerability-sharing network, underscoring the delicate balance between enabling rapid defensive action and preventing potential exploitation.