Microsoft SharePoint Hacked: Why Every Business Should Take It Seriously

July 24, 2025

In July 2025, Microsoft confirmed that state-backed Chinese hackers had compromised its on-premises SharePoint document servers.

Groups known as Linen Typhoon, Violet Typhoon, and Storm-2603 exploited a newly discovered vulnerability in self-hosted SharePoint — the version of the platform that many organisations run on their own infrastructure.

Importantly, Microsoft’s cloud-based SharePoint Online service was not affected.

Microsoft has released security patches and strongly advised all affected organisations to apply the updates immediately. Unpatched servers remain vulnerable, and investigations into further incidents are ongoing.

According to Microsoft, the attackers used the flaw to steal cryptographic key material, giving them the ability to access sensitive data undetected. Victims span sectors including government, defence, education, finance, and healthcare across multiple regions.

What This Means for Your Organisation

If a company as sophisticated as Microsoft can fall victim to cyberattacks, every organisation should be alert.

This breach did not rely on advanced cyberweapons — it exploited an unpatched vulnerability. It highlights how cybercriminals often succeed not through complexity, but through speed and opportunism.

One leading cybersecurity expert described the SharePoint breach as “broad and opportunistic”, with several groups exploiting the vulnerability before a fix was available.

It is yet another example of how quickly threat actors can act once a weakness is exposed.

It Doesn’t Take Much — Sometimes Just a Password

This incident comes just days after we discussed the case of KNP Group, a 158-year-old logistics firm that collapsed in 2023 following a ransomware attack.

Read how one weak password brought down a 158-year-old business

Investigators believe the breach may have begun with something as simple as a single compromised password.

Once inside the network, attackers encrypted the entire system and demanded a ransom in the millions. KNP was unable to recover — resulting in business closure and 700 job losses.

The similarities between these two cases are striking: both involved widely used systems, both were exploited quickly, and both could potentially have been prevented through basic security measures.

Why SMEs Are Particularly at Risk

Small and medium-sized enterprises (SMEs) often underestimate their exposure to cyber threats. In reality, they are increasingly targeted, as attackers view them as easier to compromise.

Common vulnerabilities include:

  • Outdated or unpatched systems

  • Weak password practices

  • Limited staff training on cybersecurity

  • Inadequate backup and disaster recovery plans

  • Lack of in-house IT or security expertise

These factors make SMEs a preferred target — what attackers refer to as “low-hanging fruit”.

And as we’ve seen time and again, the consequences of a breach can be catastrophic.

Thinking of Moving to the Cloud? Now’s the Time

This breach was a wake-up call for many — but it also underscored the resilience of Microsoft’s cloud-based SharePoint Online, which remained secure throughout the attack.

If your business is still running on-premises SharePoint, now is the ideal time to consider migrating to the cloud.

At Black Sheep Support, we help businesses:

  • Apply critical SharePoint updates

  • Assess security vulnerabilities

  • Seamlessly migrate from on-prem SharePoint to SharePoint Online

  • Provide ongoing cloud support and guidance

Whether you’re planning a full migration or just need advice on where to start, we’re here to help you transition securely and efficiently.

Book a free consultation today and speak to one of our experts about how we can support your business — from patching and hardening your existing infrastructure, to helping you move forward with cloud confidence.

Was SharePoint Online affected by the breach?

No. Microsoft confirmed that only self-hosted (on-premises) SharePoint servers were affected. SharePoint Online—part of Microsoft 365—remained secure and was not impacted by the vulnerability exploited in this attack.

What exactly did the hackers gain access to?

The attackers exploited a vulnerability to access cryptographic key material, which allowed them to steal sensitive data without detection. Victims include organisations across government, finance, education, healthcare, and other sectors.

How can I tell if my organisation is at risk?

If your business uses on-premises SharePoint and hasn’t applied Microsoft’s latest security patches, your systems could be vulnerable. Risk also increases if you have weak passwords, poor patch management, or limited security monitoring in place.

Why are SMEs more vulnerable to attacks like this?

SMEs often lack dedicated IT or cybersecurity teams, making them slower to patch systems or detect suspicious activity. Common issues include outdated infrastructure, inadequate backups, and limited employee training, which attackers exploit.

What should we do next — patch or migrate?

Ideally, both. Apply critical patches immediately to protect against the current vulnerability, and then consider migrating to SharePoint Online for long-term security and resilience. Black Sheep Support can help with patching, audits, and cloud migration to ensure your systems are secure.