Coordinated Cyber-Espionage Campaign Targets U.S. and German Organizations via SharePoint Zero-Day

A highly coordinated cyber-espionage operation has compromised the networks of nearly 100 organizations in the United States and Germany, exploiting a previously undisclosed vulnerability in Microsoft SharePoint. The flaw, which allowed attackers to implant stealthy backdoors and maintain persistent access, was patched by Microsoft in an out-of-band emergency security update on 21 July 2025.

The campaign, first uncovered by Google’s Mandiant threat intelligence unit, is believed to have been active for several weeks before the vulnerability—now tracked as CVE-2025-35729—was publicly disclosed. According to Mandiant, the attackers leveraged the zero-day to execute code remotely and establish command-and-control channels, often bypassing endpoint detection tools through encrypted traffic and living-off-the-land techniques.

While the full scope of the breach is still being assessed, Mandiant attributes portions of the activity to a threat actor with likely ties to China, citing overlaps in infrastructure, tactics, and tools previously associated with known China-nexus APT groups. “The operational security and precision of the intrusions indicate a well-resourced adversary focused on long-term espionage,” Mandiant noted in its preliminary report.

Victim Profiles and Potential Motives

Though specific victim names have not been publicly confirmed, sources indicate that the affected organizations span sectors including aerospace, finance, healthcare, and critical infrastructure. In both the U.S. and Germany, several victims reportedly had contracts with government agencies or were involved in advanced R&D — potentially making them high-value targets for intelligence gathering.

Security analysts warn that the nature of the exploit — targeting enterprise collaboration tools like SharePoint — reflects a shift toward compromising digital supply chains and productivity platforms that underpin modern remote and hybrid workplaces.

Microsoft and International Response

Microsoft, in its advisory, urged all SharePoint administrators to apply the July 21 patch immediately, warning that the vulnerability is being actively exploited in the wild. The company also issued updated threat hunting guidance to help defenders identify potential signs of compromise, such as anomalous SharePoint API calls and unusual outbound connections from internal servers.

The incident has prompted renewed calls among Western cybersecurity agencies for closer intelligence sharing and a proactive stance on vulnerability disclosure. German and U.S. officials are reportedly in contact to coordinate responses and assess the broader implications of the breach.

Strategic Implications

This campaign underscores the persistent risk posed by well-resourced state-aligned threat actors targeting widely deployed enterprise tools. As geopolitical tensions simmer in cyberspace, experts say such operations are likely to grow more frequent and stealthy.

“The fact that such a critical vulnerability went undetected until active exploitation had already begun is a sobering reminder of the asymmetry defenders face,” said Lena Grossman, senior researcher at the European Cybersecurity Institute. “Public-private coordination, rapid disclosure, and investment in secure development are no longer optional—they’re essential.”