Microsoft flaw 'opens the door' for hackers. It will be hard to close
Published in Business News
Waves of cyberattacks are hitting a commonly used Microsoft product, compromising dozens of organizations around the world.
The hackers exploited a vulnerability in Microsoft SharePoint, an internet-based app primarily used by government agencies and private companies for internal documents and records. The company alerted customers to the problem on Saturday, and on Sunday issued guidance on how to fix it.
The Cybersecurity and Infrastructure Security Agency, a branch of the U.S. Department of Homeland Security, said Sunday that it's still assessing the scope of the attacks.
"CISA was made aware of the exploitation by a trusted partner and we reached out to Microsoft immediately to take action," Chris Butera, CISA acting executive assistant director for cybersecurity, said in a statement. "Microsoft is responding quickly, and we are working with the company to help notify potentially impacted entities about recommended mitigations."
Cybersecurity company Eye Security scanned more than 8,000 SharePoint servers worldwide and found that dozens of organizations were compromised during attacks from Friday through Monday. Eye Security said it discovered the attacks.
Microsoft and cybersecurity experts said customers who use SharePoint through a cloud-based server aren't at risk. It's organizations that run their own on-premises SharePoint servers that are vulnerable. That likely includes government agencies, schools, hospitals and large companies.
Eye Security and Microsoft urged customers to follow Microsoft's guidance for mitigating the risk of hackers getting into a network and stealing data. In other intrusions, hackers have stolen identifying information of customers as well as intellectual property and internal communications.
"The risk is not theoretical," Eye Security said in a blog post.
The vulnerability is referred to as a "zero-day" exploit, meaning it's a flaw the company wasn't aware of before it was attacked. The company's security team therefore had zero days to prepare a patch or fix.
CISA said malicious hackers are able to manipulate code within an organization's SharePoint network if they gain access.
Microsoft labeled the severity of the flaw as critical, the most serious designation in its security guide. Unit 42, a team of cyber threat researchers with Palo Alto Networks, said it was a severe and urgent threat.
Michael Sikorski, chief technical officer for Unit 42, said in a statement that attackers are bypassing passwords and other security measures in SharePoint to gain access to sensitive data and establish footholds. They're able to create backdoors into networks that survive reboots and updates.
"If you have SharePoint (on-premises) exposed to the internet, you should assume that you have been compromised at this point," he said. "Patching alone is insufficient to fully evict the threat."
SharePoint is deeply connected with Microsoft's suite of products, including services like Outlook and Teams, which makes the attacks especially concerning, according to Sikorski.
"A compromise doesn't stay contained — it opens the door to the entire network," he said.
In a threat brief on Monday, Palo Alto Networks recommended that customers follow Microsoft's guidance.
The attacks come four months after researchers at cybersecurity company Trend Micro reported another zero-day exploit affecting Microsoft. In that case, state-sponsored attackers from North Korea, Iran, Russia and China were able to exploit a flaw in shortcut links on Windows to steal data and cryptocurrency.
©2025 The Seattle Times. Visit seattletimes.com. Distributed by Tribune Content Agency, LLC.