Full Report
Microsoft said previously known Chinese nation-state operations that it tracks as Linen Typhoon and Violet Typhoon — as well as a third, less-known group — were among those exploiting serious bugs in SharePoint server software.
Analysis Summary
# Threat Actor: Linen Typhoon (APT27 / UNC215 / Red Phoenix)
## Attribution & Identity
China-based nation-state threat group.
**Known Aliases:** APT27, UNC215, Red Phoenix.
## Activity Summary
Actively exploiting recently disclosed vulnerabilities in on-premises SharePoint servers (CVE-2025-49706 and CVE-2025-49704) since at least July 7th to gain initial access. This ongoing campaign impacts governments, large corporations, and universities.
## Tactics, Techniques & Procedures
- Exploiting public-facing vulnerabilities in software (SharePoint).
- Relying on existing exploits for compromise.
- Gaining initial access via CVE-2025-49706 and CVE-2025-49704.
- Potentially leveraging the bypasses for CVE-2025-49706 and CVE-2025-49704, tracked as CVE-2025-53770 and CVE-2025-53771.
- Stealing intellectual property.
- Gaining a long-term foothold.
- Exfiltrating data.
- Stealing cryptographic keys, which can allow persistent access even after the underlying vulnerability is patched.
## Targeting
- **Sectors:** Government organizations, defense companies, human rights groups.
- **Geography:** Global targeting is implied by the focus on SharePoint; observed activity affects a range of sensitive entities.
- **Victims:** Governments, large corporations, universities.
## Tools & Infrastructure
*No specific malware or infrastructure details mentioned in connection with Linen Typhoon's current exploitation.*
## Implications
Linen Typhoon is linked to persistent, long-term espionage activities (active since 2012). The exploitation of SharePoint vulnerabilities, combined with the theft of cryptographic keys, suggests a serious risk of long-term, undetected access to compromised networks, mirroring past major breaches like the 2021 Exchange compromise.
## Mitigations
- Immediately install security updates released for all supported on-premises SharePoint Server versions.
- Change cryptographic keys following compromise, as attackers may retain access via stolen keys even after patching the underlying vulnerability.
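One way to carry out the key-rotation step above on a SharePoint farm, as an added example that is not from the original report or from Microsoft: it assumes the SharePoint Management Shell snap-in and the `Update-SPMachineKey` cmdlet are available on the farm's version (both assumed here; check the cmdlet reference for your build), rotates the ASP.NET machine keys for every web application including Central Administration, and restarts IIS on each farm server so the new keys take effect.

```powershell
# Added example (not from the report). Assumes the SharePoint Management Shell
# snap-in and the Update-SPMachineKey cmdlet exist on this farm version.
# Run as a farm administrator on one SharePoint server AFTER the security update
# is installed; rotating keys on an unpatched server only invites a second theft.

if (-not (Get-PSSnapin -Name Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue)) {
    Add-PSSnapin Microsoft.SharePoint.PowerShell
}

$failed = @()
# Include Central Administration: its keys are as sensitive as any content web app's.
foreach ($webApp in Get-SPWebApplication -IncludeCentralAdministration) {
    try {
        Write-Host "Rotating machine keys for $($webApp.Url)"
        Update-SPMachineKey -WebApplication $webApp -ErrorAction Stop
    } catch {
        $failed += $webApp.Url
        Write-Warning "Rotation failed for $($webApp.Url): $($_.Exception.Message)"
    }
}

if ($failed.Count -gt 0) {
    # A partially rotated farm still has stolen keys in service; do not treat it as clean.
    Write-Warning "Rotation incomplete for: $($failed -join ', '). Re-run before trusting the farm."
    exit 1
}

# The new keys are only used once IIS reloads its configuration on EVERY
# SharePoint server in the farm (Role 'Invalid' marks non-SharePoint hosts such as SQL).
foreach ($server in (Get-SPServer | Where-Object { $_.Role -ne 'Invalid' })) {
    Write-Host "Restarting IIS on $($server.Address)"
    & iisreset.exe $server.Address /noforce
}
```

Treat a non-zero exit as "keys still compromised" in any incident checklist; the rotation is only complete when every web application and every server has been covered.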
---
# Threat Actor: Violet Typhoon (APT31)
## Attribution & Identity
China-based nation-state threat group dedicated to espionage.
**Known Aliases:** APT31.
## Activity Summary
Actively exploiting recently disclosed vulnerabilities in on-premises SharePoint servers (CVE-2025-49706 and CVE-2025-49704) since at least July 7th to gain initial access. The group scans the internet specifically for exposed web infrastructure vulnerabilities to exploit.
## Tactics, Techniques & Procedures
- Scanning the internet for vulnerabilities in exposed web infrastructure.
- Exploiting newly disclosed bugs (CVE-2025-49706 and CVE-2025-49704) to gain access.
- Installing tools to achieve further access post-exploitation.
- Espionage operations.
## Targeting
- **Sectors:** Government officials, military personnel, think tanks, educational organizations, media companies, and the health sector.
- **Geography:** U.S., Europe, and East Asia.
- **Victims:** Government agencies, defense sector, think tanks, academia, media, healthcare.
## Tools & Infrastructure
*No specific malware or infrastructure details mentioned in connection with Violet Typhoon's current exploitation.*
## Implications
Violet Typhoon is a dedicated espionage actor prioritizing the compromise of strategic targets across government and key infrastructure sectors globally. Their proactive scanning for vulnerable infrastructure suggests continuous efforts to build access pipelines.
## Mitigations
- Immediately install security updates released for all supported on-premises SharePoint Server versions.
- Prioritize patching publicly exposed web infrastructure components.
---
# Threat Actor: Unidentified China-Based Group
## Attribution & Identity
A third China-based threat group identified by Microsoft as actively exploiting the SharePoint vulnerabilities, distinct from Linen Typhoon and Violet Typhoon.
## Activity Summary
Actively exploiting CVE-2025-49706 and CVE-2025-49704 against on-premises SharePoint servers since at least July 7th.
## Tactics, Techniques & Procedures
- Exploiting CVE-2025-49706 and CVE-2025-49704.
- Historically associated with deploying ransomware strains.
## Targeting
Victim sectors and geography are currently unknown, but the group's history suggests secondary targeting for financial gain alongside espionage.
## Tools & Infrastructure
Historically used the **Warlock** and **LockBit** ransomware strains.
## Implications
The involvement of a third actor, potentially linked to ransomware operations, indicates that the vulnerability is being leveraged by groups with diverse motivations, increasing the likelihood of widespread exploitation and damage beyond pure espionage.
## Mitigations
- Immediately install security updates released for all supported on-premises SharePoint Server versions.
- Organizations must assume compromise, especially given the dual threat of espionage and potential ransomware deployment.