Microsoft confirmed on Tuesday that three China-linked hacking groups exploited previously unknown vulnerabilities in its SharePoint software, compromising dozens of organizations worldwide including multiple U.S. federal agencies.
The breach marks one of the most significant cybersecurity incidents of President Donald Trump’s second term.
According to Microsoft’s security blog, groups identified as Violet Typhoon, Linen Typhoon, and Storm-2603 targeted on-premises SharePoint servers, enabling unauthorized network access. Two U.S. officials familiar with the investigation confirmed at least four federal agencies were breached, with roughly 100 global entities affected. Private cybersecurity firms Mandiant and Censys corroborated the scale, warning that thousands more systems remain vulnerable.
The U.S. government has not formally attributed the attacks to China. Microsoft stated it is “coordinating closely” with the Cybersecurity and Infrastructure Security Agency (CISA) and Department of Defense Cyber Command, while offering partial mitigations for the flaws. Charles Carmakal, Mandiant’s CTO, warned that “multiple actors are now actively exploiting this vulnerability,” urging immediate patching.
This incident revives scrutiny of Microsoft’s security practices following 2023 breaches in which Chinese hackers stole U.S. officials’ emails. Senator Ron Wyden (D-Ore.) criticized the company, noting agencies “depend on a company that doesn’t care about security” despite selling cybersecurity services. The House Homeland Security Committee has requested briefings on Microsoft’s use of China-based engineers for U.S. government systems.
Microsoft’s latest breach underscores persistent vulnerabilities in critical infrastructure, with lawmakers demanding stronger oversight as geopolitical cyber threats escalate.


