Microsoft SharePoint Zero-Day Exploitation Wave Escalates in July 2025
July 2025 has seen a global surge in sophisticated attacks targeting Microsoft SharePoint servers via previously unknown zero-day vulnerabilities. The exploits, believed to originate from well-resourced state-linked groups, have affected hundreds of organizations, threatening the security of sensitive documents, emails, and business processes hosted on Microsoft’s collaboration platform. Rapid advisories from both Microsoft and major cybersecurity agencies signal the gravity of these breaches and the urgency of immediate patching and defensive countermeasures.
Nature and Impact of the Exploits
Attackers leveraged two critical vulnerabilities discovered in SharePoint, one supporting unauthenticated remote code execution and another permitting unauthorized administrative access. The vulnerabilities, rated 9.8 and 7.1 on the CVSS scale, have enabled threat groups to remotely run arbitrary code, bypassing multiple native security controls to attain persistent access.
Compromises have affected a sweeping range of targets: banks, universities, healthcare organizations, public utilities, and government agencies across North America and Europe. At least 75 confirmed incidents have been logged, with new victims surfacing throughout the month as adversaries attempt lateral movement from initially breached SharePoint environments into broader enterprise networks.
Attack Attribution and Tactics
Security researchers have linked the attacks to three distinct threat actors suspected to be China-based: Linen Typhoon, Violet Typhoon, and Storm-2603. Notably, Storm-2603 has combined exploitation with ransomware deployment. The campaign exploits zero-days initially discovered at the May 2025 Pwn2Own contest. Attack chains have included tailored payloads built to bypass early mitigation efforts, and attackers have adeptly modified proof-of-concept code to add evasion capabilities.
In one observed campaign, named “ToolShell,” adversaries rapidly adapted once Microsoft pushed out patches on July 8, circumventing the mitigations and targeting organizations running end-of-life or unpatched on-prem SharePoint instances.
Mitigation and Long-Term Defense Measures
Microsoft and CISA recommend immediate installation of the latest SharePoint security updates and, for affected organizations, review of authentication and encryption keys, audit of administrative actions, and consideration of disconnecting unsupported SharePoint systems from the internet. Security teams are advised to monitor for web shells, review logs for evidence of privilege escalation, and implement stronger network segmentation around collaborative document management environments.
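One concrete way to act on the advice to "monitor for web shells" is a file-integrity baseline over the SharePoint web root: snapshot hashes of every file, then diff a later snapshot and flag any added or modified file with an extension the web server will execute. The script below is an added example, not code from Microsoft or CISA; the directory layout, file names and contents it uses are constructed for the demo, and the extension list is an assumption about which ASP.NET file types matter on a SharePoint host.

```python
"""Baseline-and-diff check for new or modified server-side script files.

Added example (not Microsoft/CISA tooling). Snapshot SHA-256 hashes of every
file under a web root, diff a later snapshot against that baseline, and flag
additions or modifications to executable web content, which is where a dropped
web shell or a backdoored existing page shows up. All paths, file names and
contents in demo() are constructed for illustration.
"""
import hashlib
import os
import tempfile

# Assumed set of extensions IIS/ASP.NET executes on a SharePoint host.
EXECUTABLE_WEB_EXTENSIONS = {".aspx", ".ashx", ".asmx", ".asax"}


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large files do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict[str, str]:
    """Map each file's path (relative to root, '/'-separated) to its SHA-256."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Report files that appeared, disappeared, or changed content since the baseline."""
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


def flag_web_shell_candidates(diff: dict[str, list[str]]) -> list[str]:
    """Added or modified files with an executable extension deserve analyst review."""
    candidates = diff["added"] + diff["modified"]
    return sorted(p for p in candidates
                  if os.path.splitext(p)[1].lower() in EXECUTABLE_WEB_EXTENSIONS)


def _write(path: str, content: str) -> None:
    with open(path, "w") as f:
        f.write(content)


def demo() -> dict:
    """Simulate a web root, take a baseline, apply changes, and return what was flagged."""
    with tempfile.TemporaryDirectory() as root:
        layouts = os.path.join(root, "TEMPLATE", "LAYOUTS")   # constructed layout
        os.makedirs(layouts)
        _write(os.path.join(layouts, "default.aspx"), "<%@ Page %> original")
        _write(os.path.join(layouts, "styles.css"), "body {}")
        baseline = build_manifest(root)

        # Simulated post-compromise changes (constructed, not real indicators):
        # a new page, an edited existing page, plus two benign non-script changes.
        _write(os.path.join(layouts, "unexpected.aspx"), "<%@ Page %> dropped file")
        _write(os.path.join(layouts, "default.aspx"), "<%@ Page %> original plus inserted code")
        _write(os.path.join(layouts, "styles.css"), "body { color: red }")
        _write(os.path.join(layouts, "logo.png"), "constructed png bytes")
        current = build_manifest(root)

        diff = diff_manifests(baseline, current)
        return {"diff": diff, "flagged": flag_web_shell_candidates(diff)}


if __name__ == "__main__":
    result = demo()
    print("changed:", result["diff"])
    print("review these:", result["flagged"])
```

In practice the baseline is taken on a known-good host right after patching and stored off the server, and the diff is scheduled; the non-script changes (CSS, image) show up in the diff but are not flagged, which keeps the review list short.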
Critical Infrastructure: The Prime Target for July’s Advanced Cyberattacks
July 2025 marked a sharp escalation in attacks aimed at the world’s most vital infrastructure sectors—energy, transportation, manufacturing, and government systems. The latest attack wave demonstrates the growing technical prowess of adversaries employing both hacktivist and nation-state tactics, resulting in significant disruption and rising risk to public safety and economic stability.
Attack Methods and Objectives
The majority of recent attacks deployed highly customized infiltration techniques, including exploiting newly discovered vulnerabilities, lateral movement through trusted interconnections, and leveraging covert “virtual patching” strategies. Some threat actors bypassed air-gapped defenses using boot-level malware, networking hardware compromises, and encrypted tunneling web shells. These efforts required substantial reconnaissance, with attackers demonstrating deep knowledge of targeted operational technology and control environments.
Notable Incidents and Response Measures
Recent infrastructure attacks have resulted in temporary shutdowns of regional energy grids and targeted disinformation operations on public utilities. In several cases, attackers weaponized trusted remote monitoring tools or exploited supply-chain weaknesses to gain initial access. Governments and industry consortia responded with rapid advisories—calling for enhanced segmentation, multi-layered detection, and accelerated Zero Trust adoption, particularly for organizations unable to immediately patch legacy systems.
Defensive Innovations and Policy Changes
Cyber defenders are scaling up virtual patching solutions, in which vulnerabilities are mitigated at the network or application layer ahead of official vendor updates. There is also increased investment in behavioral detection, using AI-driven models to spot subtle deviations in access patterns even on air-gapped or segmented networks. Regulatory bodies are mandating incident notification for entities operating critical infrastructure and imposing penalties for non-compliance.
AI-Augmented Linux Malware ‘Koske’ Unleashes Polymorphic Cryptomining Attacks
Researchers have uncovered a novel Linux malware strain, “Koske”, active in July 2025 and remarkable for its advanced anti-detection techniques powered by AI-assisted code. The operation’s core payload is a stealth cryptominer, delivered using uniquely crafted images in what is believed to be the most sophisticated polyglot JPEG exploit seen to date.
Technical Operation and Infection Vector
Koske gains entry via misconfigured JupyterLab instances, often leveraging the recently tracked CVE-2025-30370. Upon infection, the malware uses JPEG images of pandas as polyglot containers, embedding executable shellcode inside innocuous-looking media files. When the compromised application parses such an image, the rootkit loads entirely in memory, leaving traditional disk-based antivirus nearly ineffective.
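A defender can check image files for exactly this kind of polyglot construction without any signature. The page does not say how Koske embeds its payload, so the added example below (not the researchers' code) assumes the most common polyglot layout, in which the payload is appended after the JPEG End-Of-Image marker; it walks the marker segments, finds EOI, and reports any bytes beyond it. The sample JPEG and the appended bytes are constructed, and the function is a structural heuristic, not a decoder.

```python
"""Structural check for JPEG files carrying data outside the image stream.

Added example, not code from the Koske researchers. Assumes the common polyglot
layout where a payload sits after the End-Of-Image (EOI) marker. Walks the
marker segments, locates EOI, and reports anything past it, so it can run over
uploads or a notebook server's working directory. Sample bytes are constructed.
"""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no 2-byte length field.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))


def inspect_jpeg(data: bytes) -> dict:
    """Return the segment list, EOI offset, trailing-byte count, a preview, and issues."""
    report = {"segments": [], "eoi_offset": None, "trailing_bytes": 0,
              "trailing_preview": b"", "issues": []}
    if data[:2] != b"\xff\xd8":
        report["issues"].append("no SOI marker; not a JPEG")
        return report
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            report["issues"].append(f"garbage at offset {pos} before scan data")
            return report
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte, skip it
            pos += 1
            continue
        if marker in STANDALONE:
            report["segments"].append((marker, 0))
            if marker == EOI:              # EOI before any scan: unusual but handled
                report["eoi_offset"] = pos
                pos += 2
                break
            pos += 2
            continue
        if pos + 4 > len(data):
            report["issues"].append("truncated segment header")
            return report
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        report["segments"].append((marker, length))
        pos += 2 + length
        if marker == SOS:
            # Entropy-coded data follows. Inside it, 0xFF is always followed by
            # 0x00 or an RSTn marker, so the first FF D9 found is the EOI.
            eoi = data.find(b"\xff\xd9", pos)
            if eoi == -1:
                report["issues"].append("no EOI after scan data")
                return report
            report["eoi_offset"] = eoi
            pos = eoi + 2
            break
    if report["eoi_offset"] is None:
        report["issues"].append("no EOI marker found")
        return report
    trailing = data[pos:]                  # anything after EOI is not image data
    report["trailing_bytes"] = len(trailing)
    report["trailing_preview"] = trailing[:16]
    if trailing:
        report["issues"].append(f"{len(trailing)} bytes after EOI")
    return report


def is_suspicious(data: bytes, threshold: int = 0) -> bool:
    """True when trailing data exceeds the threshold or the structure is broken."""
    r = inspect_jpeg(data)
    return r["eoi_offset"] is None or r["trailing_bytes"] > threshold


def build_sample(payload: bytes = b"") -> bytes:
    """Construct a minimal, structurally valid JPEG (not a decodable picture)."""
    app0 = (b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00"
            + b"\x01\x01" + b"\x00" + b"\x00\x01" + b"\x00\x01" + b"\x00\x00")
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\x78"     # includes a stuffed FF 00 pair
    return b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9" + payload


if __name__ == "__main__":
    clean = build_sample()
    tampered = build_sample(b"#!/bin/sh\necho constructed-sample\n")
    print("clean:", inspect_jpeg(clean)["issues"])
    print("tampered:", inspect_jpeg(tampered)["issues"], inspect_jpeg(tampered)["trailing_preview"])
```

Some legitimate tools leave a few padding bytes after EOI, so the threshold argument lets a deployment tolerate a small tail while still surfacing anything large enough to be a script or binary; a file that parses but has no EOI at all is treated as suspicious too.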
Persistence and Evasion Techniques
The malware employs self-adaptive algorithms, rotating its communication channels and cryptomining payload profiles in response to environmental security controls. It blends network activity with benign data flows, automatically tuning mining rate and operation times to avoid spiking CPU or power consumption—signals typically used in cryptominer detection.
Mitigation Guidance
Organizations should prioritize patching JupyterLab and related Python-based technologies and review server access and permission models. Layered AI-driven endpoint monitoring is recommended, with specific attention to in-memory code injection and anomalous file parsing events related to image libraries.
Multi-Million Dollar Data Breach at Allianz Life Following Sophisticated Social Engineering
On July 16, 2025, Allianz Life Insurance confirmed one of the year’s largest data breaches, exposing personal information on the vast majority of its 1.4 million U.S. customers and employees. Adversaries used advanced social engineering techniques to compromise the insurer’s cloud-based customer relationship management (CRM) system in a classic example of the evolving human-centric attack surface.
Attack Sequence and Technique
Threat actors directly targeted managed help desk agents at an outsourced provider (Cognizant). Through impersonation and manipulation, attackers convinced agents to hand over valid network credentials and reset accounts’ multi-factor authentication (MFA) protections, all without sufficiently robust identity verification procedures.
Damage Assessment and Regulatory Fallout
The breach forced Allianz to notify the FBI, conduct an immediate incident response operation, and initiate mandatory regulatory disclosures to affected consumers and state oversight bodies. The compromised data may include names, addresses, dates of birth, Social Security numbers, financial account information, and some health data—prompting a multi-state notification campaign. The breach has already resulted in an estimated $380 million in damages and sparked new regulatory scrutiny of insurance-sector supply chains.
Lessons for Third-Party and Identity Security
Analysts note this breach underscores persistent weaknesses in third-party vendor management and the critical need for stringent identity verification in help desk environments, especially when an MFA reset or credential reset is requested. Organizations are reminded to regularly audit third-party relationships for both process and technical controls.