Microsoft Probes Whether Chinese Hackers Used Security Alert to Exploit SharePoint Flaw

Microsoft is investigating whether a leak from its Microsoft Active Protections Program (MAPP) enabled Chinese state‑linked hackers to exploit a critical SharePoint server vulnerability before its patch was fully effective, Bloomberg reported Friday.

The tech giant observed widespread exploitation by two groups, “Linen Typhoon” and “Violet Typhoon”, alongside a third China‑based actor, prompting Microsoft to question whether detailed vulnerability data shared with MAPP partners was misused.

The flaw, first demonstrated in May by Vietnamese researcher Dinh Ho Anh Khoa at Trend Micro’s Pwn2Own conference, received an initial patch in July. However, Microsoft noted in a Tuesday blog post that attackers began probing and exploiting on‑premises SharePoint servers as early as July 7, 2025, indicating that the fixes did not fully remediate the vulnerability.

Members of the MAPP program, which grants select security vendors early access to vulnerability disclosures and proof‑of‑concept exploits, were notified of the SharePoint issue on June 24, 2025, July 3, 2025 and July 7, 2025, according to Dustin Childs, head of threat awareness at Trend Micro’s Zero Day Initiative.

“The likeliest scenario is that someone in the MAPP program used that information to create the exploits,” Childs told Reuters. While Microsoft has declined to name any specific vendor, Childs noted that the majority of attack traffic originated from China, suggesting a MAPP partner in the region may have breached its non‑disclosure agreement.

Launched in 2008, MAPP is designed to give cybersecurity defenders a head start by providing detailed technical briefings and proof‑of‑concept code ahead of public disclosure. Microsoft’s 2012 public admonishment of Hangzhou DPTech, expelled for leaking MAPP data, underscored the program’s reliance on strict confidentiality.

In response to the current incident, Microsoft said it “continually evaluates the efficacy and security of all of our partner programs and makes necessary improvements.”

In the wake of the SharePoint breach, security researchers have identified over 100 compromised servers spanning government agencies, universities, energy firms and consulting groups across multiple continents. Microsoft has released an emergency patch and urged on‑premises customers to apply it immediately, while working on additional updates to address lingering vulnerabilities.

The probe into MAPP’s role arrives as organisations worldwide scramble to secure collaborative platforms and prevent data exfiltration. By examining whether privileged disclosure channels were compromised, Microsoft aims to safeguard future early‑warning systems essential to pre‑empting zero‑day attacks and bolstering cyber defences against sophisticated adversaries.