Microsoft is scrambling to patch its SharePoint collaboration and document management platform following the discovery of a critical zero-day exploit that has already been weaponized to target hundreds of servers across government agencies, universities, energy operators, and private-sector organizations in the US, Europe, and Asia.
What happened?
SharePoint is a web application from Microsoft that’s used for sharing files and building self-contained computer networks (intranets). Importantly in the context of this data breach, SharePoint can be hosted either on premises (on an organization’s local servers) or as a Microsoft 365 hosted service.
Starting on July 18, 2025, attackers began to exploit a chain of critical vulnerabilities that allow unauthenticated arbitrary code execution and privilege escalation to access the on‑premises SharePoint Server (versions 2016, 2019, and Subscription Edition) software. Instances of SharePoint running on Microsoft 365 servers are unaffected.
Collectively, the vulnerabilities are known as ToolShell because they exploit ToolPane.aspx, a component for assembling the side panel view in the SharePoint user interface.
Why is ToolShell dangerous?
These exploits allow attackers to access some of the most sensitive parts of a self-hosted SharePoint server. From there, they can:
- Exfiltrate (steal) sensitive data, including the keys used to encrypt session tokens and cookies. With these keys, attackers can forge authentication tokens and stay inside the network — even after it has been patched or updated (presumably, this doesn’t apply to Microsoft’s latest “comprehensive” patches, which are specifically designed to address these vulnerabilities).
- Install backdoors that allow them to easily re-enter the system at any point in the future.
- Spread across a company’s systems — by using stolen credentials or forged tokens, the attacker can move deeper into the victim’s internal systems and SharePoint environment. This is known as lateral movement.
- Install ransomware — ToolShell has already been used to deploy ransomware such as Warlock and LockBit on compromised systems.
ToolShell is worryingly hard to detect: It uses standard SharePoint pages (/_layouts/ToolPane.aspx), doesn’t require an attacker to log in to SharePoint, leaves minimal traces on the infected system, and often encrypts the payloads. A company might have hackers lurking in their network, stealing customer data or trade secrets, and never know it.
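One practical way to hunt for the behaviour described above is to look in the IIS web logs for POST requests to the ToolPane.aspx page that carry no authenticated SharePoint user, since the post notes that the exploit needs no login. The script below is an added example and is not code from the original post or from Microsoft; the log lines are constructed samples, and it assumes the IIS W3C convention of logging `-` in `cs-username` for anonymous requests.

```python
"""Flag ToolShell-style requests in an IIS W3C log.

Heuristic taken from the post: the exploit chain posts to the standard
ToolPane.aspx page without ever logging in to SharePoint. Every log line
below is a constructed sample, not real telemetry.
"""
import re

# Constructed IIS W3C sample; field order comes from the #Fields header.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-username c-ip cs(Referer) sc-status
2025-07-19 02:14:07 GET /_layouts/15/start.aspx CONTOSO\\alice 10.0.0.5 - 200
2025-07-19 02:15:11 POST /_layouts/15/ToolPane.aspx CONTOSO\\alice 10.0.0.5 http://sp/_layouts/15/settings.aspx 200
2025-07-19 02:16:40 POST /_layouts/15/ToolPane.aspx - 203.0.113.9 - 200
2025-07-19 02:16:41 GET /_layouts/15/start.aspx - 203.0.113.9 - 401
"""

# Matches /_layouts/ToolPane.aspx as written in the post and the
# versioned /_layouts/15/ToolPane.aspx form used by SharePoint 2016/2019.
TOOLPANE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.IGNORECASE)


def parse_iis_w3c(text):
    """Turn a W3C-format log into a list of dicts keyed by the #Fields names."""
    fields, rows = [], []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            rows.append(dict(zip(fields, line.split())))
    return rows


def flag_toolshell(rows):
    """Return rows that are POSTs to ToolPane.aspx with no authenticated user.

    An authenticated admin legitimately posts to ToolPane.aspx when editing a
    page, so the anonymous-user condition is what separates a lead from noise.
    """
    return [
        r for r in rows
        if r.get("cs-method") == "POST"
        and TOOLPANE.search(r.get("cs-uri-stem", ""))
        and r.get("cs-username", "-") == "-"   # "-" means IIS saw no user
    ]


if __name__ == "__main__":
    for hit in flag_toolshell(parse_iis_w3c(SAMPLE_LOG)):
        print(f"{hit['date']} {hit['time']} unauthenticated ToolPane POST from {hit['c-ip']}")
```

A hit is a lead rather than proof of compromise: correlate it with the server's patch status and the other post-exploitation signs the post lists (new files on the server, unexpected outbound traffic).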
Who has been impacted?
Hundreds of companies and organizations around the world have been compromised by ToolShell. Notable victims include multiple US federal agencies and critical infrastructure providers:
- National Nuclear Security Administration (NNSA) – The breach impacted few systems and did not involve classified data.
- National Institutes of Health (NIH) – At least one SharePoint server was breached and later isolated. There was no evidence of data exfiltration.
- Department of Health and Human Services (HHS) and Department of Homeland Security (DHS) – Both agencies experienced confirmed breaches through the ToolShell chain, though no sensitive data loss has been reported.
- California Independent System Operator (CAISO) – The operator of California’s electric grid was breached, but grid operations remained unaffected.
Who is responsible?
According to Microsoft, two Chinese state-sponsored hacking groups (Linen Typhoon and Violet Typhoon), plus the (non-state-sponsored) Chinese hacking group Storm-2603, were responsible for the initial attacks on SharePoint systems.
However, the notable acceleration of attacks through July 18–24 strongly suggests use of the exploits has spread throughout the global hacking community.
How to respond and mitigate against ToolShell
Microsoft has now released comprehensive security updates for supported versions of SharePoint Server (Subscription Edition, 2019, and 2016) to address these vulnerabilities. If you are an on-premises SharePoint administrator, we strongly recommend that you apply these updates immediately.
Microsoft also recommends turning on the Antimalware Scan Interface (AMSI) using Full Mode, and deploying anti-malware software. If you’re using an unsupported version of SharePoint, you should air-gap your servers (that is, disconnect them from the internet) until a patch becomes available.
Can using Proton help?
Using Proton products can’t stop hackers from compromising your self-hosted SharePoint server, but they can help mitigate some of the damage if your organization is attacked.
Proton Pass
Our end-to-end encrypted (E2EE) password manager can help prevent lateral movement by securely storing credentials, API tokens, and service accounts — keeping them off exposed servers and out of the code running on them.
Proton Drive
Similarly, our E2EE cloud storage solution can improve your operational resilience to attacks like ToolShell by keeping your sensitive files and internal documents off compromised infrastructure. Drive provides a highly secure and convenient way to share files among colleagues. When you store files on Proton Drive, no one can access them except you and those you share them with.
Escalating risks for businesses
The ToolShell SharePoint breach is a sobering reminder of the growing sophistication and urgency of threats targeting enterprise infrastructure. By exploiting zero-day vulnerabilities in Microsoft SharePoint, attackers were able to bypass authentication, implant persistent backdoors, and in some cases, steal cryptographic keys that allowed them to silently retain access even after patches were applied.
The scale of the attacks — which have affected hundreds of organizations around the world — and the high value of the targets, including critical infrastructure and government agencies, underscore how dangerous and far-reaching this exploit chain has been.