Microsoft recently revealed that Chinese state-sponsored hackers exploited vulnerabilities in its collaboration software SharePoint to access the computer systems of hundreds of companies and government agencies including the National Nuclear Security Administration and the Department of Homeland Security. However, the company did not mention that support for SharePoint is handled by a China-based engineering team, which has been maintaining the software for years.
Previous reports stated that the cyberattack exploited a previously unknown “zero-day” vulnerability in Microsoft SharePoint on-premises servers, making thousands of businesses, government agencies, and other organizations vulnerable.
A report by cybersecurity firm Sophos stated that attackers used the same payload across all targeted servers, highlighting a coordinated effort likely managed by one actor. The hack used by these actors was called a “zero-day attack” by experts because it targeted a previously unknown vulnerability. Microsoft said that the vulnerability allows an authorized attacker to perform spoofing over a network, and it issued recommendations to stop the attackers from exploiting it.
Microsoft later said that Chinese hacking groups were responsible for the attack. On Monday, Charles Carmakal, technology chief of the Google-owned Mandiant cybersecurity consulting group, said in a LinkedIn post that “we assess that at least one of the actors responsible for the early exploitation is a China-nexus threat actor.”
On Sunday, the U.S. Cybersecurity and Infrastructure Security Agency said it was “aware of active exploitation” of the vulnerability, and Microsoft rolled out patches for two versions of its on-premises SharePoint releases. The software company issued a fix for a third version on Monday.
A ProPublica report revealed Microsoft’s use of a Chinese team for maintaining SharePoint after it viewed screenshots of Microsoft’s internal work-tracking system that showed China-based employees recently fixing bugs for SharePoint “OnPrem,” the version of the software involved in last month’s attacks. The term, short for “on premises,” refers to software installed and run on customers’ own computers and servers.
Microsoft said the China-based team “is supervised by a U.S.-based engineer and subject to all security requirements and manager code review. Work is already underway to shift this work to another location.”
While it is unclear if Microsoft’s team in China had a role in the hacks, experts have said allowing China-based personnel to perform technical support and maintenance on U.S. government systems can pose major security risks. Chinese law gives the country’s officials broad authority to collect data, and experts say it is difficult for any Chinese citizen or company to meaningfully resist a direct request from security forces or law enforcement. China has been labelled the “most active and persistent cyber threat to U.S. Government, private-sector, and critical infrastructure networks,” by the Office of the Director of National Intelligence.
The U.S. Cybersecurity and Infrastructure Security Agency confirmed that SharePoint vulnerabilities enable hackers to “fully access SharePoint content” and execute malicious code.
This revelation follows previous ProPublica reports that Microsoft relied on foreign workers, including those based in China, to maintain the Defense Department’s cloud systems.
In response, Defense Secretary Pete Hegseth launched a review of tech companies’ use of engineers based overseas, while senators across party lines demanded further information about Microsoft’s practices. Microsoft responded to the report saying it had halted its use of China-based engineers to support Defense Department cloud computing systems, and that it was considering the same change for other government cloud customers.