Microsoft has issued an urgent security alert following the discovery of ongoing cyberattacks targeting SharePoint servers used by government agencies and enterprises for internal document sharing.
The company said it is responding to “active attacks” that exploit a previously unknown vulnerability—a so-called “zero day” flaw—in on-premises versions of SharePoint, placing tens of thousands of servers at risk worldwide.
The company clarified that SharePoint Online, the cloud-based offering in Microsoft 365, is not affected by this wave of attacks. Only on-premises installations are vulnerable, making government bodies and businesses that rely on locally hosted infrastructure prime targets for the threat actors.
The company has coordinated extensively with CISA, the US Department of Defense’s Cyber Defense Command, and global cybersecurity partners to address the issue, a Microsoft spokesperson said, emphasizing the need for customers to immediately install the latest security updates.
The Federal Bureau of Investigation noted on Sunday it is aware of the campaign and is collaborating closely with both federal and private-sector partners, though it did not disclose further details as the probe continues.
According to The Washington Post, which broke the story, unidentified hackers have exploited the flaw in recent days to target agencies and organizations across the United States and abroad.
The attack method relies on a “spoofing” vulnerability, which enables an authorized threat actor to masquerade as a trusted user or system on the network—potentially manipulating sensitive government or financial operations by concealing their true identity.
Microsoft underscored that customers unable to enact the recommended malware protections should disconnect vulnerable servers from the internet until a patch is applied. The company is working on updates for affected versions, including SharePoint 2016 and 2019.
