Microsoft Probes MAPP Leak After Chinese Hackers Exploit SharePoint Flaws

Microsoft said today it is investigating whether a leak from its Active Protections Program (MAPP) let Chinese-linked hackers exploit critical SharePoint vulnerabilities before public patches rolled out.

Security researchers first demonstrated the key flaw at Trend Micro’s Pwn2Own conference in Berlin in May, when Viettel’s Dinh Ho Anh Khoa earned a $100,000 prize for responsibly disclosing the issue. Microsoft issued an initial patch in early July, but attackers began probing on-premises SharePoint servers as soon as July 7, just hours after select MAPP partners received vulnerability details.

In a blog post, Microsoft attributed the widespread hacks to two China-linked groups, “Linen Typhoon” and “Violet Typhoon,” plus a third actor tracked as Storm-2603. These teams used a spoofing and remote code-execution chain, which was dubbed “ToolShell,” to upload malicious ASP.NET web shells and extract machine-key data from on-prem SharePoint servers.

Microsoft now suspects someone in its early alert network misused confidential vulnerability data. The company said it will review MAPP controls, tighten partner vetting, and improve NDA enforcement to prevent future leaks. A spokesperson stressed that Microsoft “continually evaluates the security of all partner programs and applies improvements as needed”.

Most affected organizations run on-prem SharePoint Server editions (Subscription, 2019, 2016), which do not auto-update like SharePoint Online. Microsoft has urged admins to apply its emergency July 18 update, rotate ASP.NET machine keys, restart IIS, and hunt for indicators of compromise.
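The remediation steps above, as an added example that is not from the article or from Microsoft: a SharePoint Management Shell script for an on-prem farm server, run after the emergency update is installed. It assumes the Update-SPMachineKey cmdlet is available (SharePoint Server 2019 and Subscription Edition) and that SharePoint sits at its default install path.

```powershell
# Added example, not code from the article or from Microsoft. Assumptions:
# Update-SPMachineKey exists in this farm's version, and the LAYOUTS folder
# below is the default installation path. Run from an elevated shell.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue

# 1. Rotate the ASP.NET machine keys for every web application. Keys copied
#    off a compromised server stay valid until they are replaced, so patching
#    alone does not close this window.
foreach ($webApp in Get-SPWebApplication) {
    Write-Host "Rotating machine key for $($webApp.Url)"
    Update-SPMachineKey -WebApplication $webApp
}

# 2. Restart IIS so the worker processes load the new keys.
iisreset.exe

# 3. Hunting starting point: .aspx files written into the LAYOUTS directory
#    within the last 30 days. Files there normally arrive only with Microsoft
#    updates or known farm solutions, so anything recent and unfamiliar is
#    worth comparing against the official indicators of compromise.
$layouts = 'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
$cutoff  = (Get-Date).AddDays(-30)
Get-ChildItem -Path $layouts -Recurse -Filter '*.aspx' -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $cutoff } |
    Select-Object FullName, LastWriteTime, Length |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize
```

Step 3 is a triage aid, not a verdict: preserve anything suspicious for forensic review rather than deleting it, since the file itself is evidence of how and when the server was reached.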

The incident echoes a 2012 breach tied to a MAPP partner in Hangzhou, which led Microsoft to expel that firm for NDA violations. Now, amid rising state-sponsored cyber espionage, Microsoft faces pressure to shore up early-warning programs without undermining collaboration with trusted defenders. While Beijing denies involvement in hacking, Microsoft and Google both link the first wave of attacks to China-based actors.

Ultimately, Microsoft aims to balance rapid patch distribution with secure information sharing to ensure that advanced alerts empower defenders rather than tip off attackers. As enterprises rush to audit on-prem SharePoint deployments, the firm’s findings may reshape how early warning networks handle zero-day disclosures.
