Critical SharePoint Zero-Day Vulnerabilities Exploited in Global Attacks
In July 2025, on-premises Microsoft SharePoint Server was hit by widespread exploitation of two newly discovered zero-day vulnerabilities. The flaws, rated critical, gave unauthenticated attackers remote code execution and full administrative control of affected servers across a wide range of organizations. Attack campaigns began as early as July 7, affecting banks, universities, hospitals, government entities, and telecoms in North America and Europe. Cybersecurity agencies and Microsoft issued urgent warnings, emphasizing immediate patching followed by a check for prior compromise, since a server that was already backdoored stays exposed to the attacker after the patch is applied.
Technical Overview
The two SharePoint Server vulnerabilities carry CVSS scores of 9.8 and 7.1 respectively, underscoring the elevated risk they pose. The higher-rated flaw lets an unauthenticated attacker execute arbitrary code remotely; the lower-rated one is a companion bug chained with it to reach the vulnerable code path without valid credentials. According to threat intelligence, the attack chain was constructed to evade SharePoint's native authentication and request-validation checks, so the initial compromise produces few of the usual failed-login or malformed-request signals and is harder to detect before the attacker has a foothold. Affected systems were on-premises SharePoint Server deployments; Microsoft stated that SharePoint Online in Microsoft 365 was not affected, but integrated cloud environments remained at risk of follow-on access once an on-premises server was compromised.
Attack Details and Attribution
Security researchers identified three primary IP addresses coordinating the exploitation, one of which had been used earlier in the year in known weaponization campaigns against Ivanti Endpoint Manager Mobile. The earliest confirmed successful breaches occurred on July 7, with activity surging by mid-July against Western governmental and corporate entities. The post-exploitation payload was built to harvest the server's ASP.NET machine keys (the ValidationKey and DecryptionKey that sign and encrypt ViewState). With those keys an attacker can forge validly signed requests and regain code execution on the server even after it is patched, and can use that persistent foothold for lateral movement throughout the enterprise network.
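The two request patterns that responders published for this campaign, a POST to /_layouts/15/ToolPane.aspx?DisplayMode=Edit carrying a Referer of /_layouts/SignOut.aspx, and requests for the dropped spinstall0.aspx web shell, can be hunted for in IIS W3C logs. The script below is an added example written for this article, not code from the original page or from Microsoft; the log excerpt is constructed, and the list of web-shell file names is an assumption to be extended from current advisories.

```python
"""Scan IIS W3C logs for the SharePoint post-exploitation pattern described above.

Added example (not from the original page or from Microsoft). The indicators are
the ones published for this campaign: a POST to ToolPane.aspx?DisplayMode=Edit
with a Referer of /_layouts/SignOut.aspx, and requests for spinstall0.aspx.
"""

# Constructed IIS log excerpt for demonstration; these are not real events.
# IIS writes spaces inside User-Agent values as '+', so whitespace splitting
# is safe for the default W3C field layout used here.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 09:01:12 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CORP\\alice 10.0.1.20 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
2025-07-18 09:02:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) /_layouts/SignOut.aspx 200 0 0 310
2025-07-18 09:02:51 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 198.51.100.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 45
2025-07-18 09:03:10 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.1.31 Mozilla/5.0+(Windows+NT+10.0) https://sp.example.com/sites/hr/SitePages/Home.aspx 200 0 0 200
"""

# Web-shell file names reported in public analysis of the campaign (assumed
# list; extend it from the advisories you are working from).
WEB_SHELL_NAMES = frozenset({"spinstall0.aspx", "spinstall1.aspx", "spinstall.aspx"})


def parse_iis_log(text):
    """Return one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    rows = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#") or fields is None:
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed or non-default layout: skip rather than misattribute columns
        rows.append(dict(zip(fields, parts)))
    return rows


def find_toolshell_indicators(rows):
    """Return (timestamp, client_ip, reason) for every row matching either indicator."""
    hits = []
    for r in rows:
        method = r.get("cs-method", "").upper()
        stem = r.get("cs-uri-stem", "").lower()
        query = r.get("cs-uri-query", "").lower()
        referer = r.get("cs(Referer)", "").lower()
        when = f"{r.get('date', '')} {r.get('time', '')}"
        client = r.get("c-ip", "")
        # Indicator 1: the exploit POST. A normal page edit also POSTs to
        # ToolPane.aspx, so the SignOut.aspx Referer is what separates the two.
        if (method == "POST" and stem.endswith("/_layouts/15/toolpane.aspx")
                and "displaymode=edit" in query
                and referer.endswith("/_layouts/signout.aspx")):
            hits.append((when, client, "toolpane-edit-post-with-signout-referer"))
        # Indicator 2: any request for one of the dropped web-shell file names.
        elif stem.rsplit("/", 1)[-1] in WEB_SHELL_NAMES:
            hits.append((when, client, "request-for-known-webshell-name"))
    return hits


if __name__ == "__main__":
    for when, client, reason in find_toolshell_indicators(parse_iis_log(SAMPLE_LOG)):
        print(f"{when}  {client}  {reason}")
```

In the constructed sample the legitimate editor's POST from 10.0.1.31 is not flagged because its Referer is an ordinary site page, while both hits share the client 198.51.100.7, which is the pivot for the rest of the investigation. A hit on either indicator means the machine keys on that server should be treated as stolen regardless of patch state.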
Mitigation and Defensive Actions
The fixes in the regular July Patch Tuesday update were bypassed by this chain, so Microsoft released out-of-band emergency security updates for the supported on-premises SharePoint Server versions. Security advisories stressed immediate deployment on all affected systems, but patching alone does not remediate a server that was already exploited: organizations were told to rotate the ASP.NET machine keys and restart IIS after patching, to enable SharePoint's AMSI integration with an antimalware engine on the servers, and to audit for signs of compromise, including unexpected .aspx files in the SharePoint layouts directory and anomalous changes to access privileges. Critical data reachable through integrated Microsoft 365 applications also warranted scrutiny, since lateral movement from SharePoint could expose Office files, Teams conversations, and OneDrive assets.
Broader Threat Landscape
The campaign underscores the continued trend of attackers prioritizing highly privileged enterprise platforms using advanced persistent threat techniques and exploiting intricate enterprise software flaws. The impact across verticals, including banking, healthcare, education, and public agencies, signals the strategic value adversaries place on gaining footholds in business collaboration infrastructure. Cybersecurity agencies continue to monitor for emerging variants and encourage collaboration between IT teams and incident response units.
SafePay Ransomware Attack Forces Major Ingram Micro Outage
In early July 2025, Ingram Micro, a prominent global distributor of information technology products, suffered a significant ransomware attack attributed to the SafePay group. The breach, discovered just before the July 4th holiday, disabled critical business operations and forced a widespread shutdown of VPN access and digital platforms. The attack is notable for affecting internal systems, halting online order processing, and prompting an extensive reset of credentials across the company’s international workforce.
Incident Discovery and Response
The intrusion was detected when ransom notes appeared on employee workstations; subsequent forensic analysis pointed to compromised credentials used to log in to the company's GlobalProtect VPN as the likely initial vector. In response, Ingram Micro disabled VPN connectivity, instructed employees to work remotely, and began assessing the extent of the breach. The Xvantage and Impulse service and logistics platforms were shut down, while some Microsoft 365-based collaboration tools remained operational.
Ransomware Actor and Tactics
The SafePay ransomware group, active since late 2024, was identified as the most probable perpetrator based on digital forensics and ransom note analysis. This collective had already claimed more than 200 victims globally by mid-2025, with May seeing the highest surge in attacks. SafePay is known for aggressive data encryption and attempted data exfiltration to increase leverage in negotiations, though it remains unclear if any sensitive customer or business data was stolen in this incident.
Recovery and Business Continuity
By July 8, Ingram Micro had restored limited order processing through manual channels such as phone and email, while the digital order systems underwent phased remediation. Network-wide password resets were mandated and multi-factor authentication settings were updated, a necessary step given that the suspected entry point was a valid credential. Cybersecurity consultants were engaged for recovery, forensics, and ongoing threat hunting. The company is gradually restoring VPN connectivity and evaluating further steps to improve cyber resilience after the outage.
State-Sponsored Breach Targets US National Guard Amid Surge in Advanced Threat Techniques
In July 2025, the US National Guard was reported to have been the victim of a state-sponsored cyber intrusion attributed to a China-based threat group. The disclosure formed part of a larger trend observed throughout the month, in which adversaries used increasingly creative tactics, including typosquatted GitHub repositories, weaponized CAPTCHAs, and AI-assisted malware delivery. The breach heightened exposure of sensitive defense data and placed a spotlight on persistent weaknesses in critical public sector infrastructure.
Breach Mechanics and Targeting
The month's campaigns combined supply chain weaknesses with evasion techniques. Typosquatted code repositories, named one or two characters off from a legitimate project, tricked developers into pulling poisoned dependencies. Weaponized CAPTCHAs, fake "verify you are human" prompts that walk the victim through running an attacker-supplied command, delivered command-and-control payloads through the user's own actions, bypassing perimeter controls that only inspect inbound files. The direct targeting of the US National Guard signals a focused interest in military and governmental strategic operations.
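The typosquatting lure works because a name one edit away from a well-known package looks right at a glance. A cheap control is to compare every declared dependency against a list of legitimate names before installation and flag near misses. The script below is an added example written for this article, not code from the original page or from any project it mentions; the allowlist and the requirements text are constructed for the demonstration, and in practice the allowlist would be the organization's approved packages or the most-downloaded names on the index.

```python
"""Flag dependency names that are one or two edits away from a well-known package.

Added example (not from the original page). The known-package list and the
requirements text are constructed for the demonstration.
"""
import re

# Constructed allowlist of legitimate package names (assumption for the demo).
KNOWN_PACKAGES = frozenset({
    "requests", "urllib3", "numpy", "cryptography",
    "python-dateutil", "boto3", "pyyaml",
})

# Constructed requirements file; two entries are deliberate typosquats.
SAMPLE_REQUIREMENTS = """\
requests==2.32.3
reqeusts==2.32.3        # transposed letters
python-dateutil==2.9.0
cryptograpy==42.0.0     # one letter dropped
boto3==1.34.0
"""

_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)")


def normalize(name):
    """PEP 503 normalization: lowercase and collapse runs of '-', '_' and '.' to '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_requirements(text):
    """Return the declared project names, ignoring comments, blank lines and version specifiers."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = _NAME_RE.match(line)
        if m:
            names.append(m.group(1))
    return names


def levenshtein(a, b):
    """Edit distance computed with a single rolling row of the DP table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(declared, known=KNOWN_PACKAGES):
    """Return (declared, similar_to, distance) for names close to, but not equal to, a known name.

    Short names get a tighter threshold: under 6 characters almost every
    2-edit neighbour is a different legitimate package, so only distance 1 counts.
    """
    known_norm = {normalize(k) for k in known}
    findings = []
    for name in declared:
        n = normalize(name)
        if n in known_norm:
            continue  # exact match after normalization is fine
        limit = 1 if len(n) < 6 else 2
        for k in sorted(known_norm):
            d = levenshtein(n, k)
            if 0 < d <= limit:
                findings.append((name, k, d))
    return findings


if __name__ == "__main__":
    for name, k, d in typosquat_candidates(parse_requirements(SAMPLE_REQUIREMENTS)):
        print(f"{name!r} is {d} edit(s) from known package {k!r}")
```

The normalization step matters: "PyYAML" and "pyyaml" are the same project, and without it the exact-match check would miss legitimate entries and report them as near misses. The same logic applies to any ecosystem with a flat namespace (npm, RubyGems, crates.io); only the requirement parser and the allowlist change.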
Artificial Intelligence in Malware Delivery
July also saw notable increases in AI-assisted attack frameworks. Threat actors deployed generative AI models to autonomously mutate malicious payloads and craft bespoke phishing lures, successfully subverting even trained end users. This rapid evolution challenges the ability of cybersecurity teams to keep pace, as attackers continuously refine their techniques and propagate new malware variants at scale.
Sectoral Impact and Industry Response
The compromise of defense and telecom assets has prompted emergency briefings for US public sector IT leadership. Security researchers reported a corresponding spike in distributed denial-of-service (DDoS) and remote access trojan (RAT) campaigns, targeting not only national defense but also private sector networks and infrastructure providers. The situation has exposed a critical gap in workforce capabilities, spurring discussion on upskilling and cross-sector cooperation to counteract a rapidly morphing threat environment.
