Microsoft SharePoint Hacked: Why Every Business Should Take It Seriously

Cyber Security · 2025-07-24 · 13 min read

Rodney
Head of Tech Realism · Black Sheep Support

In July 2025, a critical vulnerability sent shockwaves through the cybersecurity world, directly impacting organisations worldwide that rely on Microsoft's on-premises SharePoint document servers. This wasn't merely a theoretical threat; it was a confirmed exploit, with Microsoft announcing that sophisticated, state-backed Chinese hacking groups had actively leveraged this flaw to compromise the servers of numerous businesses. The incident served as a stark reminder that even robust, widely used platforms are not immune to attack, and that the responsibility for security often rests squarely with the organisations managing their own infrastructure. Groups identified as Linen Typhoon, Violet Typhoon, and Storm-2603 swiftly exploited this newly discovered weakness in self-hosted SharePoint environments, targeting a diverse range of organisations. Crucially, Microsoft's cloud-based SharePoint Online service remained unaffected, highlighting a significant difference in security posture. While Microsoft rapidly released security patches and urged all affected organisations to update their systems immediately, unpatched servers remained — and continue to remain — vulnerable, underscoring the urgency of the situation and the ongoing investigations into further incidents. According to Microsoft, the attackers used the flaw to steal cryptographic key material, effectively granting them undetected access to sensitive data across sectors including government, defence, education, finance, and healthcare. This incident is a profound wake-up call for every business, especially UK SMEs, demonstrating that a proactive and robust cybersecurity strategy is not just an option, but an absolute necessity.

The SharePoint Server Attack Explained: A Deep Dive into the Threat

The July 2025 SharePoint server vulnerability, identified as CVE-2023-29357, was a zero-day exploit, meaning it was discovered and exploited by attackers before a patch was publicly available. This particular flaw allowed attackers to achieve privilege escalation, essentially giving them higher-level access to the compromised server. Once inside, the objective was clear: data exfiltration. By stealing cryptographic key material, the attackers could decrypt encrypted data, access sensitive documents, and potentially establish persistent footholds within affected networks for long-term espionage.

The involvement of state-backed groups like Linen Typhoon, Violet Typhoon, and Storm-2603 elevates the seriousness of this incident beyond typical criminal activity. These groups are known for their advanced capabilities and strategic objectives, often targeting intellectual property, government secrets, and critical infrastructure. Their swift exploitation of the SharePoint vulnerability demonstrates a high level of coordination and technical prowess.

What makes this incident particularly concerning is that it didn't rely on highly complex, never-before-seen cyberweapons. Instead, it exploited a fundamental weakness: an unpatched vulnerability on servers managed by individual companies. This highlights a common pattern in cybercrime: attackers often succeed not through technological complexity, but through speed and opportunism. As one leading cybersecurity expert noted, the SharePoint breach was "broad and opportunistic," with multiple groups moving quickly to exploit the vulnerability before a fix could be widely applied. This rapid exploitation window, where a vulnerability is public but a patch isn't yet deployed, is a critical period that businesses must minimise through diligent patch management.

Why UK SMEs Are Prime Targets for Such Attacks

Small and medium-sized enterprises (SMEs) in the UK often mistakenly believe they are too small to be targeted by sophisticated cyberattacks. The reality, however, is quite the opposite. Attackers increasingly view SMEs as "low-hanging fruit" – easier to compromise than larger organisations with dedicated security teams, yet still possessing valuable data or serving as stepping stones to supply chain attacks against bigger targets. The SharePoint incident, while global, underscores specific vulnerabilities prevalent within the UK SME landscape:

Outdated or Unpatched Systems

Many UK SMEs operate with limited IT resources, often leading to a backlog of critical updates. On-premises servers, like the affected SharePoint systems, require manual or carefully managed patching. If these systems are not regularly updated, they become glaring targets for attackers who actively scan for known vulnerabilities. In the SharePoint case the first wave of exploitation happened before any patch existed, so patching alone could not have prevented it; but once Microsoft released the fix, every server that stayed unpatched remained exposed, and that principle holds true for any known vulnerability.

Weak Password Practices

The devastating case of KNP Group, a 158-year-old logistics firm that collapsed following a ransomware attack in 2023, serves as a grim reminder. Investigators believe that breach may have originated from something as simple as a single compromised password. Once inside, attackers encrypted the entire system, demanding a multi-million-pound ransom. KNP Group was unable to recover, leading to business closure and 700 job losses. This tragic outcome highlights how a seemingly minor security lapse can have catastrophic consequences.

Limited Staff Training on Cybersecurity

Employees are often the first line of defence, yet they can also be an organisation's weakest link if not properly trained. Phishing attacks, social engineering, and a general lack of awareness about secure computing practices can easily lead to breaches. A single click on a malicious link or the inadvertent sharing of credentials can open the door for attackers.

Inadequate Backup and Disaster Recovery Plans

When a system is compromised, a robust backup and disaster recovery plan is paramount. Many SMEs either lack such plans entirely or have untested, incomplete ones. Without reliable backups, a ransomware attack or data corruption event can lead to irreversible data loss and operational paralysis, as seen with KNP Group.

Lack of In-house IT or Security Expertise

Most SMEs don't have the luxury of a dedicated cybersecurity team. IT responsibilities often fall to a single individual, or are outsourced piecemeal, leading to gaps in expertise and oversight. This makes it challenging to keep abreast of emerging threats, implement best practices, and respond effectively to incidents.

Budget Constraints

Cybersecurity often seems like an overhead rather than an investment, especially for budget-conscious SMEs. This can lead to underinvestment in essential security tools, training, and expert support, inadvertently increasing their risk exposure.

These factors combine to make UK SMEs particularly susceptible to opportunistic attacks, turning them into attractive targets for cybercriminals and state-backed actors alike. The consequences, as demonstrated by the SharePoint and KNP Group incidents, can be existential.

Essential Security Measures Every UK SME Must Implement

Protecting your business in today's threat landscape requires a multi-layered, proactive approach. For UK SMEs, implementing these fundamental security measures is non-negotiable:

1. Timely Patch Management

  • Automated Updates: Where possible, configure systems (operating systems, applications, firmware) to update automatically. For critical servers, schedule updates outside of business hours to minimise disruption.
  • Regular Audits: Regularly audit your software and hardware inventory to ensure all components are accounted for and receiving updates.
  • Immediate Action for Critical Patches: For vulnerabilities like the SharePoint exploit, apply patches immediately upon release. Establish a clear process for monitoring security advisories from vendors like Microsoft.
  • Third-Party Software: Don't forget non-Microsoft applications. Browser plugins, PDF readers, and other business software can also introduce vulnerabilities.
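The steps above come together in a check that a SharePoint administrator can schedule on each farm server. The script below is an added example, not code from the article or from Microsoft: it compares the farm's build against the minimum build named in a vendor advisory and reports how many days the server has sat inside the exploitation window. The `$RequiredBuild` and `$PatchReleased` values are placeholders to be taken from the advisory you are tracking (the values shown are constructed, not from any real advisory), and the script assumes the `Microsoft.SharePoint.PowerShell` snap-in is available on the server where it runs.

```powershell
# Added example (not from the article): report whether this SharePoint farm is
# at or above the build required by a vendor advisory, and how long it has been
# exposed if not. Run on a farm server with the SharePoint PowerShell snap-in.

param(
    [Version]$RequiredBuild  = '16.0.0.0',    # placeholder: fixed build from the advisory
    [datetime]$PatchReleased = '2025-07-20',  # placeholder: advisory publication date
    [int]$MaxDaysUnpatched   = 2              # your policy for critical patches
)

function Get-SharePointPatchStatus {
    param([Version]$RequiredBuild, [datetime]$PatchReleased, [int]$MaxDaysUnpatched)

    # Load the SharePoint cmdlets if the session does not already have them.
    if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
    }

    $farm    = Get-SPFarm
    $current = $farm.BuildVersion            # System.Version of the farm build
    $patched = $current -ge $RequiredBuild

    # Exposure window: days since the fix was published that the farm stayed unpatched.
    $daysExposed = if ($patched) { 0 } else { [int]((Get-Date) - $PatchReleased).TotalDays }

    # Most recent OS-level update, as a sanity check that patching runs at all.
    $lastHotfix = Get-HotFix |
        Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    # Servers in the farm (SQL-only hosts show the 'Invalid' role and are skipped).
    $members = Get-SPServer |
        Where-Object Role -ne 'Invalid' |
        Select-Object -ExpandProperty Name

    [pscustomobject]@{
        Server        = $env:COMPUTERNAME
        FarmBuild     = $current.ToString()
        RequiredBuild = $RequiredBuild.ToString()
        Patched       = $patched
        DaysExposed   = $daysExposed
        OverPolicy    = (-not $patched) -and ($daysExposed -gt $MaxDaysUnpatched)
        LastOsHotfix  = if ($lastHotfix) {
                            "$($lastHotfix.HotFixID) on $($lastHotfix.InstalledOn.ToShortDateString())"
                        } else { 'none recorded' }
        FarmServers   = ($members -join ', ')
    }
}

$status = Get-SharePointPatchStatus -RequiredBuild $RequiredBuild `
                                    -PatchReleased $PatchReleased `
                                    -MaxDaysUnpatched $MaxDaysUnpatched
$status | Format-List

# A non-zero exit code lets a scheduler or RMM tool raise an alert for this server.
if ($status.OverPolicy) { exit 1 }
```

Run it as a scheduled task on every farm server and collect the exit code; a server that reports `OverPolicy = True` is one that has outlived your own patch deadline for a critical advisory, which is exactly the window the article describes attackers racing to use.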

2. Robust Password Policies and Multi-Factor Authentication (MFA)

  • Strong, Unique Passwords: Enforce policies requiring complex, unique passwords for all accounts, regularly encouraging password changes.
  • Mandatory MFA: Implement Multi-Factor Authentication (MFA) for all user accounts, especially for remote access, administrative accounts, and cloud services. MFA adds a crucial layer of security, making it exponentially harder for attackers to gain access even if they compromise a password.
  • Password Managers: Encourage or provide password manager solutions to help employees create and store strong, unique passwords securely.

3. Employee Cybersecurity Training

  • Regular and Engaging Training: Conduct mandatory, regular cybersecurity awareness training sessions. These should be practical, relevant, and engaging, covering topics like:
    • Phishing and Social Engineering: How to identify and report suspicious emails, links, and communications.
    • Safe Browsing Habits: Recognising secure websites, avoiding suspicious downloads.
    • Data Handling: Proper procedures for handling sensitive company and customer data.
    • Device Security: Importance of locking screens, not leaving devices unattended.
  • Simulated Phishing Drills: Periodically conduct simulated phishing campaigns to test employee vigilance and reinforce training.

4. Comprehensive Backup and Disaster Recovery (BDR)

  • The 3-2-1 Rule: Implement a backup strategy that adheres to the 3-2-1 rule:
    • 3 copies of your data: The original and two backups.
    • 2 different media types: e.g., local disk and cloud.
    • 1 copy offsite: Stored physically or virtually off-premises.
  • Regular Testing: Crucially, regularly test your backups to ensure they are recoverable and your disaster recovery plan works. A backup is only good if you can restore from it.
  • Immutable Backups: Consider immutable backups, which cannot be altered or deleted, providing an extra layer of protection against ransomware.
  • Incident Response Plan: Develop a clear, documented incident response plan outlining steps to take in the event of a breach, including communication protocols, data recovery procedures, and legal obligations (e.g., GDPR reporting).
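The "regular testing" step above is the one most often skipped, so here is an added example of what a restore test actually looks like; it is not code from the article or from any backup vendor. It records a SHA-256 manifest of the live files at backup time, restores the archive into a scratch directory (never over live data), and verifies every restored file against the manifest. The directory names and sample files are constructed for the demonstration; the same two functions apply to any file-level backup you can unpack to disk.

```powershell
# Added example (not from the article): prove a backup is restorable by restoring
# it to a scratch location and comparing file hashes against a manifest taken
# at backup time. Sample data and paths below are constructed for the demo.

function New-BackupWithManifest {
    param([string]$SourceDir, [string]$ArchivePath, [string]$ManifestPath)
    # Hash every file relative to the source root, then archive the tree.
    $manifest = Get-ChildItem -Path $SourceDir -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($SourceDir.Length).TrimStart('\', '/')
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    }
    ConvertTo-Json -InputObject @($manifest) | Set-Content -Path $ManifestPath
    Compress-Archive -Path (Join-Path $SourceDir '*') -DestinationPath $ArchivePath -Force
}

function Test-BackupRestore {
    param([string]$ArchivePath, [string]$ManifestPath, [string]$RestoreDir)
    # Restore into an empty scratch directory so the live data is never touched.
    if (Test-Path $RestoreDir) { Remove-Item $RestoreDir -Recurse -Force }
    New-Item -ItemType Directory -Path $RestoreDir | Out-Null
    Expand-Archive -Path $ArchivePath -DestinationPath $RestoreDir -Force

    $expected = Get-Content -Path $ManifestPath -Raw | ConvertFrom-Json
    $failures = foreach ($entry in @($expected)) {
        $restored = Join-Path $RestoreDir $entry.RelativePath
        if (-not (Test-Path $restored)) {
            "$($entry.RelativePath): missing after restore"
        } elseif ((Get-FileHash -Path $restored -Algorithm SHA256).Hash -ne $entry.Sha256) {
            "$($entry.RelativePath): hash mismatch (corrupt or tampered copy)"
        }
    }
    [pscustomobject]@{
        FilesChecked = @($expected).Count
        Failures     = @($failures)
        Restorable   = (@($failures).Count -eq 0)
    }
}

# --- Constructed demo: sample data, a backup, a restore test, then a bad copy ---
$root     = Join-Path ([IO.Path]::GetTempPath()) ('bdr-demo-' + [guid]::NewGuid())
$source   = Join-Path $root 'live'
$archive  = Join-Path $root 'backup.zip'
$manifest = Join-Path $root 'backup.manifest.json'
$restore  = Join-Path $root 'restore-test'

New-Item -ItemType Directory -Path (Join-Path $source 'finance') -Force | Out-Null
Set-Content -Path (Join-Path (Join-Path $source 'finance') 'invoices.csv') -Value "id,amount`n1,100"
Set-Content -Path (Join-Path $source 'policy.txt') -Value 'Constructed sample document'

New-BackupWithManifest -SourceDir $source -ArchivePath $archive -ManifestPath $manifest
Test-BackupRestore -ArchivePath $archive -ManifestPath $manifest -RestoreDir $restore | Format-List

# Simulate a copy that silently drifted from what was recorded: the archive is
# rebuilt after a file changed, but the manifest still describes the original.
Set-Content -Path (Join-Path $source 'policy.txt') -Value 'Changed after the manifest was taken'
Compress-Archive -Path (Join-Path $source '*') -DestinationPath $archive -Force
(Test-BackupRestore -ArchivePath $archive -ManifestPath $manifest -RestoreDir $restore).Failures

Remove-Item $root -Recurse -Force
```

The first run reports `Restorable = True`; the second lists `policy.txt: hash mismatch`, which is the signal you want from a scheduled restore test long before an incident forces a real one. Keep the manifest with the offsite copy so that the 3-2-1 rule's third copy can be verified independently of the system it came from.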

5. Network Segmentation and Least Privilege

  • Network Segmentation: Divide your network into smaller, isolated segments. If one segment is compromised, the damage is contained, preventing attackers from easily moving across your entire network.
  • Principle of Least Privilege: Grant users and systems only the minimum necessary access rights required to perform their tasks. This limits the potential damage if an account is compromised.

6. Endpoint Detection and Response (EDR) / Next-Gen Antivirus

  • Move beyond traditional antivirus. Invest in EDR solutions that provide advanced threat detection, real-time monitoring, and automated response capabilities on all endpoints (laptops, desktops, servers).

7. Regular Security Audits and Penetration Testing

  • Proactive Vulnerability Scanning: Periodically scan your systems for vulnerabilities.
  • Penetration Testing: Engage ethical hackers to simulate real-world attacks, identifying weaknesses before malicious actors do.
  • Cyber Essentials Certification: Pursue UK government-backed Cyber Essentials certification. This demonstrates a commitment to basic cybersecurity hygiene and is often a requirement for government contracts and supply chains.

The Cloud Advantage: Why SharePoint Online Stood Strong

One of the most significant takeaways from the SharePoint server vulnerability was the resilience of Microsoft's cloud-based SharePoint Online service, which remained secure throughout the attack. This distinction highlights a fundamental difference in how security is managed in the cloud versus on-premises environments, offering compelling reasons for UK SMEs to consider migration.

Why SharePoint Online Was Unaffected:

  • Microsoft's Massive Security Investment: Cloud providers like Microsoft invest billions in cybersecurity infrastructure, threat intelligence, and dedicated security teams. This level of investment is simply unachievable for most individual businesses.
  • Automated Patching and Updates: Microsoft automatically manages and applies security patches and updates to SharePoint Online, often before vulnerabilities are widely known or exploited. This eliminates the burden and potential for human error associated with manual patching on-premises.
  • Advanced Threat Detection and Response: SharePoint Online benefits from Microsoft's comprehensive suite of security tools, including AI-driven threat detection, real-time monitoring, and rapid incident response capabilities that continuously scan for and neutralise threats.
  • Layered Security Architecture: Cloud services are built with multiple layers of security, from physical data centre security to network, application, and data-level protections, all managed by experts.

Benefits of Migrating to SharePoint Online for UK SMEs:

  • Enhanced Security by Default: You inherit Microsoft's robust security infrastructure, benefiting from continuous updates, advanced threat protection, and expert monitoring without needing to manage it yourself.
  • Reduced IT Overhead: Migrating to the cloud reduces the need for costly on-premises server hardware, maintenance, power, and dedicated IT staff for server management. Your team can focus on strategic initiatives rather than infrastructure.
  • Improved Collaboration and Accessibility: SharePoint Online provides seamless collaboration features, allowing employees to access and work on documents from anywhere, on any device, securely.
  • Scalability and Flexibility: Easily scale your storage and user count up or down as your business needs evolve, paying only for what you use.
  • Built-in Compliance Features: Microsoft 365, including SharePoint Online, offers features and certifications that help businesses comply with regulations like GDPR, providing audit trails, data retention policies, and robust data protection.

If your business is still running on-premises SharePoint, now is an opportune time to evaluate the benefits of migrating to the cloud. It's not just about avoiding future vulnerabilities; it's about gaining a more secure, flexible, and efficient platform for your operations.

Navigating UK Regulatory Compliance and Cyber Essentials

For UK SMEs, the implications of a cyberattack extend beyond operational disruption and data loss. The regulatory landscape, particularly concerning data protection, imposes significant responsibilities and potential penalties.

GDPR Compliance

The General Data Protection Regulation (GDPR) is a cornerstone of data privacy law in the UK. Any breach involving personal data of UK citizens can trigger severe consequences:

  • Mandatory Breach Notification: You have a legal obligation to report certain types of data breaches to the Information Commissioner's Office (ICO) within 72 hours of becoming aware of them, especially if there's a risk to individuals' rights and freedoms.
  • Significant Fines: Non-compliance with GDPR can lead to hefty fines, up to £17.5 million or 4% of annual global turnover, whichever is greater.
  • Reputational Damage: A data breach can severely erode customer trust and damage your business's reputation, leading to lost business and long-term recovery challenges.
  • Legal Action: Individuals whose data has been compromised may pursue legal action against your business.

The SharePoint attack, which involved the theft of cryptographic key material and access to sensitive data, clearly falls under the purview of GDPR. Protecting personal data is not just good practice; it's a legal imperative.

Cyber Essentials Certification

The UK government-backed Cyber Essentials scheme is designed to help organisations protect themselves against common cyber threats. Achieving Cyber Essentials or Cyber Essentials Plus certification demonstrates a fundamental level of cybersecurity hygiene and is increasingly required for public sector contracts and within many supply chains.

  • Five Key Controls: Cyber Essentials focuses on five core technical controls:
    1. Firewalls: Securing your internet connection.
    2. Secure Configuration: Ensuring systems are set up in the most secure way.
    3. User Access Control: Managing who has access to your data and services.
    4. Malware Protection: Protecting against viruses and other malicious software.
    5. Patch Management: Keeping your devices and software up to date.
  • Benefits: Adhering to these controls directly addresses many of the vulnerabilities exploited in incidents like the SharePoint breach. It provides a clear framework for building a robust security posture, reducing your risk profile, and instilling confidence in your clients and partners.

For UK SMEs, understanding and actively working towards GDPR compliance and Cyber Essentials certification isn't just about avoiding fines; it's about building a foundation of trust, resilience, and operational integrity in a digitally connected world.

Key Takeaways

  • Cyber Threats Are Pervasive and Opportunistic: The Microsoft SharePoint server vulnerability demonstrates that even widely used, trusted platforms can be exploited, often targeting unpatched systems with speed and precision.
  • UK SMEs Are Prime Targets: Due to factors like limited resources, outdated systems, and insufficient training, SMEs are often seen as "low-hanging fruit" by cybercriminals and state-backed actors.
  • Proactive Security is Non-Negotiable: Fundamental measures like timely patch management, mandatory Multi-Factor Authentication (MFA), robust employee training, and comprehensive backup and disaster recovery plans are essential for survival.
  • Cloud Offers Significant Security Advantages: Microsoft's SharePoint Online remained secure during the attack, showcasing the enhanced protection, automated updates, and expert management available in cloud environments compared to on-premises solutions.
  • UK Regulatory Compliance is Critical: GDPR imposes strict obligations and potential penalties for data breaches, while Cyber Essentials provides a vital framework for building and demonstrating fundamental cybersecurity hygiene for UK businesses.
  • Expert Support is Vital: Navigating the complex cybersecurity landscape requires expertise. Whether hardening existing infrastructure or migrating to the cloud, partnering with experienced IT and cybersecurity providers can make all the difference.
