The Microsoft SharePoint Cyberattack Indicates New Hacking Tactics
Considering the Major Chinese Cyberattacks of the Last Seven Months
Rolling over in the middle of the night to a buzzing phone that already contains multiple missed calls and text messages is an awful feeling. Trying to decipher the cause of the issue with bleary eyes opened just moments after the end of a REM cycle is true mental gymnastics. Your brain will try to tell you that everything is fine or that someone else has this one or it does not fall within your scope. It’s a very fast cycle through the stages of grief until you arrive at acceptance. Something is wrong and I must get out of bed.
Such was the likely experience of CISOs on the weekend of July 18-20, 2025, as news broke of the Microsoft SharePoint breach. This latest cyber incident impacted on-premises SharePoint servers, the kind of configuration used by organizations trying to protect their data by keeping it out of multi-tenant cloud architectures. Those CISOs probably had a hunch regarding what was going on and who was responsible. Given recent events, it would have been entirely reasonable to assume Chinese-backed cyber actors were responsible for the incident.
In the days that followed, analysts at Microsoft and other firms would continue to pick apart the incident and provide initial assessments of the involvement of three Chinese-backed hacker groups as culprits. They provided attribution, a move right out of the cyber incident response playbook. As attribution techniques have improved, hacker groups are growing less concerned with being “named and shamed” and more concerned with obfuscating the true target of their activities. The SharePoint breach, combined with other recent Chinese-sponsored cyber events, indicates a potential switch from precision-targeted cyberattacks to large, noisy attacks that hide the true target(s) of the event. This incident might be an early indicator of a change in approach to cyberattacks that defenders should heed.