Overview
- Microsoft publicly attributed coordinated intrusions beginning July 7 to three Chinese-affiliated networks: Linen Typhoon, Violet Typhoon and Storm-2603
- Attackers leveraged a zero-day ToolShell vulnerability in on-premises SharePoint servers to bypass authentication and access systems as legitimate users
- Emergency updates apply only to on-premises SharePoint deployments while cloud-based instances remain unaffected by the campaign
- China’s government rejected the allegations as unfounded even as Google confirmed increased interest in the vulnerability from Chinese-linked groups
- Microsoft pledged to roll out continuous security updates to strengthen defenses against anticipated future intrusions