https://research.eye.security/sharepoint-under-siege/
https://krebsonsecurity.com/2025/07/microsoft-fix-targets-at...
https://www.bleepingcomputer.com/news/microsoft/microsoft-re...
Probably not since there are so many of these breaches people just ignore them.
I miss the old days when a breach involved someone breaking into the computer room, grabbing as many mag tapes as they could carry and running :)
The reason orgs use Sharepoint is they are forced to if they use Microsoft. One drive is sharepoint, teams is sharepoint, sharepoint sites is sharepoint, etc...
I'm sure all those things have better alternatives, but Microsoft shoves them down your throat when you license with them.
I'm not saying that wouldn't be better, but it makes sense why an org would be reluctant. Again, not a fan of Sharepoint myself, but from an org's viewpoint, moving to Linux raises more problems than it solves.
To some extent I think Microsoft is largely in the business of building solutions for problems that don't exist.
Most orgs are probably perfectly fine with a document management system + desktop word application and then a commercial NAS for bulk storage / backups.
You’ve got it backwards. Everything M365 is an amalgamation of Entra, SharePoint, and Exchange.
We’re on Microsoft 365 and technically fall into the camp of “uses SharePoint”, but only for “shared network folder” usage which OneDrive seamlessly synchronizes should you dislike the web interface. We don’t actively use any other features of it.
Also worth mentioning that realtime collaboration and automatic versioning of Office documents is seamless for files on SharePoint, even if opened on a desktop on a OneDrive synchronized folder.
Files shared over Teams as well as meeting recordings are also stored on SharePoint.
My point is that SharePoint is used a lot but possibly not in the way one might have assumed.
I don’t know if self hosted SharePoint can do all this.
In 50% of the time.
But SharePoint is the linchpin for Microsoft 365. Well technically SharePoint and Exchange. You can’t use any Microsoft 365 products without SharePoint.
OneDrive uses SharePoint. Outlook Groups and Teams Channels create Microsoft 365 Groups. Every Microsoft 365 Group creates a SharePoint site. Microsoft Loop uses Microsoft SharePoint Embedded.
SharePoint is now a “file and document management system suitable for use in any application”.
So, if you want an alternative to SharePoint you would need an alternative to any M365 Product, including Outlook and OneDrive.
Fun Fact: Teams messages are actually stored via Exchange Mailboxes.
https://learn.microsoft.com/en-us/sharepoint/dev/embedded/ov...
It's just conflating needs. Document editing and file storage are two different tasks. It's weird that people want everything integrated. It's not much effort to just drag and drop a file into G-Drive, OneDrive, Dropbox, box.com...
See, there’s the problem. Once you touch anything M365, you’re using SharePoint.
People see SharePoint as a document collaboration tool. But, in reality, its real use is as a data storage platform.
Not if you want to enable multiple users to be live editing the document at the same time.
Of course it's quite a poor replacement but it does exist.
What trapped a lot of orgs is making use of the whole PowerPlatform around sharepoint. There's a lot of crusty old LoB apps built with MS's no code tools (PowerAutomate, PowerApps) which run on SharePoint as the delivery platform. Some of these even hook into Excel files stored in the various document libraries, etc. There are entire, large business processes being handled by this platform, and so migrating will require actual dev time, which automatically makes it a non-starter for most, unfortunately. Doubly so when you consider that a lot of these "solutions" were built by non-devs, long since gone from the company and no one knows how deep the tentacles go.
Granted there are countries that act like a Criminal Org., but if you live there you have more issues than your data.
With proprietary software, it is a much larger chance that backdoors exist than in Open Source. Many of us heard of 1 issue where it was claimed a project had a Gov sponsored BH in it. They did a long audit and found that was false.
Eventually Open Source backdoors will be found in Open Systems. Proprietary you are SOL unless you do very expensive and very hard testing. Even then it is doubtful you will find a backdoor.
Plenty of closed source products will happily backdoor their products on request, without a warrant, if they are confident they will never be found out. That's the point. Not that FOSS source is somehow inviolable to nation-states with virtually infinite resources, many of which sponsor or contribute to the finance of a huge percentage of the development of FOSS themselves.
It's easier to find backdoors in FOSS if you're looking, because you're allowed to look. But somebody has to be looking.
We didn’t know better back then. We know better now. But migrating is work. So we prefer to suffer! And harm others! These Linux and BSD people are so annoying with their desire for compatibility. They shall suffer, too! And when we buy everything from a Monopoly, we don’t need to think.
Somehow. Part of the game is that you always have an excuse with Microsoft. You cannot be made responsible? There is this quote about IBM: Nobody Ever Got Fired for Buying IBM.
But I cannot remember stories about suffering from IBM forever. "If something happens, we used enterprise grade industry standard software. We did our due diligence."
This outlook is basically why we can't innovate anymore.
I had to recently sit through a meeting where our CTO quoted all the "blogs" he's been reading as a way to slap down my suggestion for an in-house project.
It's all about CYA.
Pay the CYA bill, let the engineers build/choose something that actually works. Win-win.
It's why school boards don't do anything useful, among many many other things in our society. It's an endemic disease.
Most of the time it's extremely exaggerated, but it's trotted out and used as a CYA excuse almost immediately by most in the executive/managerial class. Both due to outright laziness and incompetence, and also as just a... why take any personal risk whatsoever making actual decisions with any impact if I can keep my cushy job and career rolling by being as milquetoast as possible.
Never mind you get the big bucks to make such important and controversial decisions at great personal (career) risk when some inevitably go wrong. Everyone forgot that part. Such roles should be hard, difficult, and risky.
FOSS isn't magically immune to vulnerabilities.
It doesn't help that the FOSS community generally prefers the C programming language over more modern and safer alternatives as a cultural thing. The result is just as many vulnerabilities, if not more, per line of code or per feature. Keep in mind that SharePoint is an enormous product with a 3.6 GB ISO image used to install it. If you think anyone is able to develop that volume of server code and have zero vulnerabilities... I have a bridge to sell you.
I contributed to a Tcl/Tk library that I was using at work that had a specific issue with some image files, so I fixed it internally, and contributed the fix back to the FOSS project (with permission from work).
Countries are run by politicians. The ability of a politician to remember something is inversely proportional to the sum of money landed in their account.
I don't understand how often this design has to blow up in people's faces until they stop doing this and use something dumb and safe instead.
Would the CCP allow their cloud infra to be administrated by US staff in the US? Never.
> A programming flaw in its cloud services also allowed China-backed hackers to steal email from federal officials. On Friday, Microsoft said it would stop using China-based engineers to support Defense Department cloud-computing programs after a report by investigative outlet ProPublica revealed the practice, prompting Defense Secretary Pete Hegseth to order a review of Pentagon cloud deals.
IIS, which SharePoint runs atop, is presumably written primarily in C.
You can decompile most of SharePoint if you ever need to peek at the code. That's a huge advantage to figure out how it works.
Seriously, I haven't used it since 2017, but every time I used it then it was the worst part of my day. I used to have a shirt that said SHarepoIT Happens that I would wear to work, and it seemed like the one thing I could get my coworkers agree on was that Sharepoint is terrible and we'd rather use anything else.
I have worked at an org that did the same. We already had Confluence. Somebody decided we needed Sharepoint. We licensed and installed it. Six months later we migrated the handful of documents and files and decommissioned it.
This is actually a great day for Microsoft. People will come to their cloud solutions in droves after this and everyone will be happy. Maybe not everyone, but Microsoft for sure.
nevertheless, even NFS is better than sharepoint. At least, NFS works...
Teams is actually SharePoint.
It ain't going anywhere
Here’s just one example:
Each M365 Teams Team creates an M365 Group which creates a SharePoint site and Exchange mailbox. Teams channel files are stored in that SharePoint site. Teams channel messages are stored in the Exchange mailbox.
Private files dropped in Teams are stored in OneDrive (rebranded SharePoint). Private Teams messages are stored in the sender and recipients’ Exchange mailboxes.
M365 is SharePoint and Exchange. EVERYTHING is built on top.
EDIT: changed ‘individual’ to ‘sender and recipients’
Good lord. It truly is a layer of dung layered upon more layers of dung.
Imagine if it was just a hidden (special) folder in an Exchange mailbox.
Voila, you already have a well-known and widely implemented and tested message syncing solution both for content and status (read/unread)
I assume Windows Phone worked the same way with its text message backup. When you'd set up a new phone it would take a while for your Microsoft account to finish syncing during which new messages would trickle into the Messaging app in real time. In fact if your old phone was still on WiFi new messages would show up on both. Still more advanced 15(?!) years ago than my Android today
very slowly
and why the search doesn't work
Nothing works really well nowadays with Exchange (classic, new, web, ...) or Teams. It is a complex layer based on SharePoint, which was not designed for that, because OneDrive is so bad that they have absolutely no way to manage proper sharing of files between multiple people, and even less so between teams and orgs.
I once figured out that you can go to the permissions page on the SharePoint site created by Teams and remove access for the corresponding M365 group.
M365 relies on SharePoint and Exchange, but they don’t rely on M365. So, you can potentially break Teams.
There are so many companies and businesses that rely on offline data, or silo'd data, that will be tied through their AD LDAP account permissions; M365, Teams included, is such a better option than hand rolling all of them and praying you configured every service correctly.
Using this infra for teams makes sense since it already works well. As one poster said, its probably via some hidden folder.
I wonder what they did with skype, did they actually integrate any of it into teams or just dump it entirely?
I used to work within the Office group. The way that data is organized in Exchange is mind-boggling -- and not in a good way, IMO. Its design is from decades ago, and trying to understand how to find something really takes a lot of experience. Without going into any gruesome details of how it works, I'll just say that it is a HUGE hurdle to being productive for day-to-day work.
Similarly, I'm not surprised that there's some kooky way that the Teams folks shoehorned their data into the existing Exchange system -- they probably have no other way to operate at that scale without taking years in writing their own database system. (I can't imagine that using SQL Server to do this would be viable, either, given what they want to do and the capabilities already built on top of Exchange.)
I assume you're talking about MAPI, which owes some of its baroque nature to X.400. It definitely comes from another time. It always struck me as over-engineered.
On the other hand, it has also been ridiculously successful.
Contacts and voicemail are stored in Exchange.
Diagram of data storage locations: https://youtu.be/V6B4KraD-FM?feature=shared&t=454
M365 Groups are still SharePoint + Exchange.
The fact that Sharepoint sucks* doesn’t matter… because anything else is seen as a risk.
* folders with lots of files are hard to scroll through because each page is lazy loaded, the automation functions are buggy, logins between different M365 tenants breaks and is not correctable by a normal site admin, human readable URL paths aren’t standard, search is shit, tables/filters are buggy, the new interface hides a bunch of the permissions logic, some things like permission groups need to be managed via outlook, etc etc. I’m sure a bunch of my gripes are technically fixable, but these aren’t things that should need a web search in order to use/fix.
The sales pitch was that they could upload documents to SharePoint and when people downloaded the documents SharePoint would automatically apply DRM so the documents could only be opened by that person on authorised machines for a specified number of days.
Well, it turned out depending on how you logged in (using the same account, just different login forms) on the SharePoint server it would either give you the files with DRM applied - or the completely unrestricted files.
We got some senior Microsoft consultant working directly for Microsoft to look at it but in the end they were just as confused as us.
The only reason to get downvotes is nonsense of prefacing the post with the 'worry'. Sharepoint would be far from a first choice under normal circumstances (e.g. not bundled with excel and friends)
"The process took six hours Saturday night — much longer than it otherwise would have, because the threat-intelligence and incident-response teams have been cut by 65 percent as CISA slashed funding, Rose said."
One does wonder whether this was all part of Musk's vision, or more thanks to the scum he hired to staff Dog coin and/or other lawless opportunists in the Trump administration.
[1] https://www.washingtonpost.com/immigration/2025/04/16/medica...
[2] https://www.reuters.com/technology/cybersecurity/whistleblow...
That anyone gives a word they say the time of day is actually crazy.
The problem is that while common sense would dictate those nonsensical expenses as such, they were part of the official process, so it was all legalized, so they avoid the FWA labels because the rule writers have made it so.
MS's hosted version of SharePoint. It's apparently unimpacted by this current round of attacks. DOD (since it's been brought up by other commenters) makes significant use of this.
People hosting SharePoint instances themselves. Some on-prem, some with rented computers. These are the impacted ones. It's not about "the cloud", it's about hosted SharePoint having weaknesses that were exploited and many organizations apparently leaving their SharePoint instances accessible over the open internet. These hosted instances are also probably old and unpatched which doesn't help things. Some (many?) units within DOD make use of this, but definitely not all.
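An added example, not from the thread and not Microsoft's code: an offline header check that tells you whether a host in your own inventory is answering as on-prem SharePoint, which is the self-hosted, internet-reachable case described above. On-prem SharePoint returns a `MicrosoftSharePointTeamServices` header carrying the farm build. The build-to-product ranges used to label that build are an assumption based on publicly known RTM builds (a heuristic for spotting old farms, not a patch-level check), and the sample headers are constructed, not captured from a real host.

```python
"""Classify a host as on-prem SharePoint from its HTTP response headers.

Added example, not from the thread. The build-to-product ranges are an
assumption (heuristic based on publicly known RTM builds), not an
authoritative patch-level check.
"""
from dataclasses import dataclass
from typing import Mapping, Optional
import urllib.error
import urllib.request

# Header that on-prem SharePoint emits; value looks like "16.0.0.10337"
# (major.minor.0.build). SharePoint Online does not advertise a farm build.
SP_HEADER = "microsoftsharepointteamservices"

# Assumed product ranges for major version 16 (2016, 2019 and Subscription
# Edition all report 16.0). Boundaries are approximate.
_V16_RANGES = (
    (0, 10000, "SharePoint 2016"),
    (10000, 14000, "SharePoint 2019"),
    (14000, 10**9, "SharePoint Subscription Edition"),
)


@dataclass(frozen=True)
class SharePointFingerprint:
    exposed: bool              # host answered with the SharePoint header
    build: Optional[str]       # raw header value, e.g. "16.0.0.10337"
    product: Optional[str]     # heuristic product label


def product_from_build(build: str) -> str:
    """Map a MicrosoftSharePointTeamServices value to a product name."""
    parts = build.strip().split(".")
    try:
        major = int(parts[0])
        revision = int(parts[3]) if len(parts) >= 4 else 0
    except ValueError:
        return "unknown"
    if major == 14:
        return "SharePoint 2010"
    if major == 15:
        return "SharePoint 2013"
    if major == 16:
        for low, high, name in _V16_RANGES:
            if low <= revision < high:
                return name
    return "unknown"


def classify(headers: Mapping[str, str]) -> SharePointFingerprint:
    """Case-insensitive lookup of the SharePoint header in a header map."""
    lowered = {k.lower(): v for k, v in headers.items()}
    build = lowered.get(SP_HEADER)
    if build is None:
        return SharePointFingerprint(False, None, None)
    return SharePointFingerprint(True, build.strip(), product_from_build(build))


def fetch_headers(url: str, timeout: float = 5.0) -> Mapping[str, str]:
    """HEAD a URL you are authorised to probe and return its headers.

    SharePoint typically answers anonymous requests with 401; the header we
    care about is still present on that error response, so keep it.
    """
    req = urllib.request.Request(url, method="HEAD")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


# Constructed sample headers (not captured from a real host).
SAMPLE_SHAREPOINT = {
    "Server": "Microsoft-IIS/10.0",
    "MicrosoftSharePointTeamServices": "16.0.0.10337",
    "X-Powered-By": "ASP.NET",
}
SAMPLE_OTHER = {"Server": "nginx/1.24.0"}

if __name__ == "__main__":
    for name, hdrs in (("sharepoint", SAMPLE_SHAREPOINT), ("other", SAMPLE_OTHER)):
        print(name, classify(hdrs))
```

Run `classify(fetch_headers("https://host.example/"))` against hosts you own to build the list of farms that answer from the outside; a `product` of "SharePoint 2016" or older on such a host is the "old and unpatched, reachable from the internet" combination the comment warns about, and is worth putting behind a VPN or broker regardless of its current patch level.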
I mean, there are definitely stupid people everywhere, but I'd hope MS leadership isn't that stupid.
You sink one of your own naval vessels (or it sinks due to an accident and you take advantage of the situation) and blame it on an enemy. That enemy is now the target of your military and your population approves.
A shipbuilder hiring someone to poke a hole in 1000 of their ships, which are so badly designed and manufactured that it only takes a rubber ducky bouncing off the hull to sink them, does not encourage anyone to go back to that shipbuilder.
False flags (particularly of the "let's kill or maim hundreds of our own people and other innocent people" variety) push into evil territory. They aren't dumb on their own, they're calculated risks predicated on the willingness of the masses to fall in line after a catastrophe.
Deliberately hurting your own customers by using weaknesses in your own systems in order to motivate them to go buy your other products or services is dumb.
It's interesting to me that you'd go to the hassle of hosting your own SharePoint on prem, but leave it internet facing. I would have assumed the Venn diagram of these organizations to be entirely contained in orgs forcing you to use a VPN.
What a pity that CISA has been purged down of effective useful people and turned into another sad selected-for-political-compliance-only force.
Arizona recently got attacked from Iranian hackers & didn't even bother trying to get help from CISA. https://archive.is/2025.07.19-143305/https://www.azcentral.c...
CISA is so so vital. Investigating incredibly wide ranging attacks like this, or the Salt Typhoon attack are vital for this nation. But the show is being run by a bunch of people who value political dogma far above anything else. https://www.techdirt.com/tag/cisa/
So you don't do that. You use zero trust and don't care that things are exposed to the internet.
Working from anywhere (remote sites, home, your phone) is a huge benefit. Organizations want to control their data entirely while still wanting their organization to be able to access it.
With a VPN the attack surface of this vulnerability would have been minuscule compared to a publicly accessible zero-day RCE
(And it's not like you have to allow carte-blanche access behind the wall)
Defense in depth!
The other salient point is that all connections are established outbound through a broker, and importantly this is the case from both sides: The appliance at the terminating end of the tunnel establishes reverse tunnels to the broker for the connections, so it's never "exposed to the internet".
The broker can then push to your SIEM or whatever so you can have your SOC log jockeys harass your employees for accidentally leaving NordVPN on after watching international sports.
There are actual benefits: You can do things like allow logins to system A from anywhere, but system B only from your home country, you can do JIT network access requests, etc... but mostly it's vendor marketing to get you to spend too much money.
They can be implemented using a variety of technical patterns but they all share a common "each request is authenticated, encrypted" property instead of "anything goes once the tunnel is up" property.
My way of mapping it to VPN mindset is "per app clientless VPNs straight to where the things are hosted". In an extremely open ruleset with all of the servers on a corporate network this could theoretically devolve into "a traditional clientless VPN to the office".
It's software your employer pre-installs on your work PC, that asks you to log in with your work SSO credentials, performs some endpoint security checks, then routes your traffic over a virtual network adapter, and thereby allows you to access workplace resources, even when working from home.
The main difference is it adds some semi-authenticated states. Correct device, username, password, and 2FA, but failed a device posture check because they plugged their phone into their laptop to charge it? The 'Zero Trust' system can block some systems, while letting them retain access to others.
The other big difference is the pricing - rather than paying a five-figure sum upfront for networking hardware, you instead pay $25 per employee per month, forever.
this is not a requirement of zero trust.
The NIST Zero Trust Architecture (ZTA) implementation guides (SP 1800-35) [2] cut through the nonsense and AI generated marketing smoke.
In ZTA, ALL network locations are untrusted. Network connections are created by a Policy Engine that creates and tears down tunnels to each resource dynamically using attribute-based access control (ABAC). Per request.
Microsoft doesn’t have any products that can do full ZTA, so several pillars are missing from their “Zero Trust” marketing materials.
[1] https://www.microsoft.com/insidetrack/blog/securing-the-bord...
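As an added example, not from the thread and not NIST's or Microsoft's code: a minimal per-request policy engine with the ABAC shape described in the comment above. It also covers the two earlier cases in this subthread, system A reachable from anywhere but system B only from the home country, and a user who has the right device, password and MFA but fails a device posture check and keeps some access while losing the rest. Resource names, attribute names, the home country and the policies themselves are assumptions made up for illustration.

```python
"""Per-request, attribute-based policy engine in the ZTA style.

Added example, not from the thread and not NIST's reference code. Resource
names, attributes and the policies themselves are assumptions made up for
illustration.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class RequestContext:
    """Attributes the policy engine sees on every single request."""
    user: str
    groups: FrozenSet[str]
    mfa: bool                 # strong authentication completed this session
    device_managed: bool      # enrolled corporate device
    posture_ok: bool          # endpoint checks passed (e.g. no unknown USB device)
    country: str              # ISO code derived from the client's egress location


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


# A rule returns a denial reason, or None when it is satisfied.
Rule = Callable[[RequestContext], Optional[str]]


def require(pred: Callable[[RequestContext], bool], reason: str) -> Rule:
    return lambda ctx: None if pred(ctx) else reason


MFA = require(lambda c: c.mfa, "mfa required")
MANAGED = require(lambda c: c.device_managed, "unmanaged device")
POSTURE = require(lambda c: c.posture_ok, "device posture check failed")
HOME_COUNTRY = require(lambda c: c.country == "NL", "outside home country")  # "NL" assumed

# Assumed resources and policies. There is no "on the network" shortcut:
# every resource has its own rule set and it is re-evaluated per request.
POLICIES: Dict[str, List[Rule]] = {
    # Low-risk collaboration: any country, any device that completed MFA.
    "wiki": [MFA],
    # Finance application: managed, healthy device, home country, right group.
    "finance": [MFA, MANAGED, POSTURE, HOME_COUNTRY,
                require(lambda c: "finance" in c.groups, "not in finance group")],
    # On-prem SharePoint reached only through the broker: healthy managed device.
    "sharepoint-onprem": [MFA, MANAGED, POSTURE],
}


def evaluate(resource: str, ctx: RequestContext) -> Decision:
    """Evaluate one request. Unknown resources are denied by default."""
    rules = POLICIES.get(resource)
    if rules is None:
        return Decision(False, ["unknown resource: default deny"])
    reasons = [r for r in (rule(ctx) for rule in rules) if r is not None]
    return Decision(not reasons, reasons)


def accessible(ctx: RequestContext) -> Dict[str, bool]:
    """Which resources this request context may reach right now."""
    return {name: evaluate(name, ctx).allow for name in POLICIES}


if __name__ == "__main__":
    # Constructed scenario: right user, password and MFA, but posture failed.
    degraded = RequestContext("alice", frozenset({"finance"}), mfa=True,
                              device_managed=True, posture_ok=False, country="NL")
    print(accessible(degraded))   # wiki reachable, finance and SharePoint not
```

The point of the structure is that the decision is a function of the request's attributes and nothing else: the same user on the same laptop gets a different answer once the posture signal or the egress country changes, and a tunnel to a resource only exists while its rule set is satisfied. A real engine would pull these attributes from the identity provider and the endpoint agent rather than from a constructed dataclass, but the evaluation logic does not change.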
TBH several pillars are missing from their entire security posture.
What does it mean in technical terms? What kind of tunnels are whose and what is their purpose?
Once upon a time Microsoft marketed it as, and a lot of orgs adopted SharePoint as, their intranet. With SharePoint 2019 being sunset, a lot of orgs are scrambling to implement replacements.
I never remember thinking years ago how nice it would be to have all of our private docs that we only need to access on our private network accessible to the public. I just wasn’t thinking outside the box enough.
Some folks wanted SharePoint as their "web server"; I would set that installation up entirely separated from all other instances they may have on the network.
It's the go-to warm-up joke whenever someone in the military gives a speech.
No one considers Google anything less than an impenetrable fortress, but when it's some government entity responsible for keeping American lives safe it's like "ah yeah they probably have a vulnerable on-prem Sharepoint that could easily be pwned."
So why is this? Why do Microsoft products enjoy a monopoly on the server in these sectors when more secure (Linux-based) options are far cheaper and widely deployed already? Isn't security the number one priority in those spaces?
Money changing hands between the suitable people who pop up together at certain social occasions is the priority.
Where is the equivalent tech on the Linux side that Red Hat developed? They simply didn't have a competitive enough alternative. Usually anything outside of the cloud/web server space, you'd find alternative open-source projects rotting with non-clear ownership and year-old last commits. Red Hat and the Linux world weren't interested in developing those things. They weren't interested in making competitive, user-friendly alternatives that enabled non-programmer users. It is hard, thankless, soul-crushing work that nobody does anymore since Microsoft bought or eliminated them. There are simply no equivalent alternatives in the open source world because competing with Microsoft requires accepting significant losses as a company for a long time. Google Workspace is a thing only because Google can finance its developers with ad money.
Just having Linux is no golden key to security either. You need to put the exact amount of barriers in front of your on-prem servers regardless of the OS.
The whole security mess is just the symptom of capitalist economy. Most companies give 0 fucks about it because caring about security is costly and time consuming. With the race to the bottom for first-to-market, caring about security is a risk, it is a distraction. They ignore it until they establish a position and maybe their misdeeds become a liability. However, no company got actually severely punished for not caring about security. So it is still seen as cost by many.
As a corporate drone that has accidentally opened various Microsoft office suite links inside of Teams. My dislike for anything Microsoft continues to grow.
Am I surprised that sharepoint has vulnerabilities? Hell no.
It feels like Microsoft has a (bad) deal with every 3rd rate IT leader where the IT leader eschews Microsoft's BS in exchange for being "unfireable" because "who else knows how all the Microsoft stuff works?"
It's patchable, but it's been two times in a row now, and patching is always slow and incomplete.
Example: if Kroger or whatever your supermarket of choice distributed meat that was infected they would get sued to bits. Microsoft distributes thousands of malicious NPM dependencies and underfund the NPM security team - if there is such a thing - resulting in an entire industry of supplychain security companies to exist. No other registry has the issue of malicious packages as badly as NPM since Microsoft acquired Github.
Microsoft just does not know how to handle security, which is why so many security companies exist to fill their gaps. I don’t trust their security practices one bit tbh.
aspenmayer•1d ago
Related:
ToolShell Mass Exploitation (CVE-2025-53770) - https://research.eye.security/sharepoint-under-siege/ | https://news.ycombinator.com/item?id=44629133