In mid-July 2025, cybersecurity researchers detected a large-scale, coordinated exploitation campaign targeting on-premises Microsoft SharePoint servers, with attack activity traced back to July 7, 2025. The attackers leveraged two previously unknown zero-day vulnerabilities, CVE-2025-53770 (unauthenticated remote code execution through deserialization of untrusted data) and CVE-2025-53771 (a spoofing flaw chained with it to reach the vulnerable code path), in what is now known as the "ToolShell" campaign. These flaws enabled attackers to infiltrate systems, gain administrative access, and plant persistent backdoors, posing a critical threat to enterprise data security worldwide.
Both vulnerabilities are reachable by remote, unauthenticated attackers over HTTP(S) to the SharePoint web front end; no credentials or user interaction are required.
The attacks appear stealthy and surgically targeted, with compromises dating back to early July 2025.
Attribution efforts by Microsoft Threat Intelligence and several global cybersecurity firms suggest that the operation was carried out by state-linked Chinese threat actors, including the groups Microsoft tracks as Linen Typhoon and Violet Typhoon, along with a third China-based actor, Storm-2603.
These groups reportedly stole the servers' ASP.NET machine keys (the ValidationKey and DecryptionKey), which let them sign their own __VIEWSTATE payloads and regain code execution even after the server is patched, manipulated internal services, and embedded long-lasting access points across enterprise networks. Although no classified data exfiltration has been confirmed, the depth of penetration indicates potential for espionage, lateral movement, and future disruption.
In a troubling development, Microsoft is also investigating a possible leak from its Microsoft Active Protections Program (MAPP), a vulnerability-sharing program for trusted security partners. Reports suggest that details of the SharePoint vulnerabilities may have leaked through MAPP before official patches were released, possibly giving attackers a head start.
This raises serious questions about insider risk and the timing of the exploit wave.
Given the scope of the attack, both Microsoft and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) have issued urgent advisories, and CISA has added CVE-2025-53770 to its Known Exploited Vulnerabilities catalog.
Both recommend treating the campaign as an active espionage operation, not merely opportunistic cybercrime.
Organizations running on-premises Microsoft SharePoint (SharePoint Server 2016, 2019, and Subscription Edition) are at high risk; SharePoint Online in Microsoft 365 is not affected.
Early indicators show that the attackers prioritized stealth and persistence, making it likely that many compromises remain undetected.
ToolShell is the name given to the exploit chain and the custom web shell backdoor the threat actors deploy with it on compromised servers.
The web shell evades standard antivirus because it is a plain .aspx page executing inside the legitimate SharePoint IIS worker process (w3wp.exe) rather than a separate binary.
If you're an IT admin, CISO, or security engineer, here are critical actions to take today:
Action Item | Priority |
---|---|
Apply Microsoft's out-of-band SharePoint security updates for CVE-2025-53770 and CVE-2025-53771 (the July Patch Tuesday fixes for the earlier variants, CVE-2025-49704 and CVE-2025-49706, were bypassed) | Critical |
Scan IIS and SharePoint logs for ToolShell patterns: POSTs to /_layouts/15/ToolPane.aspx with a SignOut.aspx referer, requests to spinstall0.aspx, and unexpected .aspx files in the LAYOUTS folder | Critical |
Isolate and reimage compromised servers; patching alone does not evict an attacker who already has a web shell in place | High |
Rotate the SharePoint ASP.NET machine keys (ValidationKey and DecryptionKey) and restart IIS, then rotate privileged credentials and certificates | High |
Enable AMSI integration for SharePoint with Defender Antivirus (or an equivalent engine) and application control | Recommended |
Deploy endpoint detection and response (EDR/XDR) on SharePoint servers | Recommended |
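The log-scanning item above deserves a concrete check. The script below is an example added for this article, not Microsoft's or CISA's tooling: it parses IIS W3C logs exported from a SharePoint web front end and flags the ToolShell exploitation pattern (a POST to `/_layouts/15/ToolPane.aspx` with `DisplayMode=Edit` and a `/_layouts/SignOut.aspx` referer), unauthenticated ToolPane edit POSTs as a lower-confidence signal, and any request to the dropped `spinstall0.aspx` web shell or a `spinstall*.aspx` variant. The log lines in `SAMPLE_LOG` are constructed for the example; hostnames and IP addresses are placeholders.

```python
"""Hunt IIS W3C logs from an on-prem SharePoint server for ToolShell exploitation traces.

Added example for this article (not Microsoft's or CISA's tooling). Indicators assumed:
  * POST to /_layouts/15/ToolPane.aspx with DisplayMode=Edit and a /_layouts/SignOut.aspx Referer
  * any request to spinstall0.aspx (or a renamed spinstall*.aspx), the dropped web shell
SAMPLE_LOG is constructed; hosts and IPs are placeholders.
"""
from __future__ import annotations

import posixpath
from dataclasses import dataclass
from typing import Iterable, Iterator
from urllib.parse import parse_qs


@dataclass(frozen=True)
class Hit:
    line_no: int
    reason: str
    client_ip: str
    uri: str


def parse_w3c(lines: Iterable[str]) -> Iterator[tuple[int, dict[str, str]]]:
    """Yield (line number, field -> value) per entry, mapping columns from '#Fields:' headers."""
    fields: list[str] = []
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split(":", 1)[1].split()
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        if not fields:
            raise ValueError(f"line {n}: log entry before any #Fields header")
        values = line.split(" ")
        if len(values) != len(fields):
            continue  # truncated or garbled entry: skip rather than mis-map columns
        yield n, dict(zip(fields, values))


def _field(rec: dict[str, str], name: str) -> str:
    """IIS writes '-' for an absent value; normalise that to an empty string."""
    value = rec.get(name, "-")
    return "" if value == "-" else value


def classify(rec: dict[str, str]) -> str | None:
    """Return an indicator name for a suspicious entry, or None for benign traffic."""
    stem = _field(rec, "cs-uri-stem").lower()
    method = _field(rec, "cs-method").upper()
    base = posixpath.basename(stem)

    # The dropped web shell; attackers have renamed it, hence the prefix match.
    if base.startswith("spinstall") and base.endswith(".aspx"):
        return "webshell-request"

    if method == "POST" and stem.endswith("/_layouts/15/toolpane.aspx"):
        query = {k.lower(): [v.lower() for v in vs]
                 for k, vs in parse_qs(_field(rec, "cs-uri-query")).items()}
        if "edit" in query.get("displaymode", []):
            referer = _field(rec, "cs(Referer)").lower()
            if referer.endswith("/_layouts/signout.aspx"):
                return "toolpane-post-signout-referer"  # the published exploit signature
            if not _field(rec, "cs-username"):
                return "toolpane-post-unauthenticated"  # legitimate ToolPane edits come from logged-in users
    return None


def hunt(lines: Iterable[str]) -> list[Hit]:
    """Run classify() over every entry and collect the suspicious ones in log order."""
    hits: list[Hit] = []
    for n, rec in parse_w3c(lines):
        reason = classify(rec)
        if reason:
            uri = _field(rec, "cs-uri-stem")
            if _field(rec, "cs-uri-query"):
                uri += "?" + _field(rec, "cs-uri-query")
            hits.append(Hit(n, reason, _field(rec, "c-ip"), uri))
    return hits


# Constructed sample log: one benign GET, the exploit POST, the web shell fetch,
# a legitimate authenticated ToolPane edit, and an unauthenticated probe that got a 401.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 22:41:03 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\alice 10.0.0.21 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 120
2025-07-18 22:41:09 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) https://sharepoint.example.com/_layouts/SignOut.aspx 200 0 0 87
2025-07-18 22:41:11 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.7 Mozilla/5.0+(Windows+NT+10.0) - 200 0 0 15
2025-07-18 22:45:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\bob 10.0.0.33 Mozilla/5.0+(Windows+NT+10.0) https://sharepoint.example.com/sites/hr/SitePages/Home.aspx 200 0 0 210
2025-07-18 22:52:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 198.51.100.9 python-requests/2.32 - 401 0 0 9
"""

if __name__ == "__main__":
    for hit in hunt(SAMPLE_LOG.splitlines()):
        print(f"line {hit.line_no}: {hit.reason} from {hit.client_ip} -> {hit.uri}")
```

Run it against the files under `%SystemDrive%\inetpub\logs\LogFiles\W3SVC*` (or wherever the farm writes IIS logs) rather than the sample. A `toolpane-post-signout-referer` hit is the exploit itself and means the machine keys must be treated as stolen regardless of whether a web shell was found; a `webshell-request` hit means the server should be isolated and reimaged, not just patched. Note that a 200 response to the exploit POST is expected even on a patched server, so the referer signature is a record of an attempt, and the web shell or key theft is the evidence of success.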
"This campaign has all the hallmarks of a stealthy cyberespionage operation: stealth, precision, and patient persistence. Organizations must act as if they've already been compromised."
- CyberDudeBivash Threat Research Team
The ToolShell Campaign is a wake-up call for enterprises relying on legacy or poorly secured on-prem systems.
Cyberwarfare is not futuristic; it is happening now, targeting critical infrastructure with advanced TTPs and insider intel. Patch. Investigate. Assume breach. Act now.
#CyberAttack #Microsoft #SharePoint #ZeroDay #ToolShell #LinenTyphoon #CISA #CyberDudeBivash