Microsoft is scrambling to patch its SharePoint collaboration and document management platform following the discovery of a critical zero-day exploit that has already been weaponized to target hundreds of servers across government agencies, universities, energy operators, and private-sector organizations in the US, Europe, and Asia.

What happened?

SharePoint is a web application from Microsoft that’s used for sharing files and building self-contained computer networks (intranets). Importantly in the context of this data breach, SharePoint can be hosted either on premises (on an organization’s local servers) or as a Microsoft 365 hosted service.

Starting on July 18, 2025, attackers began to exploit a chain of critical vulnerabilities that allow unauthenticated arbitrary code execution and privilege escalation to access the on-premises SharePoint Server (versions 2016, 2019, and Subscription Edition) software. Instances of SharePoint running on Microsoft 365 servers are unaffected.

Collectively, the vulnerabilities are known as ToolShell because they exploit ToolPane.aspx, a component for assembling the side panel view in the SharePoint user interface.

Why is ToolShell dangerous?

These exploits allow attackers to access some of the most sensitive parts of a self-hosted SharePoint server. From there, they can:

  • Exfiltrate (steal) sensitive data, including the keys used to encrypt session tokens and cookies. With these keys, attackers can forge authentication tokens and stay inside the network — even after it has been patched or updated (presumably, this doesn’t apply to Microsoft’s latest “comprehensive” patches, which are specifically designed to address these vulnerabilities).
  • Install backdoors that allow them to easily re-enter the system at any point in the future.
  • Spread across a company’s systems — by using stolen credentials or forged tokens, the attacker can move deeper into the victim’s internal systems and SharePoint environment. This is known as lateral movement.
  • Install ransomware — ToolShell has already been used to deploy ransomware such as Warlock and Lockbit on compromised systems.

ToolShell is worryingly hard to detect: It uses standard SharePoint pages (/_layouts/ToolPane.aspx), doesn’t require an attacker to log in to SharePoint, leaves minimal traces on the infected system, and often encrypts the payloads. A company might have hackers lurking in their network, stealing customer data or trade secrets, and never know it.
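Because the exploit chain rides on a legitimate page (ToolPane.aspx) and needs no login, one place a defender can still look is the IIS web log of an on-premises SharePoint server. The following is an added example, not code from the original post or from Microsoft: it parses a constructed IIS W3C log excerpt and flags ToolPane.aspx requests made without an authenticated user, and additionally those whose Referer is SignOut.aspx, a pattern Microsoft has published as an indicator for this chain. The field order, hostnames and addresses are assumed for the sample.

```python
# Constructed IIS W3C log excerpt (sample input, not from any real server).
# Field order follows the #Fields header line, exactly as IIS writes it.
SAMPLE_IIS_LOG = """\
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status
2025-07-19 03:12:41 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\jdoe 10.0.0.77 Mozilla/5.0 - 200
2025-07-19 03:13:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 203.0.113.9 Mozilla/5.0 /_layouts/SignOut.aspx 200
2025-07-19 03:20:17 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.0.12 Mozilla/5.0 /_layouts/15/settings.aspx 200
2025-07-19 03:25:40 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.4 curl/8.0 - 401
"""


def parse_iis_log(text):
    """Parse W3C-format IIS log text into dicts keyed by the #Fields names."""
    fields, records = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names for the lines that follow
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # malformed line: skip rather than mis-assign columns
        rec = dict(zip(fields, values))
        rec["lineno"] = lineno
        records.append(rec)
    return records


def find_toolpane_suspects(records):
    """Return (lineno, client_ip, reason) for ToolPane.aspx requests that look unauthenticated."""
    hits = []
    for r in records:
        stem = r.get("cs-uri-stem", "").lower()
        if not stem.endswith("/toolpane.aspx"):
            continue
        reasons = []
        # cs-username is '-' when IIS did not authenticate the client; with claims-based
        # auth it may be '-' for everyone, so tune this signal to your auth mode.
        if r.get("cs-username", "-") == "-":
            reasons.append("no authenticated user")
        if r.get("cs(Referer)", "-").lower().endswith("/signout.aspx"):
            reasons.append("Referer is SignOut.aspx")
        if reasons:
            hits.append((r["lineno"], r.get("c-ip"), "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for lineno, ip, reason in find_toolpane_suspects(parse_iis_log(SAMPLE_IIS_LOG)):
        print(f"line {lineno}: {ip} -> {reason}")
```

The authenticated administrator editing a page (line 4 of the sample) is normal SharePoint activity and is not flagged; a hit is a starting point for investigation, not proof of compromise.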

Who has been impacted?

Hundreds of companies and organizations around the world have been compromised by ToolShell. Notable victims include multiple US federal agencies and critical infrastructure providers:

  • National Nuclear Security Administration (NNSA) – The breach impacted few systems and did not involve classified data.
  • National Institutes of Health (NIH) – At least one SharePoint server was breached and later isolated. There was no evidence of data exfiltration.
  • Department of Health and Human Services (HHS) and Department of Homeland Security (DHS) – Both agencies experienced confirmed breaches through the ToolShell chain, though no sensitive data loss has been reported.
  • California Independent System Operator (CAISO) – The operator of California’s electric grid was breached, but grid operations remained unaffected.

Who is responsible?

According to Microsoft, two Chinese state-sponsored hacking groups (Linen Typhoon and Violet Typhoon), plus the (non-state sponsored) Chinese hacking group Storm-2603, were responsible for the initial attacks on SharePoint systems.

However, the notable acceleration of attacks through July 18–24 strongly suggests use of the exploits has spread throughout the global hacking community.

How to respond and mitigate against ToolShell

Microsoft has now released comprehensive security updates for supported versions of SharePoint Server (Subscription Edition, 2019, and 2016) to address these vulnerabilities. If you are an on-premises SharePoint administrator, we strongly recommend that you apply these updates immediately.

Microsoft also recommends turning on the Antimalware Scan Interface (AMSI) using Full Mode, and deploying anti-malware software. If you’re using an unsupported version of SharePoint, you should air-gap your servers (that is, disconnect them from the internet) until a patch becomes available.

Can using Proton help?

Using Proton products can’t stop hackers from compromising your self-hosted SharePoint server, but they can help mitigate some of the damage if your organization is attacked.

Proton Pass

Our end-to-end encrypted (E2EE) password manager can help prevent lateral movement by securely storing credentials, API tokens, and service accounts — keeping them off exposed servers and out of the code running on them.

Proton Drive

Similarly, our E2EE cloud storage solution can improve your operational resilience to attacks like ToolShell by keeping your sensitive files and internal documents off compromised infrastructure. Drive provides a highly secure and convenient way to share files among colleagues. When you store files on Proton Drive, no one can access them except you and those you share them with.

Escalating risks for businesses

The ToolShell SharePoint breach is a sobering reminder of the growing sophistication and urgency of threats targeting enterprise infrastructure. By exploiting zero-day vulnerabilities in Microsoft SharePoint, attackers were able to bypass authentication, implant persistent backdoors, and in some cases, steal cryptographic keys that allowed them to silently retain access even after patches were applied.

The scale of the attacks — which have affected hundreds of organizations around the world — and the high value of the targets, including critical infrastructure and government agencies, underscore how dangerous and far-reaching this exploit chain has been.