The great SharePoint abandonment
How Microsoft's cloud gold rush left government agencies defenceless
The email arrived at 3:47 AM on a Sunday morning, jarring a state IT administrator from sleep with the kind of alert that turns weekend plans into crisis management. Their SharePoint server—the digital repository that housed thousands of documents explaining how local government worked—had been "hijacked." Budget reports, meeting minutes, policy explanations: all gone. Citizens trying to understand their government's operations now encountered blank screens.
"We will need to make these documents available again in a different repository," the official told me, speaking on condition of anonymity about a crisis that exposed just how vulnerable democratic transparency had become in the digital age.
What happened next reveals a brutal truth about enterprise technology: when vendor profits and customer security needs diverge, it's citizens, students, and employees who pay the price. The SharePoint attack wasn't just another cybersecurity incident—it was the predictable consequence of Microsoft's cloud-first business strategy systematically abandoning customers who can't or won't migrate to subscription services.
Within seventy-two hours of security researchers publishing a proof-of-concept demonstration, sophisticated threat actors had weaponised what Microsoft calls the "ToolShell" exploit to infiltrate at least 85 servers across 29 organisations. Government agencies, universities, energy companies, and multinational corporations fell victim not to some unprecedented attack, but to the logical endpoint of misaligned economic incentives.
The proof-of-concept paradox
The attack began with the best of intentions. In May 2025, researchers from Viettel Cyber Security demonstrated vulnerabilities at the Pwn2Own hacking contest in Berlin, showing how two SharePoint flaws could be chained together for remote code execution. Microsoft dutifully patched these vulnerabilities in their July security update, case closed.
But CODE WHITE GmbH researchers made a fateful decision. On July 14, apparently unaware of the Pandora's Box they were opening, they posted screenshots on social media proving they had successfully rebuilt the attack. No code, no technical details—just enough proof to light the fuse.
Four days later, Eye Security's monitoring systems detected automated attacks sweeping through SharePoint servers worldwide. The proof-of-concept had become a weapon.
"This incident reveals a growing pattern: partial technical disclosures are sufficient for sophisticated adversaries to reconstruct and launch targeted exploits," observed Sanchit Vir Gogia, chief analyst at Greyhound Research. The implication is chilling—security research intended to improve defences can inadvertently provide attack blueprints to malicious actors operating at unprecedented speed.
Microsoft's incomplete defence
The ToolShell attack exposes a fundamental flaw in how Microsoft approaches cybersecurity: the company treats vulnerabilities as isolated technical problems rather than components of broader attack systems. When researchers demonstrated that CVE-2025-49706 (an authentication bypass) could be chained with CVE-2025-49704 (code injection) for remote access, Microsoft patched each vulnerability separately without addressing the underlying exploit chain.
This piecemeal approach left SharePoint customers vulnerable to what security experts call "variant attacks"—new vulnerabilities that exploit the same underlying weaknesses that original patches failed to comprehensively address. The July patches blocked the specific attack vectors demonstrated at Pwn2Own but left the door open for the authentication bypass techniques that enabled ToolShell.
"While Microsoft issued individual patches for CVE-2025-49706 and CVE-2025-49704, they failed to patch the exploit chain fully, leaving a variant (now CVE-2025-53770) unaddressed," explained Sunil Varkey, advisor at Beagle Security. "In cybersecurity, a single vulnerability can pose a significant risk, but when vulnerabilities are combined, the consequences can be catastrophic."
The pattern isn't new. The Cybersecurity and Infrastructure Security Agency has repeatedly criticised Microsoft for issuing fixes that are "too narrowly designed and leave similar avenues open to attack." The 2021 Hafnium attacks compromised over 60,000 Exchange servers globally using similar chaining techniques that Microsoft's initial patches failed to prevent. A 2023 Chinese infiltration of Microsoft's cloud systems exposed federal officials' email accounts despite multiple previous security upgrades.
Each incident follows a familiar trajectory: sophisticated attackers discover vulnerability chains, Microsoft responds with targeted patches that address specific attack vectors but miss underlying systemic weaknesses, and new variants emerge that exploit the same fundamental flaws through different technical approaches.
The cloud economics behind security neglect
Follow the money, and Microsoft's security failures make perfect sense. The company generated $69.2 billion from Productivity and Business Processes in 2023—recurring cloud subscriptions that shareholders adore. On-premises SharePoint tells a different financial story: complex one-time sales, expensive support costs, and customers Microsoft desperately wants to abandon.
The economic logic is perverse. Cloud subscribers paying $5-12.50 per user monthly benefit from Microsoft's platform-wide security investments. On-premises customers who invest tens of thousands in hardware and licensing receive what amounts to legacy support—despite paying premium prices for software that becomes progressively less secure as vendor attention shifts to cloud profits.
Consider the numbers: 86% of SharePoint users have migrated to cloud deployments, leaving 14% maintaining on-premises infrastructure for compliance, security, or integration requirements. These holdout organisations face a cruel irony—the same regulatory and security concerns that mandate on-premises deployment also make them dependent on vendors increasingly focused on cloud revenue.
The ToolShell attack crystallises this dynamic. Microsoft's emergency patches arrived piecemeal across different SharePoint versions, with SharePoint 2016 customers waiting days longer than cloud subscribers for protection. The company's initial response advised customers to "simply unplug SharePoint server programs from the internet"—a solution that renders collaboration software useless but demonstrates Microsoft's assumption that on-premises customers should migrate to cloud services rather than expect robust legacy support.
Authentication's betrayal
The ToolShell attack achieved something more sinister than mere unauthorised access—it subverted trust itself. While traditional cyberattacks break down doors or exploit software bugs, this technique targeted SharePoint's authentication infrastructure, stealing the cryptographic keys that verify legitimate users.
Think of these keys as the master stamps that SharePoint uses to validate every user session. With stolen ValidationKeys and DecryptionKeys, attackers can forge authentication tokens indistinguishable from legitimate ones. They don't need to bypass security—they can impersonate SharePoint itself.
"With these keys in hand, attackers can craft forged authentication tokens that SharePoint will accept as valid," explains Benjamin Harris, CEO of watchTowr. Security monitoring systems cannot detect such forgeries because, from the system's perspective, stolen credentials appear completely authentic.
This represents "infrastructure betrayal"—attacks that exploit the fundamental trust mechanisms that all other security measures depend upon. Even after patching the original vulnerability, organisations must rotate cryptographic keys and rebuild authentication systems—complex surgery that many lack the expertise to perform safely.
The implications extend far beyond SharePoint. Most enterprise applications rely on similar cryptographic signing mechanisms for session management, single sign-on integration, and API authentication. The ToolShell technique demonstrates how sophisticated attackers can target authentication infrastructure itself, potentially rendering traditional security monitoring and access controls ineffective.
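The trust problem this section describes, as an added illustration that is not part of the article: a simplified Python model of HMAC-validated session tokens. The token format, key names and claims are constructed for the example and are not SharePoint's actual ViewState or machine-key implementation; the point is that a stolen validation key makes forgeries indistinguishable from legitimate tokens, and that rotating the key, not just patching, is what finally invalidates them.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

def new_validation_key() -> bytes:
    """Fresh 256-bit HMAC key standing in for a machine validationKey (hypothetical model)."""
    return secrets.token_bytes(32)

def sign(key: bytes, payload: bytes) -> bytes:
    return hmac.new(key, payload, hashlib.sha256).digest()

def issue_token(key: bytes, claims: dict) -> str:
    """Server-side issuance: canonical JSON claims, then an HMAC tag over them."""
    payload = json.dumps(claims, sort_keys=True).encode()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(sign(key, payload)).decode())

def verify_token(key: bytes, token: str) -> Optional[dict]:
    """Return the claims if the tag verifies under the current key, else None."""
    try:
        payload_b64, mac_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        mac = base64.urlsafe_b64decode(mac_b64)
    except ValueError:  # malformed token; binascii.Error is a ValueError subclass
        return None
    if not hmac.compare_digest(sign(key, payload), mac):
        return None
    return json.loads(payload)

def demo() -> dict:
    key = new_validation_key()
    legit = issue_token(key, {"user": "alice", "role": "reader"})
    # Constructed scenario: the key has been exfiltrated, so the adversary mints a
    # token with elevated claims through the very same routine the server uses.
    forged = issue_token(key, {"user": "alice", "role": "farm-admin"})
    # Without the key, a token signed under some other key is rejected as expected.
    tampered = issue_token(b"not-the-real-key", {"user": "alice", "role": "farm-admin"})
    results = {
        "legit_before": verify_token(key, legit) is not None,
        "forged_before": verify_token(key, forged) is not None,
        "tampered": verify_token(key, tampered) is not None,
    }
    key = new_validation_key()  # rotation: the remediation step the article describes
    results["legit_after"] = verify_token(key, legit) is not None
    results["forged_after"] = verify_token(key, forged) is not None
    return results
```

Monitoring cannot tell `legit` from `forged` while the old key is live, which is why detection has to look at access patterns rather than token validity; after rotation every session minted under the leaked key, legitimate or not, is cut off.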
The human cost of hybrid cloud failure
Behind the technical analysis lie real organisations struggling with the practical consequences of infrastructure betrayal. The anonymous state official whose document repository was "hijacked" represents thousands of public servants, university administrators, and corporate IT managers caught between Microsoft's cloud-first business strategy and their organisations' on-premises requirements.
At least two U.S. federal agencies saw their SharePoint servers compromised, according to researchers bound by confidentiality agreements that prevent them from naming specific targets. Universities found course materials and research collaboration tools offline during summer session planning. Energy companies faced potential disruption to operational technology integration that relies on SharePoint for document management and workflow coordination.
The attack's timing—weekend exploitation during July vacation season—magnified the impact. Arizona cybersecurity officials convened emergency meetings with state, local, and tribal agencies to assess vulnerabilities, with one participant describing "definitely a mad scramble across the nation right now." The Center for Internet Security, which coordinates threat response for state and local governments, needed six hours to notify just 100 vulnerable organisations—a process that normally takes much less time but was delayed because CISA had cut threat-intelligence and incident-response teams by 65% due to budget constraints.
Organisations abroad and elsewhere in the U.S. faced similar challenges. Security researchers identified compromised systems at government agencies in Spain, local authorities in Albuquerque, and universities in Brazil. Eye Security, the Dutch firm that first identified the mass exploitation campaign, found itself racing to notify more than 50 compromised organisations across multiple continents while attack waves continued every few hours.
The new cybersecurity event horizon
The ToolShell attack represents a fundamental shift in cybersecurity dynamics that goes far beyond SharePoint vulnerabilities. The compression of the timeline from proof-of-concept demonstration to mass exploitation—just seventy-two hours—suggests we have crossed what might be called the "cybersecurity event horizon," the point beyond which traditional security response cycles become inadequate.
Research by RAND Corporation indicates that zero-day vulnerabilities historically remain exploitable for an average of 6.9 years, though those purchased from third parties typically remain usable for only 1.4 years. But the ToolShell timeline suggests a new category of "proof-of-concept zero-days" that sophisticated adversaries can weaponise within days of partial technical disclosure.
This acceleration has profound implications for enterprise security strategies. Monthly or quarterly patch management cycles assume organisations have weeks or months to assess, test, and deploy security updates. But when attacks emerge within hours of partial disclosure, traditional risk management frameworks collapse.
"Security response must now encompass live detection of anomalous access patterns, automated secret rotation, and continuous exploit monitoring," advises Gogia. "Treating CVE notifications as passive inputs is no longer acceptable. Organisations must activate threat response the moment exploit potential becomes visible in the ecosystem."
The challenge is particularly acute for government agencies and critical infrastructure operators who cannot simply disconnect systems during attack windows. The CISA mandate requiring federal agencies to implement SharePoint mitigations within 24 hours—despite incomplete patches—illustrates the impossible position that accelerated attack timelines create for complex organisations.
Looking forward: the infrastructure reckoning
The SharePoint crisis forces a broader reckoning with enterprise IT strategy that extends far beyond Microsoft or collaboration platforms. As cloud vendors consolidate market power and focus investment on recurring subscription revenue, organisations maintaining on-premises infrastructure for legitimate compliance, security, or integration requirements face systematic abandonment.
This dynamic will likely accelerate regardless of customer preferences. The economics of cloud computing create powerful incentives for vendors to deprecate on-premises support, while the accelerating pace of cybersecurity threats makes legacy infrastructure increasingly indefensible. Organisations may find themselves forced to choose between cloud migration and digital isolation.
The hidden costs of this transition remain poorly understood. Cloud migration promises simplified security management, but also creates new dependencies on vendor security practices and geographic regulatory compliance. For government agencies handling classified information, critical infrastructure operators with air-gapped requirements, or organisations subject to data sovereignty restrictions, cloud migration may not be feasible regardless of cybersecurity pressures.
Meanwhile, the cybersecurity implications of the seventy-two-hour event horizon will reshape how organisations think about risk management. The traditional model of vulnerability assessment, patch testing, and scheduled deployment assumes time that sophisticated adversaries no longer provide. Future security strategies must account for continuous threat response, automated defence systems, and the acceptance that perfect security is impossible in accelerated attack timelines.
The great SharePoint abandonment may mark the beginning of a broader infrastructure transition that will define enterprise computing for the next decade. As cloud economics drive vendor behaviour and attack timelines compress, organisations face stark choices about digital sovereignty, security dependencies, and the acceptable costs of infrastructure independence.
For the state administrator rebuilding their document repository at 4 AM on a Sunday, these strategic considerations matter less than immediate reality: democracy's digital infrastructure failed because vendor profits mattered more than customer security.
But their experience—multiplied across dozens of government agencies, universities, and critical infrastructure operators—illuminates a fundamental shift in enterprise technology. The great SharePoint abandonment isn't just about one attack or one company. It's about what happens when subscription economics collide with institutional requirements for digital sovereignty.
The seventy-two-hour timeline from proof-of-concept to mass exploitation has established a new cybersecurity reality. Traditional security cycles can't keep pace with adversaries operating at internet speed. The question isn't whether this dynamic will continue, but whether organisations will adapt quickly enough to preserve some measure of technological independence in an age of cloud consolidation.
The documents will be restored, servers will be rebuilt, patches will be deployed. But the underlying economic forces that made this attack inevitable remain unchanged. Until customers and policymakers reckon with the true costs of cloud dependency, more 4 AM crisis calls await. The great abandonment has only just begun.