SharePoint flaw: Microsoft says hackers deploying ransomware
Fallout from the serious zero-day SharePoint vulnerability continues with Microsoft warning about ransomware attacks


Microsoft has warned that hackers are making use of the zero-day SharePoint flaw to distribute ransomware, adding an extra risk to the serious vulnerability.
The SharePoint flaw, known as "ToolShell", was spotted over the weekend, sparking an immediate patch from Microsoft — initially only for some versions of the server software, though all supported versions are now protected — amid concerns that hackers were already taking advantage of the vulnerability.
According to Eye Security, the security company that first spotted the flaw, at least 400 SharePoint servers were compromised of the 23,000 scanned as of yesterday. US government agencies were among known victims, though the National Cyber Security Centre said it had so far seen limited hacks in the UK.
Now, Microsoft has warned via an update to its running blog on the incident that it has seen a hacking group known as Storm-2603, believed to be based in China, using the SharePoint flaw to infect servers with ransomware.
"Expanded analysis and threat intelligence from our continued monitoring of exploitation activity by Storm-2603 leading to the deployment of Warlock ransomware," Microsoft said in the post.
Microsoft added that further attacks are expected until users are fully patched. "With the rapid adoption of these exploits, Microsoft assesses with high confidence that threat actors will continue to integrate them into their attacks against unpatched on-premises SharePoint systems," the post added.
SharePoint targeted by Chinese hackers
Microsoft admitted that as early as 7 July it had seen hackers trying to exploit the SharePoint flaws in order to target organisations.
That included Storm-2603 as well as Chinese state actors Linen Typhoon and Violet Typhoon, the company said, noting those latter hacking groups have focused on government targets by making use of known exploits.
When it comes to Storm-2603, Microsoft said it wasn't clear whether the group was actually based in China, but said it appeared to focus on stealing MachineKeys using on-premises SharePoint vulnerabilities.
"Although Microsoft has observed this threat actor deploying Warlock and Lockbit ransomware in the past, Microsoft is currently unable to confidently assess the threat actor’s objectives," the company said. "Starting on July 18, 2025, Microsoft has observed Storm-2603 deploying ransomware using these vulnerabilities."
China denied any involvement in a statement reported by Reuters.
Microsoft said attacks were happening beyond these hacking groups: "Investigations into other actors also using these exploits are still ongoing."
Kevin Robertson, CTO at Acumen Cyber, said in a statement sent to ITPro that ransomware could be used by criminals seeking a ransom but also by state actors with other motives.
"This highlights that it's not just state sponsored threat actors benefiting from this dangerous vulnerability," he said. "Money-motivated attackers are also jumping on the bandwagon."
He added: "However, some state sponsored attackers will also be using ransomware. They could be conducting reconnaissance on networks and then when they have what they need, dropping ransomware to cause further chaos for victims."
Patch failure
The original "ToolShell" flaw impacting SharePoint was first spotted in May at a Trend Micro ethical hacking competition called Pwn2Own, for which a researcher at Viettel earned $100,000.
Trend Micro's Zero-Day Initiative posted on 16 May: "Dinh Ho Anh Khoa combined an auth bypass and an insecure deserialization bug to exploit Microsoft SharePoint. He earns $100,000 and 10 Master of Pwn points."
Microsoft subsequently rolled out a patch for the flaw via an 8 July security update. However, ten days later, the patch appeared to have been bypassed by hackers.
Acumen's Robertson said that Microsoft's "negligence with the initial patch left organizations completely exposed." He added that this set of flaws could haunt SharePoint users for a long time. "Let's hope Microsoft does a better job next time and upholds its responsibility to protect its expansive customer base," he added.
After the second wave of attacks suggested a patch failure, Microsoft pushed out another update. At first, it only applied to SharePoint 2019, but is now available for SharePoint 2016 as well.
Microsoft said: "Customers should apply these updates immediately to ensure they are protected." The company added that customers should address the authentication side of the attacks with Antimalware Scan Interface and Microsoft Defender Antivirus or equivalent solutions for all on-premises SharePoint instances, with full details of necessary mitigations in its blog post.
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.