Microsoft Corporation has initiated an investigation into whether a breach within its Microsoft Active Protections Program (MAPP) facilitated Chinese state-sponsored cybercriminals in exploiting critical SharePoint vulnerabilities. This alleged exploitation reportedly occurred before comprehensive security patches were widely implemented, according to individuals with knowledge of the situation.
This inquiry follows a series of widespread cyber espionage attacks that have infiltrated over 400 organizations globally, among them the U.S. National Nuclear Security Administration. The precise chronology of these intrusions has sparked considerable concern among cybersecurity professionals. Vietnamese researcher Dinh Ho Anh Khoa originally unveiled the SharePoint vulnerabilities in May at the Pwn2Own cybersecurity conference in Berlin, a discovery for which he was awarded $100,000.
While Microsoft released initial patches in July, MAPP partners had received prior notification of the vulnerabilities on June 24, July 3, and July 7. Significantly, Microsoft detected the initial exploit attempts on July 7, precisely coinciding with the final wave of MAPP notifications. Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative—a MAPP member company—stated, “The likeliest scenario is that someone in the MAPP program used that information to create the exploits.”
Dubbed “ToolShell” by researchers, the attack chain lets hackers bypass authentication controls and execute malicious code on SharePoint servers. A particularly dangerous aspect of this vulnerability is that it allows attackers to exfiltrate the server’s cryptographic machine keys, enabling them to retain persistent access even after patches have been applied unless those keys are also rotated.
Widespread Global Impact
This cyberattack campaign has impacted organizations across numerous sectors, with Microsoft linking the breaches to three Chinese hacking groups: Linen Typhoon, Violet Typhoon, and Storm-2603.
The National Nuclear Security Administration (NNSA), charged with designing and maintaining America’s nuclear weapons stockpile, was identified as a high-profile victim. Nevertheless, officials have stated that no classified information was compromised. A Department of Energy spokesperson confirmed that on Friday, July 18th, the Department of Energy, encompassing the NNSA, began experiencing effects from the exploitation of a Microsoft SharePoint zero-day vulnerability. The agency reported being “minimally impacted,” attributing this to its extensive reliance on Microsoft’s cloud services.
Eye Security, the cybersecurity firm credited with initially detecting these attacks, documented over 400 systems actively compromised across four distinct waves of exploitation. The victims encompass government agencies, educational institutions, energy companies, and private corporations, with a geographical reach extending from North America to Europe and Asia.
This is not the first time the MAPP program has been compromised. In 2012, Microsoft terminated the participation of Chinese firm Hangzhou DPtech Technologies Co. for violating its non-disclosure agreement by leaking proof-of-concept code for a Windows vulnerability. More recently, Qihoo 360 Technology Co. was removed from the program after its designation on the U.S. Entity List.
According to Bloomberg, at least a dozen Chinese companies currently participate in the 17-year-old MAPP program. This initiative furnishes cybersecurity vendors with advance notice of vulnerabilities, typically 24 hours prior to public disclosure, though some trusted partners receive information up to five days earlier.
A Microsoft spokesperson affirmed that the company would “review this incident, find areas to improve, and apply those improvements broadly” as part of its standard operational process. The spokesperson further underscored that partner programs continue to represent “an important part of the company’s security response.”
The Chinese Embassy in Washington has denied any involvement in the attacks. Foreign Ministry spokesman Guo Jiakun asserted that “China opposes and fights hacking activities in accordance with the law,” while simultaneously condemning “smears and attacks against China under the excuse of cybersecurity issues.”
The ongoing investigation underscores the precarious balance Microsoft must maintain: sharing critical vulnerability information with security partners while simultaneously preventing malicious actors from leveraging such advanced knowledge to expedite attacks. A confirmed leak would undoubtedly inflict a substantial blow to the MAPP program’s credibility and overall effectiveness.
As the probe continues, cybersecurity experts caution that the rapid weaponization of these vulnerabilities—progressing from discovery to mass exploitation in just over two months—serves as a stark demonstration of the evolving sophistication and accelerated pace of modern cyber threats.