Global cybersecurity is once again in the spotlight. In August 2025, Microsoft announced major changes in how it shares vulnerability information with its partners, following a series of attacks that exploited flaws in SharePoint—its collaboration platform used by millions of organizations. The attacks were so severe that even U.S. government agencies and energy companies were compromised.
But beyond the headline, what matters is what these changes mean for you and any company that relies on Microsoft and its tools. At TecnetOne, we’ll break it down for you.
It all started in late June 2025, when security researchers discovered two critical vulnerabilities—CVE-2025-53770 and CVE-2025-53771—that affected on-premises SharePoint servers. These were zero-day flaws, meaning they were unknown to the vendor and had no available patch at the time.
State-sponsored cybercriminal groups identified as Linen Typhoon and Violet Typhoon began exploiting them almost immediately. The impact was global: U.S. government agencies, universities, and energy companies were exposed. Even the U.S. National Nuclear Security Administration was listed among the potential victims.
Microsoft responded by releasing emergency patches, but the damage was already done—thousands of servers had been compromised.
To understand Microsoft's reaction, you need to know about the Microsoft Active Protections Program (MAPP).
This program was designed to share early vulnerability information with security firms and technology partners. The idea was simple: if allies knew about a flaw ahead of time, they could protect customers faster.
The problem? That trust was breached—again.
Following the 2025 SharePoint incidents, Microsoft suspected further leaks and decided to restrict MAPP access for Chinese firms.
Starting in July 2025, Microsoft began quietly enforcing new rules:
In the words of David Cuddy, a Microsoft spokesperson:
“We’re aware of the potential for abuse, which is why we’ve taken both public and confidential measures to prevent it. We continuously review participants and take action if we detect violations.”
Microsoft didn’t directly accuse the Chinese government, but clearly linked the attacks to state-sponsored groups. Predictably, Beijing denied involvement, stating that China "opposes and combats cybercrime in accordance with the law."
This kind of back-and-forth is becoming more common. Cybersecurity is now a geopolitical flashpoint, and tech giants like Microsoft are caught in the middle.
What does this mean for your business? Even if you're a small or medium-sized company, using widely adopted software puts you on the radar of attackers.
This case offers several critical takeaways:
At TecnetOne, we know stories like this may feel distant—but they impact your daily operations. Here’s how to respond:
Don’t wait for patches. Inventory your assets, prioritize critical systems, and patch as soon as updates are available.
If a new “ToolShell” attack hit tomorrow, how would your team react? Practice your response plan before it’s needed.
Most breaches start with valid credentials. Use Identity and Access Management (IAM) tools to detect anomalies and reduce attack surfaces.
Don’t rely solely on vendor updates. Use real-time threat feeds to stay ahead of campaigns like those run by Linen Typhoon or Violet Typhoon.
Third-party risks are your risks. Audit which vendors access your systems and how they secure sensitive information.
The China-linked attacks on Microsoft SharePoint aren't an isolated event. They're part of a growing trend in cybersecurity: attacks that are faster, more aggressive, and deeply entangled with geopolitics.
At TecnetOne, we believe the most important lesson is this:
You can’t control what tech giants or governments do—but you can control how prepared and resilient your business is.
Keeping systems updated, securing identities, and having a tested incident response plan isn’t optional. It’s what will keep your business running, even during the next digital storm.