Global cybersecurity is once again in the spotlight. In August 2025, Microsoft announced major changes in how it shares vulnerability information with its partners, following a series of attacks that exploited flaws in SharePoint—its collaboration platform used by millions of organizations. The attacks were so severe that even U.S. government agencies and energy companies were compromised.
But beyond the headline, what matters is what these changes mean for you and any company that relies on Microsoft and its tools. At TecnetOne, we’ll break it down for you.
What Happened with the SharePoint Attacks?
It all started in late June 2025, when security researchers discovered two critical vulnerabilities—CVE-2025-53770 and CVE-2025-53771—that affected on-premises SharePoint servers. These were zero-day flaws, meaning they were unknown to the vendor and had no available patch at the time.
State-sponsored cybercriminal groups identified as Linen Typhoon and Violet Typhoon began exploiting them almost immediately. The impact was global: U.S. government agencies, universities, and energy companies were exposed. Even the U.S. National Nuclear Security Administration was listed among the potential victims.
Microsoft responded by releasing emergency patches, but the damage was already done—thousands of servers had been compromised.
What Is MAPP and Why Is It Relevant?
To understand Microsoft's reaction, you need to know about the Microsoft Active Protections Program (MAPP).
This program was designed to share early vulnerability information with security firms and technology partners. The idea was simple: if allies knew about a flaw ahead of time, they could protect customers faster.
The problem? That trust was breached—again.
- In 2012, Microsoft blamed a Chinese company for leaking confidential information about a critical Windows flaw.
- In 2021, during the Exchange Server attacks, information shared through MAPP was also suspected of having been leaked to threat actors.
Following the 2025 SharePoint incidents, Microsoft suspected further leaks and decided to restrict MAPP access for Chinese firms.
Microsoft’s New Policy Changes
Starting in July 2025, Microsoft began quietly enforcing new rules:
- No more Proof-of-Concept (PoC) code access
Previously, some partners received exploit examples to test defenses—but these could also be misused before patches were widely deployed.
- Only general descriptions for certain countries
Instead of code, Microsoft now provides a written summary of the vulnerability with the official patch.
- Stricter monitoring of MAPP members
Any company caught violating the rules—such as participating in offensive attacks—will be suspended or removed.
In the words of David Cuddy, a Microsoft spokesperson:
“We’re aware of the potential for abuse, which is why we’ve taken both public and confidential measures to prevent it. We continuously review participants and take action if we detect violations.”
China’s Role and Geopolitical Tensions
Microsoft didn’t directly accuse the Chinese government, but clearly linked the attacks to state-sponsored groups. Predictably, Beijing denied involvement, stating that China "opposes and combats cybercrime in accordance with the law."
This kind of back-and-forth is becoming more common. Cybersecurity is now a geopolitical flashpoint, and tech giants like Microsoft are caught in the middle.
What does this mean for your business? That even if you're a small or medium-sized company, using widely adopted software puts you on the radar of attackers.
Key Lessons from the SharePoint Case
This case offers several critical takeaways:
- Time is everything
Attackers exploit flaws in minutes. Meanwhile, most companies take hours—or days—to verify alerts. That time gap is dangerous.
- Zero-day threats are real
They’re no longer reserved for spies or military-grade threats. They're part of everyday cyber risk.
- Blind trust in third parties is a liability
Even well-meaning programs like MAPP can lead to leaked info and new threats.
- Visibility and segmentation are crucial
With hybrid infrastructure—cloud, on-prem, third parties—having a unified view of access and patching is non-negotiable.
What Your Company Can Do
At TecnetOne, we know stories like this may feel distant—but they impact your daily operations. Here’s how to respond:
Strengthen vulnerability management
Don’t wait for patches. Inventory your assets, prioritize critical systems, and patch as soon as updates are available.
Run incident response drills
If a new “ToolShell” attack hit tomorrow, how would your team react? Practice your response plan before it’s needed.
Monitor identities and access
Most breaches start with valid credentials. Use Identity and Access Management (IAM) tools to detect anomalies and reduce attack surfaces.
Integrate threat intelligence
Don’t rely solely on vendor updates. Use real-time threat feeds to stay ahead of campaigns like those run by Linen Typhoon or Violet Typhoon.
Assess your digital supply chain
Third-party risks are your risks. Audit which vendors access your systems and how they secure sensitive information.
Conclusion: A Stark Reminder of What’s at Stake
The China-linked attacks on Microsoft SharePoint aren’t an isolated event. They’re part of a growing trend in cybersecurity: faster, more aggressive, and deeply entangled with geopolitics.
At TecnetOne, we believe the most important lesson is this:
You can’t control what tech giants or governments do—but you can control how prepared and resilient your business is.
Keeping systems updated, securing identities, and having a tested incident response plan isn’t optional. It’s what will keep your business running, even during the next digital storm.