Microsoft has disclosed that a critical vulnerability in its SharePoint server is now being exploited to launch ransomware attacks, signaling a sharp escalation in an ongoing cyber-espionage campaign. At least 400 organizations, including major US federal entities, are impacted as state-aligned threat actors weaponize enterprise software flaws for disruptive purposes.
Microsoft has confirmed a significant escalation in a cyber-espionage campaign exploiting its SharePoint server vulnerability, with attackers now deploying ransomware as part of the attacks. The campaign, which has compromised over 400 organizations globally, marks a serious shift from surveillance-focused intrusions to outright operational disruption.
The campaign is attributed to a threat group tracked internally by Microsoft as “Storm-2603.” While initially framed as a traditional cyber-espionage operation, new intelligence indicates the use of ransomware payloads—a development that transforms the attack from one targeting information theft to one capable of paralyzing critical systems for ransom payments.
Microsoft, which disclosed the details in a technical blog post, noted that the attackers are exploiting a previously unpatched security flaw in SharePoint. This vulnerability created an entry point for deeper infiltration across enterprise networks.
The implications are severe. Ransomware not only compromises data confidentiality but also strikes at business continuity, financial operations, and infrastructure resilience. Experts suggest that the switch from espionage to extortion tactics may reflect growing opportunism by state-aligned or proxy actors who seek both strategic and financial gain.
At the core of the incident lies unpatched enterprise software, a recurring risk in corporate IT environments. The flaw in question had triggered urgency within Microsoft’s incident response ecosystem, but the late identification of active ransomware deployment has amplified the fallout.
A representative from the US National Institutes of Health confirmed their systems were among those compromised. Several other federal agencies are reportedly affected, though full details remain undisclosed. In response, affected servers have been isolated, and containment measures are underway across multiple data centers.
The surge in affected organizations—from 100 identified victims over the weekend to over 400 currently—suggests the scope is much broader than initially assessed. Analysts warn that the real count may be substantially higher due to limited forensic visibility across all attack vectors.
Microsoft has not yet provided detailed attribution or a breakdown of affected sectors but reaffirmed its commitment to enhancing SharePoint security and issuing updates for broader threat mitigation.
This incident highlights a growing trend where enterprise vulnerabilities become high-value targets for geopolitical and economic disruption. It also underscores the need for urgent enterprise patching practices and proactive cybersecurity frameworks.

