Microsoft is scrambling to patch its SharePoint collaboration and document management platform following the discovery of a critical zero-day exploit(หน้าต่างใหม่) that has already been weaponized(หน้าต่างใหม่) to target hundreds of servers across government agencies, universities, energy operators, and private-sector organizations in the US, Europe, and Asia.

What happened?

SharePoint is a web application from Microsoft that’s used for sharing files and building self-contained computer networks (intranets). Importantly in the context of this data breach, SharePoint can be hosted either on premises (on an organization’s local servers) or as a Microsoft 365 hosted service.

Starting on July 18, 2025, attackers began to exploit a chain of critical vulnerabilities(หน้าต่างใหม่) that allow unauthenticated arbitrary code execution(หน้าต่างใหม่) and privilege escalation(หน้าต่างใหม่) to access the on‑premises SharePoint Server (versions 2016, 2019, and Subscription Edition) software. Instances of SharePoint running on Microsoft 365 servers are unaffected.

Collectively, the vulnerabilities are known as ToolShell(หน้าต่างใหม่) because they exploit ToolPane.aspx, a component for assembling the side panel view in the SharePoint user interface.

Why is ToolShell dangerous?

These exploits allow attackers to access some of the most sensitive parts of a self-hosted SharePoint server. From there, they can:

ToolShell is worryingly hard to detect: It uses standard SharePoint pages (/_layouts/ToolPane.aspx), doesn’t require an attacker to log in to SharePoint, leaves minimal traces on the infected system, and often encrypts the payloads. A company might have hackers lurking in their network, stealing customer data or trade secrets, and never know it.

Who has been impacted?

Hundreds(หน้าต่างใหม่) of companies and organizations around the world have been compromised by ToolShell. Notable victims include multiple US federal agencies and critical infrastructure providers:

Who is responsible?

According to Microsoft, two Chinese state-sponsored hacking groups(หน้าต่างใหม่) (Linen Typhoon and Violet Typhoon), plus the (non-state sponsored) Chinese hacking group Storm-2603, were responsible for the initial attacks on SharePoint systems.

However, the notable acceleration of attacks(หน้าต่างใหม่) through July 18–24 strongly suggests use of the exploits has spread throughout the global hacking community.

How to respond and mitigate against ToolShell

Microsoft has now released comprehensive security updates(หน้าต่างใหม่) for supported versions of SharePoint Server (Subscription Edition, 2019, and 2016) to address these vulnerabilities. If you are an on-premises SharePoint administrator, we strongly recommend that you apply these updates immediately.

Microsoft also recommends turning on the Antimalware Scan Interface (AMSI) using Full Mode(หน้าต่างใหม่), and deploying anti-malware software. If you’re using an unsupported version of SharePoint, you should air-gap your servers (that is, disconnect them from the internet) until a patch becomes available.

Can using Proton help?

Using Proton products can’t stop hackers from compromising your self-hosted SharePoint server, but they can help mitigate against some the damage if your organization is attacked.

Proton Pass

Our end-to-end encrypted (E2EE) password manager can help prevent lateral movement by securely storing credentials, API tokens, and service accounts — keeping them off exposed servers and out of the code running on them.

Proton Drive

Similarly, our E2EE cloud storage solution can improve your operational resilience to attacks like ToolShell by keeping your sensitive files and internal documents off compromised infrastructure. Drive provides a highly secure and convenient way to share files among colleagues. When you store files on Proton Drive, no one can access them except you and those you share them with.

Escalating risks for businesses

The ToolShell SharePoint breach is a sobering reminder of the growing sophistication and urgency of threats targeting enterprise infrastructure. By exploiting zero-day vulnerabilities in Microsoft SharePoint, attackers were able to bypass authentication, implant persistent backdoors, and in some cases, steal cryptographic keys that allowed them to silently retain access even after patches were applied.

The scale of the attacks — which have affected hundreds of around the world — and the high-value to the targets, including critical infrastructure and government agencies, underscore how dangerous and far-reaching this exploit chain has been.