SparTech Software CyberPulse – Your quick strike cyber update for July 27, 2025 1:21 PM

SharePoint Zero-Day Vulnerabilities Widely Exploited in Sophisticated Global Attacks

Over the course of July 2025, multiple zero-day vulnerabilities in Microsoft SharePoint have been actively exploited by cybercriminals, targeting enterprises, governments, and academic institutions across North America and Europe. These incidents, rated as critical on the CVSS scale and observed since at least July 7, have resulted in widespread system compromises, urgent patch releases from Microsoft, and major calls to action from security agencies.

Details of the SharePoint Exploits

The two most severe vulnerabilities discovered enabled unauthenticated remote code execution and gave adversaries administrative rights over affected SharePoint Server environments. Attackers leveraged these flaws to gain persistent access, steal sensitive authentication keys, and potentially interact with the broader Microsoft 365 data ecosystem managed through SharePoint. Global sectors impacted include banking, higher education, corporate enterprises, and public agencies.

Technical Analysis and Attack Tactics

Research indicates that exploits originated from multiple IP addresses, including some previously connected to other high-profile vulnerabilities. Attackers demonstrated advanced knowledge, bypassing security controls and tailoring payloads to subvert built-in SharePoint defenses. Details reveal that, in some cases, attackers obtained cryptographic keys, facilitating further lateral movement and data exfiltration within targeted networks.

Mitigation and Response

Microsoft responded with out-of-band patches as part of their July Patch Tuesday cycle, providing remediations for the identified CVEs. CISA and other national security agencies have issued urgent advisories, strongly urging institutions to apply security updates immediately to prevent further exploitation. Security firms recommend intensive monitoring of SharePoint server logs for unusual administrative activity and suggest verifying the integrity of authentication mechanisms after patching.

Implications for Enterprises and Recommendations

The broad targeting of SharePoint, a backbone of file and workflow management in Microsoft-centric environments, signals attackers’ focused intent on compromising core business operations. Organizations are advised to audit their exposure, implement multi-layered access controls, and revisit incident response plans in light of emerging exploitation patterns targeting enterprise collaboration platforms.

Scattered Spider Cybercrime Group Linked to Major Social Engineering Attacks

Throughout July 2025, the Scattered Spider threat group has been implicated in a series of high-impact cyberattacks on major retailers, airlines, and insurance firms across the US, UK, Canada, and Australia. These incidents have highlighted an escalating use of advanced social engineering techniques, with attackers impersonating employees and contractors to subvert multi-factor authentication and internal security protocols.

Attack Campaigns and Victim Impact

Notable incidents attributed to Scattered Spider include breaches at airlines such as Qantas, resulting in exposure of personal data for up to six million customers, as well as persistent ransomware campaigns against retail giants like M&S, Co-op, and Harrods. Organizations have reported prolonged operational disruptions; some, such as M&S, anticipate full restoration of online services only after several months of downtime.

Technical Tactics: Focus on Social Engineering

The group’s approach involves leveraging publicly available information and targeting IT help desks, where they convincingly pretend to be authorized personnel. By doing so, they circumvent established multi-factor security measures and quickly escalate their privileges. These methods underscore the ongoing vulnerability posed by human factors in organizational cybersecurity defense.

Law Enforcement Actions and Wider Trends

In July, UK authorities made the first significant arrests related to this spate of attacks, marking progress in the investigation of Scattered Spider’s sprawling operations. However, data suggests the threat landscape remains acute: a recent survey indicated a sharp year-over-year increase in cyberattacks, with 27% of UK companies reporting incidents, up 11 percentage points.

Strategic Recommendations

Experts recommend upgraded employee training, realistic social engineering simulations, and enhanced access control strategies—including dynamic authentication and device trust schemes. Vigilance against impersonation attempts and close IT helpdesk supervision remain critical for organizations facing these sophisticated criminal operations.

Iran-Linked Hackers Launch Attacks on US Transportation and Manufacturing

In July 2025, US authorities reported an upswing in targeted cyberattacks against transportation and manufacturing sectors by hacker groups associated with Iranian state interests. This increase, reportedly in response to ongoing geopolitical tensions following the Israel-Iran conflict, illustrates the growing use of cyber capabilities as instruments of statecraft and disruption.

Nature and Technical Profile of Recent Attacks

The attacks exploited both unpatched software vulnerabilities and advanced spear-phishing techniques. In several cases, adversaries sought to disrupt operations or exfiltrate industrial control data rather than deploy ransomware. The sophistication of the campaigns indicates significant resources and organizational backing, with at least some intrusions achieving lateral movement within segmented industrial networks.

Response and Mitigation Strategies

Security authorities recommended that organizations in critical infrastructure sectors prioritize vulnerability assessments and segment operational and information technology networks more rigorously. Enhanced logging, anomaly detection, and threat intelligence sharing were emphasized as crucial for early detection and containment of state-linked intrusion activity.

Ingram Micro Global Operations Restored After Ransomware Attack

Ingram Micro announced the restoration of global operations following a multi-day ransomware attack attributed to the SafePay hacker group. While the company is still assessing the full impact of the compromise, this episode reflects the ongoing risk ransomware groups pose even to security-conscious technology and supply chain firms.

Incident Overview and Ransomware Details

The attackers gained access through undisclosed means, encrypting operational data and disrupting internal logistics. Early reports suggest the use of advanced ransomware payloads with novel anti-forensic capabilities, complicating post-incident investigation and restoration efforts.

Remediation Measures and Sector-Wide Lessons

Ingram Micro’s recovery efforts depended on rapid isolation of affected systems, utilization of offline backups, and close collaboration with forensic experts. The episode reinforced the need for robust ransomware response planning, continuous backup verification, and segmented network architectures to reduce ransomware exposure windows.
