
Microsoft's SharePoint, a web-based collaboration tool used by hundreds of millions of professionals, was targeted by several high-profile attacks last month.
These attacks, which targeted US federal and state agencies, universities, and energy companies — including the National Nuclear Security Administration in the US — forced Microsoft to issue emergency patches to clear up the issues.
Following an investigation into the root of the two zero-day vulnerabilities, Microsoft announced on August 20 that it had reduced access to its Microsoft Active Protections Program (MAPP) for some Chinese companies (via Bloomberg).
MAPP, which is led by the Microsoft Security Response Center (MSRC), is a system that shares early vulnerability info with Microsoft's partners, allowing them to deploy proper protection through security updates.
The newfound limitations to MAPP quietly took effect last month. According to David Cuddy, a Microsoft spokesperson speaking to Bloomberg, MAPP's newfound limited access will apply to "countries where they're required to report vulnerabilities to their governments." That, of course, includes China.
Since the SharePoint attacks, which began as early as June 24, 2025, Microsoft has placed at least part of the blame on Beijing.
On July 22, Microsoft's Threat Intelligence division published a report detailing the CVE-2025-53770 and CVE-2025-53771 vulnerabilities, in which it observed that "two Chinese nation-state actors, Linen Typhoon and Violet Typhoon," were exploiting the SharePoint server vulnerabilities.
A third China-based bad actor, which Microsoft tracked as Storm-2603, was deploying ransomware through the same vulnerabilities. Beijing has denied any complicity in these SharePoint exploits.
Microsoft's Active Protections Program is tightening its borders

Despite Beijing's denial of involvement in the SharePoint hack, the speed at which these vulnerabilities were exploited against unpatched systems caused Microsoft to look into MAPP to discover any leaks or rogue members.
It evidently found some, and some significant changes are coming to how MAPP operates. According to Microsoft's spokesperson, the company will no longer offer "proof of concept code" to certain MAPP members affected by the change, including those in China.
In this case, proof of concept code demonstrates how a vulnerability can be triggered, in effect mimicking what malicious software would do. It is typically used to build and test defenses ahead of a patch, but it can also be hijacked by bad actors to get ahead of security updates. You can see how Microsoft put this process and the early SharePoint attacks together.
Rather than offer proof of concept code to China — which has about a dozen tech and security companies enrolled in MAPP — Microsoft will now provide "a more general written description" of vulnerabilities at the same time as security patches for the issues.
We’re aware of the potential for this to be abused, which is why we take steps – both known and confidential – to prevent misuse. We continuously review participants and suspend or remove them if we find they violated their contract with us, which includes a prohibition on participating in offensive attacks.
David Cuddy, Microsoft spokesperson
A spokesperson from the Chinese embassy in Washington is quoted in the Bloomberg report as saying that they were not familiar with the security report's details, noting that China "opposes and fights hacking activities in accordance with the law." The spokesperson added, "At the same time, we oppose smears and attacks against China under the excuse of cybersecurity issues."
This isn't the first time that MAPP has come under fire for vulnerability leaks related to China. In 2012, Microsoft blamed MAPP member Hangzhou DPTech Technologies for an NDA breach that let slip a major Windows exploit.
In 2021, an attack on Microsoft Exchange servers was also blamed on leaks from MAPP participants, with Microsoft focusing on at least two Chinese companies for exploiting the vulnerabilities.
In a statement to Bloomberg at the time, China's Ministry of Foreign Affairs said, "China resolutely opposes any form of online attacks or infiltration. This is our clear and consistent stance. Relevant Chinese laws on data collection and handling clearly safeguards data security and strongly oppose cyber-attacks and other criminal activity."
These leaks ultimately led to the Chinese state-sponsored hacker group Hafnium wreaking havoc on Windows defenses for years.
It also led to Microsoft considering potential changes to MAPP, including how much critical intelligence the company shared with partners in certain countries. In retrospect, it seems that those changes should have come sooner.
Details of the recent SharePoint "ToolShell" attack
The SharePoint attack that kicked off the most recent changes to MAPP involved two zero-day vulnerabilities. "Zero-day" refers to previously unknown vulnerabilities that are exploited before a patch is available.
While the attack didn't put cloud servers at risk, tens of thousands of on-premises servers were affected.
The attacks, which targeted vulnerabilities identified as CVE-2025-53770 and CVE-2025-53771, were nicknamed "ToolShell," and they were, for a time, being actively exploited by bad actors.
As Lotem Finkelstein, Director of Threat Intelligence at Check Point Research, stated at the time of the attacks:
"We're witnessing an urgent and active threat: a critical zero-day in SharePoint on-prem is being exploited in the wild, putting thousands of global organizations at risk. Our team has confirmed dozens of compromise attempts across government, telecom, and tech sectors since July 7. We strongly urge enterprises to update their security systems immediately — this campaign is both sophisticated and fast-moving."