SparTech Software CyberPulse – Your quick strike cyber update for July 29, 2025 11:01 PM

Wave of Microsoft SharePoint Zero-Day Exploits Leads to Widespread Attacks

In July 2025, a critical mass of cyberattacks exploited previously unknown vulnerabilities in Microsoft SharePoint, resulting in the compromise of hundreds of organizations worldwide. These attacks revealed both the scale of reliance on SharePoint within enterprise and government environments and the evolving capabilities of state-backed and financially motivated threat actors. Affected institutions ranged from government agencies and banks to universities and healthcare providers, with attackers leveraging remote code execution (RCE) flaws for system infiltration and persistent access.

Two Major Zero-Day Vulnerabilities Identified

Microsoft disclosed two zero-day vulnerabilities (CVSS scores 9.8 and 7.1) in on-premises SharePoint servers. The first flaw enabled unauthenticated attackers to achieve remote code execution, bypassing authentication entirely and allowing them to run arbitrary code and deploy malicious payloads. The second vulnerability, rated slightly less severe, could be chained for privilege escalation, granting administrative-level access.

ToolShell Campaign and Advanced Threat Actor Involvement

Security researchers identified that these flaws were exploited as part of what has been dubbed the “ToolShell” campaign. At least 400 organizations, including the US National Nuclear Security Administration and multiple state and local agencies, were affected by mid-July. Forensic analysis linked the campaign to three China-based state-sponsored groups—Linen Typhoon, Violet Typhoon, and Storm-2603—one of which also reportedly dropped Warlock ransomware in selected intrusions.

Bypassing Early Patches and Rapid Attack Adoption

Attackers exploited initial vulnerabilities demonstrated at the Pwn2Own contest in May 2025. Microsoft released a first wave of patches by July 8; however, threat actors rapidly developed workarounds to circumvent these fixes. This underscores the attackers’ access to sophisticated tooling and the limitations of conventional patch management when facing adversaries with advanced capabilities.

Scope of Impact and Response Measures

The attackers targeted both public and private organizations, with notable compromises at banks, corporate enterprises, hospitals, and energy sector entities. The US Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft issued urgent guidance for system patching, emergency machine key rotation, and immediate disconnection of end-of-life SharePoint instances from the internet. Security experts highlighted that tens of thousands of servers could still be vulnerable.

Technical Attack Chain and Persistence

The SharePoint exploitation chain typically began with remote, unauthenticated access leveraging the zero-day flaw. Attackers deployed toolkits such as web shells or reverse proxies for persistent command and control, moving laterally within compromised environments and harvesting sensitive data stored in integrated Microsoft 365 applications.
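One of the first triage steps for the persistence stage described above is to look for server-side script files that were dropped or modified on the SharePoint web front end. The script below is an added example written for this digest, not code from the original page, from Microsoft, or from any of the named threat reports. It is read-only: it enumerates ASPX/ASHX/ASMX files under the SharePoint LAYOUTS directories that changed after a cut-off date and records their hashes for comparison with a known-good baseline. The directory paths, file extensions and 30-day window are assumptions to adjust for your farm.

```powershell
# Added example (not from the CyberPulse digest or Microsoft): read-only triage
# of SharePoint LAYOUTS directories for recently created or modified
# server-side script files, which is a common place to find web shells.
# $LayoutsPaths and $Since are assumptions; change them for your environment.
param(
    [string[]]$LayoutsPaths = @(
        "$env:CommonProgramFiles\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS",
        "$env:CommonProgramFiles\microsoft shared\Web Server Extensions\15\TEMPLATE\LAYOUTS"
    ),
    [datetime]$Since = (Get-Date).AddDays(-30)
)

$findings = foreach ($root in $LayoutsPaths) {
    # Skip hive directories that do not exist on this server (e.g. only one version installed)
    if (-not (Test-Path -Path $root)) { continue }

    Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since } |
        ForEach-Object {
            # Record timestamps, size and a SHA-256 so the file can be compared
            # against a clean build or a patch manifest before it is touched.
            [pscustomobject]@{
                Path      = $_.FullName
                Created   = $_.CreationTime
                LastWrite = $_.LastWriteTime
                SizeBytes = $_.Length
                SHA256    = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

if ($findings) {
    $findings | Sort-Object -Property LastWrite -Descending | Format-Table -AutoSize
    # Keep a copy of the evidence for the incident record
    $findings | Export-Csv -Path "$env:TEMP\sharepoint-layouts-triage.csv" -NoTypeInformation
} else {
    Write-Host "No ASPX/ASHX/ASMX files changed since $Since under the checked LAYOUTS paths."
}
```

Legitimate SharePoint updates also rewrite files under LAYOUTS, so a hit in this list is a lead, not a verdict: compare each file’s timestamp with the farm’s patch install times and its hash with a clean server before treating it as malicious, and run the check on every web front end, since a web shell only needs to exist on one of them.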

Ongoing Threat Landscape

Microsoft threat intelligence units assessed with high confidence that the success and speed of the initial campaigns will motivate further adoption of these exploits by both nation-state and criminal hacking groups until all vulnerable systems are patched or removed from service. The campaign highlights the accelerating risk posed by sophisticated attackers, supply chain dependencies, and lagging patch cycles within legacy infrastructure.

Ingram Micro Hit by SafePay Ransomware, Impacting Global Operations

On July 4, 2025, major IT distribution corporation Ingram Micro experienced a disruptive ransomware attack, resulting in outages that hampered its online ordering capabilities for nearly a week. The incident drew industry attention due not only to the size and complexity of the victim but also the threat actor’s unusual operational tactics, complicating standard response playbooks. The attack raises questions about the resilience of supply chain infrastructure in the face of increasingly tailored ransomware operations.

Incident Timeline and Service Disruptions

The attack was initially revealed after customers experienced outages and delays in ordering and fulfillment systems. Ingram Micro rapidly isolated and shut down key systems in response, taking a significant portion of its IT infrastructure offline as a precaution. The outage persisted for several days, with the company publicly confirming the cyberattack and promising restoration efforts. By July 10, Ingram Micro reported full recovery of global operations, but the incident underscored the extensive operational risk posed by attacks on backbone IT providers.

SafePay Ransomware Group’s Novel Strategy

The hacking group SafePay, attributed as the perpetrator, operates outside the typical ransomware-as-a-service (RaaS) model. Rather than relying on affiliates, SafePay executes its own attacks directly, minimizing the risks associated with affiliate betrayals and operational leaks. This approach allows for a faster operational tempo and a more tightly controlled, adaptive strategy, disadvantaging defenders who depend on threat model consistency. SafePay’s approach and tooling are regarded as sophisticated, with some elements of the attack specifically tailored to Ingram Micro’s technology stack.

Technical Penetration and Recovery Actions

While technical details remain guarded, SafePay reportedly gained access to privileged accounts, encrypting system-critical files and demanding ransom. Incident response teams deployed a combination of backup restores, system reimaging, and out-of-band communications to remediate and maintain limited business continuity. Extensive forensic analysis followed to ensure root cause eradication, with industry observers noting that immediate system disconnection played a critical role in containing the attack.

Implications for IT Distribution and Broader Supply Chains

The attack on Ingram Micro highlights the systemic risk posed by ransomware to the global technology supply chain, endangering procurement, distribution, and logistic systems that support businesses worldwide. Industry leaders are calling for tighter endpoint protection, increased redundancy, and broader adoption of real-time monitoring to combat similar disruptive attacks.
