Microsoft Corp. is currently reviewing a potential leak from its early alert system for cybersecurity firms, which may have permitted Chinese hackers to exploit vulnerabilities in its SharePoint service prior to the application of patches, according to sources familiar with the situation.
The tech giant is investigating whether its program, created to enable cybersecurity professionals to rectify system flaws before new security issues are disclosed, contributed to the widespread exploitation of weaknesses in its SharePoint software in recent days. The individuals, who requested anonymity due to the sensitive nature of the issue, indicated that the probe is ongoing.
In a statement, a Microsoft spokesperson acknowledged the event, stating, “As part of our standard process, we’ll review this incident, find areas to improve, and apply those improvements broadly.” The spokesperson emphasized that collaboration with partner programs plays a critical role in Microsoft’s security approach.
The Chinese embassy in Washington highlighted remarks by Guo Jiakun, a spokesperson for the foreign affairs ministry, opposing all forms of cyberattacks. Guo stated, “Cybersecurity is a common challenge faced by all countries and should be addressed jointly through dialogue and cooperation. China opposes and fights hacking activities in accordance with the law. At the same time, we oppose smears and attacks against China under the excuse of cybersecurity issues.”
Microsoft has identified state-sponsored hackers from China as the culprits behind the breaches of SharePoint. At the same time, at least a dozen Chinese companies are members of the Microsoft Active Protections Program (MAPP), which is described on Microsoft’s website. To join the 17-year-old initiative, participants must prove their status as cybersecurity vendors and refrain from producing offensive hacking tools. After signing a non-disclosure agreement, they are granted access to information about upcoming vulnerability patches 24 hours before public release. A select group of more highly vetted members receives the notifications five days ahead.
Dustin Childs, head of threat awareness at cybersecurity firm Trend Micro, confirmed that MAPP members had been informed of the vulnerabilities linked to the SharePoint attacks. “These two bugs were included in the MAPP release,” he mentioned, recognizing the possibility of a leak. Childs underscored that such a scenario would pose a serious risk to the program, though he still sees considerable value in MAPP.
The number of victims impacted by these cyberattacks now exceeds 400, spanning government entities and corporations across the globe. This includes the U.S. National Nuclear Security Administration, which is responsible for the management of the nation’s nuclear arsenal. Microsoft has attributed some of the attacks to the state-sponsored groups it tracks as Linen Typhoon and Violet Typhoon, and others to a group it refers to as Storm-2603. The Chinese embassy has denied the allegations and objected to what it called “smearing” without solid evidence.
Dinh Ho Anh Khoa, a researcher at the Vietnamese cybersecurity firm Viettel, demonstrated previously unknown vulnerabilities in SharePoint as early as May at the Pwn2Own contest in Berlin, where hackers demonstrate security flaws for prizes. Following the demonstration, Khoa, Childs and a Microsoft representative discussed the exploit, and Khoa submitted a detailed white paper. Microsoft validated the findings and began developing a fix; Khoa was awarded $100,000 for the discovery.
It took Microsoft approximately 60 days to develop a fix. However, cybersecurity experts reported that hackers had begun targeting SharePoint servers on July 7, before the patch was publicly released.
Experts say it is possible that the hackers independently discovered the vulnerabilities and began exploiting them on the same day Microsoft shared them with MAPP participants, though they acknowledge this would be a remarkable coincidence. The other likely explanation is that someone shared the patch details with the attackers.
A leak of an impending patch would be a major lapse in security protocols, but experts noted that such incidents have occurred before. Jim Walter, a senior threat researcher at SentinelOne, pointed to earlier situations in which MAPP was believed to have been compromised.
The MAPP program has faced scrutiny previously, for instance in 2012, when Microsoft accused Hangzhou DPtech Technologies Co., a Chinese network security firm, of disclosing sensitive information about a major Windows vulnerability. As a consequence, Hangzhou DPtech was expelled from MAPP. Microsoft said at the time that it had taken steps to strengthen existing controls and better protect the information it shares.
In 2021, Microsoft suspected two other Chinese MAPP partners of leaking vulnerability information related to its Exchange servers, which led to a global hacking incident attributed to a Chinese espionage group named Hafnium. This event was among the most significant breaches for Microsoft, impacting tens of thousands of Exchange servers worldwide, including those at the European Banking Authority and the Norwegian Parliament.
Following this incident, Microsoft contemplated revising the MAPP program; however, it did not disclose whether any changes were implemented or if any leaks were confirmed.
Under a 2021 Chinese law, any organization or researcher that identifies a security vulnerability must report it within 48 hours to the Ministry of Industry and Information Technology. Some Chinese firms still participating in MAPP, such as Beijing CyberKunlun Technology Co Ltd., are also part of a Chinese government vulnerability program, the China National Vulnerability Database, administered by the Ministry of State Security.
Eugenio Benincasa, a researcher at ETH Zurich’s Center for Security Studies, highlighted concerns over the lack of transparency regarding how Chinese firms balance their responsibilities for protecting vulnerabilities shared by Microsoft against obligations to report such information to the Chinese government. “We know that some of these companies collaborate with state security agencies and that the vulnerability management system is highly centralized. This issue definitely merits closer examination,” Benincasa stated.
© 2025 Bloomberg LP