SparTech Software CyberPulse – Your quick strike cyber update for July 31, 2025 2:03 AM

Microsoft SharePoint Zero-Day Vulnerabilities Exploited in Global Campaigns

July 2025 saw the emergence of multiple zero-day vulnerabilities in Microsoft SharePoint, actively exploited by advanced threat actors across North America, Europe, and Asia. The exploits led to confirmed compromises in hundreds of organizations, illustrating growing risks to widely used business collaboration platforms and emphasizing the persistence and technical depth of threat actors targeting enterprise software stacks.

Attack Scope and Technical Impact

The two principal vulnerabilities were rated 9.8 and 7.1 on the CVSS scale. The more severe, CVE-2025-53770, is a deserialization flaw that permits unauthenticated remote code execution (RCE) on unpatched on-premises SharePoint servers; SharePoint Online in Microsoft 365 was not affected. Attackers obtained administrative control of the server, with the ability to manipulate files, exfiltrate sensitive data, and stage follow-on payloads against assets integrated with the farm and with the organization's Microsoft 365 environment.

Attack Attribution and Campaign Tactics

Microsoft attributed exploitation to two Chinese state actors, Linen Typhoon and Violet Typhoon, and to a third China-based actor tracked as Storm-2603, which deployed Warlock ransomware as a post-intrusion payload. The exploit chain descends from vulnerabilities demonstrated at the Pwn2Own Berlin contest in May 2025 and patched in Microsoft's July 8 security update. Attackers then used variant exploits that bypassed that patch, delivered with obfuscated payloads; Microsoft tracked the bypasses under new CVE identifiers and fixed them in emergency out-of-band updates.

Incident Response and Protections

Advisories from CISA and Microsoft called for urgent patching, rotation of the ASP.NET machine keys on every affected server, and, where support had lapsed, taking end-of-life SharePoint servers off the internet. The key rotation is not optional: the attackers' web shell harvested each server's ValidationKey and DecryptionKey, and with those an attacker can forge signed __VIEWSTATE payloads and re-enter a server after it has been patched. Microsoft also recommended enabling AMSI integration in Full Mode together with Defender Antivirus on SharePoint servers. Forensic analysis found attackers tailoring exploits to environment-specific security controls and relying on stealthy persistence: living-off-the-land binaries and web shells placed in SharePoint's LAYOUTS directory.
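The advisories above tell teams to review logs for anomalous SharePoint access and to look for web shells under LAYOUTS. The script below is an added example, not SparTech's or Microsoft's code, of what that hunt looks like over IIS W3C logs: it flags unauthenticated POSTs to /_layouts/ pages from external addresses, requests for .aspx pages that are not in a baseline of deployed files, and successful responses to scripted clients. The log lines, the internal address ranges, the page baseline and the name shell_x.aspx are all constructed for the illustration.

```python
"""Added example (not SparTech's or Microsoft's code): hunt IIS W3C logs
for anomalous access to SharePoint /_layouts/ pages.

The log lines, the internal address ranges and the baseline of deployed
LAYOUTS pages are constructed assumptions for this illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed IIS W3C sample. The #Fields directive names the columns.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip cs(User-Agent) sc-status
2025-07-19 03:14:07 GET /_layouts/15/start.aspx - CORP\\alice 10.0.12.8 Mozilla/5.0 200
2025-07-19 03:14:09 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit - 203.0.113.44 Mozilla/5.0 200
2025-07-19 03:14:11 GET /_layouts/15/shell_x.aspx - - 203.0.113.44 python-requests/2.32 200
2025-07-19 03:15:02 GET /_layouts/15/settings.aspx - CORP\\bob 10.0.12.9 Mozilla/5.0 200
2025-07-19 03:15:40 POST /_layouts/15/upload.aspx - CORP\\bob 10.0.12.9 Mozilla/5.0 200
"""

# Assumed inventory of .aspx pages legitimately present under LAYOUTS.
# In practice, build this from a known-good server or the install media.
DEPLOYED_LAYOUTS = {"start.aspx", "settings.aspx", "upload.aspx", "toolpane.aspx"}

# Assumed internal ranges; replace with your own address plan.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SCRIPTED_UA_HINTS = ("python-requests", "curl/", "go-http-client", "powershell")


@dataclass
class Finding:
    rule: str
    line: str


def parse_w3c(text):
    """Turn W3C extended log text into dicts keyed by the #Fields names."""
    fields, rows = None, []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        parts = raw.split()
        if fields is None or len(parts) != len(fields):
            continue  # malformed or pre-#Fields line: skip rather than guess
        rows.append(dict(zip(fields, parts)))
    return rows


def is_external(ip):
    """True unless the address falls inside an assumed internal range."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return True  # an unparsable source is treated as untrusted
    return not any(addr in net for net in INTERNAL_NETS)


def hunt(rows, deployed=DEPLOYED_LAYOUTS):
    """Apply three indicators to requests under /_layouts/:
    - an unauthenticated POST from an external address,
    - a request for an .aspx page that is not in the deployed baseline,
    - a 200 served to a scripted client."""
    findings = []
    for r in rows:
        stem = r["cs-uri-stem"].lower()
        if "/_layouts/" not in stem:
            continue
        page = stem.rsplit("/", 1)[-1]
        summary = " ".join(r[k] for k in ("date", "time", "cs-method", "cs-uri-stem", "c-ip"))
        unauthenticated = r["cs-username"] == "-"
        if r["cs-method"] == "POST" and unauthenticated and is_external(r["c-ip"]):
            findings.append(Finding("unauth-external-post", summary))
        if page.endswith(".aspx") and page not in deployed:
            findings.append(Finding("unknown-layouts-aspx", summary))
        ua = r["cs(User-Agent)"].lower()
        if r["sc-status"] == "200" and any(h in ua for h in SCRIPTED_UA_HINTS):
            findings.append(Finding("scripted-client-200", summary))
    return findings


if __name__ == "__main__":
    for f in hunt(parse_w3c(SAMPLE_LOG)):
        print(f"{f.rule:22} {f.line}")
```

On the constructed sample the unauthenticated external POST and the request for the unknown page from a python-requests client are the hits; the authenticated internal traffic is not. Pair the log hunt with a file-system comparison of the LAYOUTS directory against the same baseline, since a web shell that is never requested while the logs are being reviewed will not show up here.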

Broader Trends and Implications

This campaign highlights the increasing speed with which sophisticated attackers weaponize newly disclosed vulnerabilities and the difficulty of fully remediating zero-days in widely deployed, complex enterprise software. Unpatched on-premises SharePoint systems remain a critical risk exposure, with exploitation confirmed in financial, healthcare, government, and critical infrastructure domains. Experts urge organizations to closely monitor lateral movement, rotate sensitive credentials, and review logs for anomalous SharePoint access.

Critical Infrastructure Targeted by Ransomware and Hacktivist Operations

July 2025 was marked by intensified targeting of critical infrastructure sectors by ransomware groups, hacktivists, and suspected state-aligned actors. Notable incidents disrupted electrical grids, transportation systems, and government services, underscoring the convergence of ideological, financial, and geopolitical motivations among modern cyber adversaries.

Incident Scope and Attack Vectors

Adversaries exploited gaps in operational technology (OT) security, including legacy industrial control systems, unpatched network gear, and insufficient network segmentation. Attack campaigns leveraged credential theft, phishing, supply chain manipulation, and exploitation of known vulnerabilities in remote access tools and monitoring solutions. Ransomware payloads were often combined with data theft for double extortion, and, increasingly, threat actors attempted lateral movement from IT to OT environments, endangering safety-critical operations.

Government and Industry Response

Response measures included invocation of state-level cyber emergency protocols and deployment of national guard cybersecurity units in affected jurisdictions. Agencies such as CISA, ENISA, and regional sector-specific Information Sharing and Analysis Centers (ISACs) released joint advisories emphasizing the need for virtual patching, rapid vulnerability triage, Zero Trust architecture adoption, and enhanced monitoring of privileged accounts and backup systems.

Emerging Defense Strategies

Affected organizations increasingly adopted micro-segmentation of OT networks, immutable backups, and continuous threat hunting for early signs of lateral movement. The emphasis shifted toward threat intelligence sharing and the deployment of deception technology to slow attacker dwell time and improve visibility into evolving adversary tools and tactics.

MacOS and Chrome Exploited via High-Severity Vulnerabilities

New vulnerabilities affecting Apple macOS and Google Chrome were actively exploited in July 2025, enabling attackers to access sensitive user data and compromise system integrity. The incidents highlight the risks inherent to widely adopted endpoint software and reinforce the requirement for immediate patch adoption.

Technical Description: CVE-2025-6558 in Chrome

The Chrome vulnerability (CVE-2025-6558), insufficient validation of untrusted input in the ANGLE and GPU components, was reported by Google's Threat Analysis Group (TAG), which observed it being exploited in the wild. A crafted web page could use it to escape the browser sandbox, the usual first step in a chain that ends in arbitrary code execution and privilege escalation on the host. Google fixed it in Chrome 138.0.7204.157/.158, and Chromium-based browsers followed with their own updates.

Apple TCC Bypass and Data Exposure

A macOS flaw let attackers bypass the Transparency, Consent, and Control (TCC) framework by abusing Spotlight importer plugins, giving unauthorized access to protected data, including cached Apple Intelligence records such as geolocation and face and person recognition metadata. The reporting also describes the technique surviving routine remediation steps and its use in highly targeted campaigns.

Mitigation and Best Practices

Both vendors have shipped fixes, and the accompanying advisories recommend installing them immediately, reviewing system logs for indicators of compromise, and hardening endpoint configurations. Users should also expect social engineering to accompany the technical exploit, since widely publicized vulnerabilities draw the attention of multiple adversary groups.

Advanced Linux Malware Uses AI-Assisted Techniques and Image-Based Evasion

A newly reported Linux malware strain, dubbed "Koske," surfaced in late July 2025. Its code bears the marks of having been written with LLM assistance (verbose comments, defensive checks, a modular layout), and it hides its components in polyglot JPEG files to slip past file-type based controls. The toolkit shows attackers using AI to speed up development of evasion and delivery code rather than any novel exploitation technique.

Technical Analysis of the Infection Chain

The "Koske" malware uses JPEG images, typically of pandas, that are polyglot files: a valid image followed by a shell script and C source appended after the end-of-image marker, rather than data hidden in metadata fields. The loader fetches the image, carves out the appended payloads and executes them largely in memory, compiling the C component on the host into a shared object that is loaded through LD_PRELOAD; this leaves few of the on-disk artifacts that file-based detection depends on. The sample's resilience comes from ordinary runtime adaptivity, such as resetting proxy settings, flushing firewall rules and rewriting /etc/resolv.conf to public resolvers before marking the file immutable. The AI involvement is in how the code was written, not in routines that execute on the host.

Payload Capabilities and Targets

Once resident, the malware installs a userland rootkit (the LD_PRELOAD shared object hooks directory listing to hide its processes) and runs cryptominers chosen to fit the host's CPU or GPU, with a long list of candidate coins and pools. Reported infections began at misconfigured, internet-exposed JupyterLab instances and other externally reachable Linux hosts; the reporting also describes scripts that look for local container orchestrators such as Kubernetes and Docker Swarm for broader reach. The infection is modular, and the same loader could deliver other payloads, including ransomware or botnet agents.

Detection and Remediation

Detecting Koske relies on memory analysis, monitoring for anomalous CPU and GPU usage, and restrictive inbound network controls. Concrete checks follow from the infection chain: unexpected entries in /etc/ld.so.preload or LD_PRELOAD in process environments, an immutable attribute on /etc/resolv.conf, image files with data appended after the JPEG end-of-image marker, and JupyterLab or similar development services reachable without authentication. Security teams should also review short-lived file creation in world-writable directories and enforce least-privilege access throughout Linux infrastructure.
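One of the checks above, data appended after a JPEG's end-of-image marker, can be scripted. The following is an added example, not code from the Koske analysis or from SparTech: it walks the JPEG marker structure (honouring byte stuffing and restart markers inside scan data, so a real EOI is not confused with image bytes), measures what follows the image, and looks for script, C-source and ELF signatures in that trailer. The minimal JPEG and the appended payload are constructed in build_samples() so the script runs offline; nothing in it is a real Koske artefact.

```python
"""Added example (not code from the Koske analysis): find and classify data
appended after a JPEG's end-of-image marker, the polyglot trick described above.

The sample image and the appended payload are constructed in build_samples();
nothing here is a real Koske artefact.
"""
import struct
import sys

RESTART_MARKERS = set(range(0xD0, 0xD8))  # RST0..RST7 may appear inside scan data


def jpeg_end_offset(data: bytes) -> int:
    """Return the offset just past the EOI marker (FF D9).

    Walks marker segments by their declared length and, inside entropy-coded
    scan data, treats FF00 (byte stuffing) and FF D0-D7 (restart markers) as
    data so that a real EOI is not confused with image bytes.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:
            return pos + 2
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len
        if marker != 0xDA:  # not a scan: the next marker follows immediately
            continue
        while pos + 1 < len(data):  # scan data: advance to the next real marker
            if data[pos] == 0xFF and data[pos + 1] != 0x00 and data[pos + 1] not in RESTART_MARKERS:
                break
            pos += 1
    raise ValueError("no EOI marker found")


# Signatures of the payload kinds the trailer is inspected for.
INDICATORS = {
    "shell-script": b"#!",
    "c-source": b"#include",
    "elf-binary": b"\x7fELF",
}


def classify_trailer(data: bytes) -> dict:
    """Report how many bytes follow the image and which signatures they carry."""
    end = jpeg_end_offset(data)
    trailer = data[end:]
    return {
        "image_bytes": end,
        "trailer_bytes": len(trailer),
        "indicators": [name for name, magic in INDICATORS.items() if magic in trailer],
    }


def build_samples():
    """Constructed minimal JPEG (SOI, APP0, SOS, scan with stuffing and RST0, EOI)
    and the same image with a script and an ELF header appended."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    scan = b"\x12\x34\xff\x00\x56\xff\xd0\x78\x9a"  # FF00 stuffing and an RST0 inside the scan
    clean = b"\xff\xd8" + app0 + sos + scan + b"\xff\xd9"
    payload = b"#!/bin/sh\necho constructed dropper\n" + b"\x7fELF\x02\x01\x01" + bytes(16)
    return clean, clean + payload


if __name__ == "__main__":
    paths = sys.argv[1:]
    if paths:
        for p in paths:  # scan real files given on the command line
            with open(p, "rb") as fh:
                print(p, classify_trailer(fh.read()))
    else:
        clean, polyglot = build_samples()
        print("clean   :", classify_trailer(clean))
        print("polyglot:", classify_trailer(polyglot))
```

Run with file paths to scan images in a suspect directory; without arguments it compares the constructed clean and polyglot samples. A non-zero trailer is not proof of malice on its own (some cameras and editors append data too), so the indicator list is what should drive triage, and a missing or malformed EOI raises rather than guessing, which is the right behaviour for a file that claims to be an image but is not parseable as one.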

Rise in Targeted Social Engineering and Supply Chain Email Threats

There was a significant increase in targeted social engineering campaigns and supply chain-related email threats in July 2025. Attackers combined psychological manipulation with technical exploits, impacting both enterprise and individual targets by leveraging trust in familiar brands and business partners.

Trends in Social Engineering Attacks

Criminal actors refined their social engineering, opening with benign-seeming wrong-number messages to draw victims into an ongoing conversation before pivoting to credential phishing, financial scams, or attempts to install remote access trojans. A parallel trend surfaced around widely used WordPress plugins such as Post SMTP, where a broken access control flaw in unpatched versions (CVE-2025-24000, fixed in 3.3.0) let low-privileged users read the plugin's stored email logs, including password reset messages, and take over administrator accounts from what looked like routine system mail.

Supply Chain Risks and Mitigations

The increase in impersonation of trusted vendors and manipulation of automated software notifications points to the enduring risk of supply chain compromise via email. Organizations were urged to enable multi-factor authentication for all privileged accounts, monitor for anomalous email activity, and patch critical third-party software dependencies immediately upon notification of vulnerabilities.

Major Service Disruptions from Corporate and Government Cyberattacks

July 2025 saw several headline-grabbing cyberattacks resulting in major service disruptions for corporate entities and government agencies. The attacks demonstrated the operational impacts that determined adversaries can achieve, from denial-of-service events to extended system outages requiring the mobilization of external response resources.

Case Studies: Corporate and Municipal Impacts

Telecommunication giant Orange suffered a cyberattack that disrupted services for both corporate and individual subscribers, with incident response underway to restore normal operations. In Minnesota, a cyberattack targeting the City of Saint Paul led Governor Tim Walz to activate the National Guard cybersecurity unit to assist in investigation, containment, and remediation, underscoring the potential for critical service interruption and the need for cross-functional response planning.

Help-Desk Social Engineering and Backup Targeting

Reports highlighted a rising trend of criminal groups using advanced social engineering, such as Scattered Spider's playbook of impersonating employees to help desks and resetting credentials, to gain access to backup systems. By targeting recovery infrastructure, attackers aimed to prolong outages, amplify extortion leverage, and reduce victims' ability to recover without paying ransoms.
