At NR Labs, our team of cybersecurity specialists conducts rigorous penetration testing (pentesting) and threat analysis for organizations worldwide. We've observed and mitigated numerous exploits in Microsoft environments, and the recent global attack on SharePoint servers underscores a persistent risk we've encountered repeatedly. Hackers have exploited a severe flaw in on-premises Microsoft SharePoint software, compromising government agencies, businesses, universities, energy companies, and an Asian telecommunications firm. This advisory draws from our frontline experiences to highlight the attack details, its implications, and enhanced recommendations—particularly emphasizing hostname-based scanning to avoid common oversights behind load balancers or reverse proxies.
This zero-day vulnerability—unknown until exploited—has affected tens of thousands of SharePoint servers used for document management and collaboration. Unlike cloud services such as Microsoft 365, on-premises installations are vulnerable if exposed. Attackers have breached systems globally, accessing sensitive data, Outlook email integrations, Teams, and cryptographic keys that enable persistent access even after patching.
Our analysis aligns with reports from industry peers: breaches span U.S. federal and state agencies, European governments, a Brazilian university, a Spanish agency, and a local office in Albuquerque. In one case, attackers seized a public document repository in an eastern U.S. state, potentially deleting files and locking out access. While "wiper" tactics are uncommon here, most incidents involve data theft and key exfiltration, as noted by firms like Eye Security.
Security providers such as CrowdStrike and Palo Alto Networks' Unit 42 report thousands of exploitation attempts, with confirmed compromises in dozens of organizations. "Any hosted SharePoint server is at risk—it's a major vulnerability," states Adam Meyers of CrowdStrike. The FBI is coordinating with partners in Canada and Australia, while CISA, alerted Friday, works with Microsoft despite resource constraints from 65% cuts to threat-intelligence teams.
Microsoft's response includes an initial recommendation to isolate servers, followed by a partial patch release Sunday evening for one version; two others remain unpatched. This incident echoes Microsoft's prior issues, including the 2023 Chinese email hack and cloud service flaws. Here is Microsoft's July 20, 2025 statement.
In our pentesting engagements, we've frequently uncovered vulnerabilities like the 2019 SharePoint flaw (CVE-2019-0604) that earlier scans had missed because they targeted IP addresses only. A scan aimed at the IP address stops at the load balancer or reverse proxy that answers on that address, and teams assume the server behind it is protected; sending the same request with the SharePoint server's own hostname routes it through to the backend and reveals the true exposure. This current zero-day, involving deserialization in workflow components, follows a similar pattern: crafted requests can lead to code execution, privilege escalation, and network-wide compromise.
Real-world grit from our labs: During a previous enterprise pentest, IP-based scans showed no issues, but hostname probing (e.g., intranet.domain.com) exposed an unpatched 2019 vuln, enabling simulated domain takeover. We've seen this in multiple assessments—organizations overlook it, turning a fixable gap into a breach vector. With stolen keys, patches alone won't evict intruders, as one anonymous researcher highlighted: "A Monday patch doesn't help if compromised over the weekend."
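As an added illustration of the hostname-versus-IP blind spot described above (example code written for this advisory, not NR Labs tooling or Microsoft's): the Python script below stands up a local HTTP server that plays the role of a reverse proxy routing on the HTTP Host header, then probes it once by bare IP and once per hostname, and reports which hostnames a per-IP scan would never have reached. The hostnames intranet.example.com and www.example.com, the routing table, and the version value in the MicrosoftSharePointTeamServices header are constructed for the demo; the header name itself is the one SharePoint returns.

```python
"""Scan-coverage check for SharePoint behind a load balancer or reverse proxy.

Added example, not NR Labs code. A proxy routes on the Host header, so a
request addressed to the bare IP lands on a default backend while the same
request carrying the SharePoint hostname reaches SharePoint. An IP-only scan
therefore reports "nothing here" for a host that is actually exposed.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed virtual-host table standing in for the proxy's routing rules.
# The header name is the real SharePoint banner; the version value is made up.
VHOSTS = {
    "intranet.example.com": (200, {"MicrosoftSharePointTeamServices": "16.0.0.10000"}),
    "www.example.com": (200, {"Server": "nginx"}),
}
# What a request with no recognised Host header gets (typical proxy default).
DEFAULT_BACKEND = (404, {"Server": "nginx"})


class ProxyStandIn(BaseHTTPRequestHandler):
    """Minimal server that answers based only on the Host header."""

    def do_GET(self):
        host = self.headers.get("Host", "").split(":")[0]
        status, headers = VHOSTS.get(host, DEFAULT_BACKEND)
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the demo output quiet
        pass


def start_proxy():
    """Bind the stand-in proxy on an ephemeral loopback port and serve in the background."""
    srv = HTTPServer(("127.0.0.1", 0), ProxyStandIn)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def probe(ip, port, hostname=None):
    """Connect to the IP and send GET / with an explicit Host header.

    Returns (status, sharepoint_version); the version is None unless the
    response carries the MicrosoftSharePointTeamServices header.
    """
    conn = http.client.HTTPConnection(ip, port, timeout=5)
    conn.putrequest("GET", "/", skip_host=True)
    conn.putheader("Host", hostname or ip)  # bare IP == what an IP-only scanner sends
    conn.endheaders()
    resp = conn.getresponse()
    version = resp.getheader("MicrosoftSharePointTeamServices")
    conn.close()
    return resp.status, version


def scan_targets(hostnames, resolve):
    """Group inventory hostnames by resolved IP; every hostname stays its own target.

    In real use pass resolve=socket.gethostbyname; the demo passes a stub.
    """
    by_ip = {}
    for name in hostnames:
        by_ip.setdefault(resolve(name), []).append(name)
    return by_ip


def coverage_report(by_ip, port, probe_fn=probe):
    """Compare the IP-only probe with per-hostname probes for each IP."""
    findings = []
    for ip, names in by_ip.items():
        ip_status, ip_version = probe_fn(ip, port)
        for name in names:
            status, version = probe_fn(ip, port, name)
            findings.append({
                "ip": ip,
                "hostname": name,
                "ip_only_status": ip_status,
                "hostname_status": status,
                "sharepoint_version": version,
                # SharePoint answered for the hostname but not for the bare IP.
                "missed_by_ip_scan": version is not None and ip_version is None,
            })
    return findings


if __name__ == "__main__":
    srv = start_proxy()
    port = srv.server_address[1]
    # Both constructed hostnames resolve to the same proxy address.
    targets = scan_targets(["intranet.example.com", "www.example.com"], lambda h: "127.0.0.1")
    for finding in coverage_report(targets, port):
        print(finding)
    srv.shutdown()
```

Running the script prints one finding per hostname; the intranet entry shows a 404 for the bare-IP probe, a 200 with the SharePoint banner for the hostname probe, and `missed_by_ip_scan: True`. Against a real inventory, replace the stub resolver with `socket.gethostbyname` and feed the proxy's public address and port; any IP that collects several hostnames is a load balancer or reverse proxy and needs a scan per hostname, not per address.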
Drawing from our expertise, NR Labs advises the following to detect and respond effectively:
This global incident highlights a scramble across sectors, from Arizona's statewide assessments to international responses. At NR Labs, we've mitigated similar threats in live environments, and our message is clear: Don't let proxy blind spots miss critical vulns—prioritize hostname scanning today. For tailored assessments or support, contact our team. Stay secure.