A fresh wave of cyberattacks has emerged, with Microsoft sounding the alarm over a new threat aimed at SharePoint servers. A sophisticated Chinese threat group, identified as Storm-2603, is actively exploiting recently patched vulnerabilities in SharePoint systems, triggering a global surge in ransomware incidents.
The attacks are part of a broader campaign that has compromised hundreds of systems. Microsoft has discovered more than 420 SharePoint servers exposed to the internet, many of which remain unprotected despite the release of patches for a critical exploit chain known as ToolShell. According to Shadowserver, the majority of these systems are still vulnerable.
Once attackers gain access, they waste no time. Using post-exploitation tools such as Mimikatz, they extract user credentials directly from memory. The attackers then move laterally through the network using tools such as PsExec and Impacket, often modifying Group Policy settings to maintain control. Ransomware such as Warlock and LockBit is deployed swiftly, often within a few steps of initial entry.
Security firm Eye Security reports that at least 400 servers have already been infected, with 148 organizations confirmed as victims. These include high-profile targets such as federal agencies, the U.S. National Nuclear Security Administration, the Department of Education, and state and national bodies across Europe and the Middle East.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urgently flagged a key vulnerability tied to the campaign (CVE-2025-53770) and instructed all federal agencies to patch affected systems within 24 hours. Security researchers warn that some systems may have been quietly compromised for weeks. Although Microsoft hasn’t provided figures on data theft, the speed and scale of the operation suggest attackers acted quickly once the vulnerabilities became known.
The attack chain is straightforward but highly effective: scan the internet for unpatched SharePoint servers, exploit known flaws, steal credentials, install backdoor tools, and deploy ransomware via scripted commands. Microsoft has advised all organizations using on-premises SharePoint to apply the latest security updates immediately and follow enhanced hardening steps available on its security blog.