Microsoft's Cybersecurity Crackdown is Here: A Response to Beijing-Linked Breaches
Microsoft's web-based collaboration tool, SharePoint, was hit by several high-profile attacks last month, forcing the company to issue emergency patches to close the holes. The attacks, which targeted US federal and state agencies, universities, and energy companies, including the National Nuclear Security Administration, have raised concerns about Beijing-linked intrusions.
Following an investigation into the source of the two zero-day vulnerabilities, Microsoft announced on August 20 that it had reduced access to its Microsoft Active Protections Program (MAPP) for some Chinese companies. MAPP shares vulnerability details with partner security vendors ahead of Microsoft's public security updates, so that those partners can have protections such as detection signatures ready by the time the patches ship.
According to David Cuddy, a Microsoft spokesperson speaking to Bloomberg, the new limitations to MAPP will apply to "countries where they're required to report vulnerabilities to their governments." That, of course, includes China. The company has placed at least part of the blame on Beijing for the SharePoint attacks, which began as early as June 24, 2025.
Microsoft's Threat Intelligence division published a report detailing the CVE-2025-53770 and CVE-2025-53771 vulnerabilities, which observed that "two Chinese nation-state actors, Linen Typhoon and Violet Typhoon," were exploiting the flaws against on-premises SharePoint servers. A third China-based actor, which Microsoft tracks as Storm-2603, used the same vulnerabilities to deploy ransomware.
Beijing has denied any complicity in the SharePoint exploitation. However, the speed with which the vulnerabilities were exploited against unpatched systems prompted Microsoft to examine MAPP for leaks or rogue members. It evidently found some, and significant changes are coming to how MAPP operates.
"We're not going to offer proof of concept code" to certain MAPP members affected by the change, including those in China, Cuddy said. Proof of concept code demonstrates that a vulnerability is real and shows how it can be triggered. Security vendors use it to build and validate protections before a patch ships, but in the wrong hands it gives attackers a head start on weaponizing the flaw before customers have applied the security updates.
"We'll provide a more general written description" of vulnerabilities at the same time as the security patches, rather than offering proof of concept code, Cuddy said. Microsoft added in a statement: "We're aware of the potential for this to be abused, which is why we take steps – both known and confidential – to prevent misuse."
"Microsoft continuously reviews participants and suspends or removes them if they violate their contract with us, which includes a prohibition on participating in offensive attacks," the company said. A spokesperson for the Chinese embassy in Washington was quoted in the Bloomberg report as saying that they were not familiar with the security report's details, noting that China "opposes and fights hacking activities in accordance with the law."
"At the same time, we oppose smears and attacks against China under the excuse of cybersecurity issues," the spokesperson added. This isn't the first time that MAPP has come under fire for vulnerability leaks related to China.
In 2012, Microsoft blamed MAPP member Hangzhou DPTech Technologies for an NDA breach that leaked proof of concept code for a critical Windows vulnerability. In 2021, Microsoft also investigated whether leaks from MAPP participants had fed the attacks on Microsoft Exchange servers, reportedly focusing on at least two Chinese companies.
Microsoft attributed those Exchange attacks to the Chinese state-sponsored hacking group it tracks as Hafnium. The episode also led Microsoft to consider changes to MAPP, including how much critical intelligence the company shares with partners in certain countries.
Details of the Recent SharePoint "ToolShell" Attack
The SharePoint attack that triggered the latest changes to MAPP exploited two zero-day vulnerabilities. "Zero-day" refers to a vulnerability that is exploited before the vendor has a patch available for it. The cloud-hosted SharePoint Online service was not affected, but tens of thousands of on-premises SharePoint servers were exposed, which is why the emergency patches matter only for organizations running their own SharePoint installations.
The attacks exploited vulnerabilities identified as CVE-2025-53770 and CVE-2025-53771, collectively nicknamed "ToolShell," and were for a time being actively exploited in the wild. As Lotem Finkelstein, Director of Threat Intelligence at Check Point Research, stated at the time of the attacks: "We're witnessing an urgent and active threat: a critical zero-day in SharePoint on-prem is being exploited in the wild, putting thousands of global organizations at risk."
Cale Hunt brings to Windows Central more than nine years of experience writing about laptops, PCs, accessories, games, and beyond. If it runs Windows or in some way complements the hardware, there's a good chance he knows about it, has written about it, or is already busy testing it.