Microsoft revealed on Wednesday that Chinese state-backed hackers have breached its on-premises Exchange Server, which is widely used by companies and institutions for managing email systems. This incident is the most recent among four significant cyberattacks that have targeted Microsoft’s systems in recent months.
The company pointed to three specific Chinese threat groups—Linen Typhoon, Violet Typhoon, and Storm-2603—accusing them of exploiting vulnerabilities in its SharePoint document management software. These hackers mainly targeted organizations that host their own servers rather than using Microsoft’s cloud-based services.
According to Microsoft, the attackers used these security flaws to steal sensitive data and cryptographic keys, giving them repeated access to victim systems. In response, Microsoft has released a critical security update and urged all users to install it immediately.
The report explains that Linen Typhoon has been actively trying to steal information from governments, defence agencies, and human rights groups for over 13 years. Meanwhile, Violet Typhoon is known for espionage activities and typically targets NGOs, think tanks, and the education sector. Storm-2603 is a relatively new hacking group, which is suspected to be based in China.
These hackers exploited a flaw in self-hosted SharePoint systems, which are typically run by businesses and government agencies, to steal cryptographic material and keep accessing confidential documents, according to Microsoft. The cloud version of Microsoft’s SharePoint service does not appear to be affected; the on-premises versions are the main concern.
The hackers sent malicious requests to vulnerable servers, gaining access to digital keys that unlocked sensitive data, the agency reported. Microsoft has now issued emergency patches and is urging everyone to update immediately.
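The point that matters for defenders in the two paragraphs above is that a stolen signing key outlives the bug that exposed it: patching the request-handling flaw stops new thefts, but anything signed with the already-stolen key still verifies until the key itself is replaced. The following is an added illustration, not code from Microsoft or from the article, and it uses a generic HMAC-SHA256 token scheme constructed for this example rather than SharePoint’s actual token or key format.

```python
import base64
import hashlib
import hmac
import json
import secrets


def sign(key: bytes, payload: dict) -> bytes:
    """Produce a token 'body.tag' where tag = HMAC-SHA256(key, body)."""
    body = base64.urlsafe_b64encode(json.dumps(payload, sort_keys=True).encode())
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + b"." + base64.urlsafe_b64encode(tag)


def verify(key: bytes, token: bytes):
    """Return the payload if the tag matches under `key`, otherwise None."""
    try:
        body, tag = token.split(b".")
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, base64.urlsafe_b64decode(tag)):
            return None
        return json.loads(base64.urlsafe_b64decode(body))
    except ValueError:  # bad split, bad base64 or bad JSON all end up here
        return None


def simulate_incident():
    """Model the article's scenario with a constructed server key.

    Returns three booleans: does a token produced with the stolen key
    verify (1) before any fix, (2) after the leaking flaw is patched but
    the key is kept, and (3) after the key is rotated.
    """
    server_key = secrets.token_bytes(32)

    # Assumption for the example: the attacker obtained a copy of the key
    # through the now-patched flaw. We model that simply as a byte copy.
    stolen_key = bytes(server_key)
    forged = sign(stolen_key, {"user": "admin", "role": "FullControl"})

    accepted_before_fix = verify(server_key, forged) is not None

    # Patching closes the path that leaked the key, but the server still
    # trusts the same key, so the forged token is still accepted.
    leak_path_open = False  # the patch is applied
    accepted_after_patch = (not leak_path_open) and verify(server_key, forged) is not None

    # Rotating the key is what actually invalidates the attacker's material.
    server_key = secrets.token_bytes(32)
    accepted_after_rotation = verify(server_key, forged) is not None

    return accepted_before_fix, accepted_after_patch, accepted_after_rotation


if __name__ == "__main__":
    print(simulate_incident())  # expected: (True, True, False)
```

The takeaway the script makes concrete: after an incident in which signing or encryption keys may have been read, installing the update is necessary but not sufficient; the keys must also be rotated and previously issued tokens treated as untrusted.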
Charles Carmakal, the Chief Technology Officer at Mandiant Consulting (a cybersecurity firm under Google Cloud), shared in an email that several organizations had been impacted by the recent cyberattacks. He mentioned that the victims come from a wide range of sectors and industries, and have been found across different regions—including North America, Europe, and East Asia. He noted that the attackers pounced quickly and opportunistically before a solution was available, which shows how serious the breach was.
According to Microsoft, Linen Typhoon has been attacking government, defence and human rights organizations for more than 10 years, while Violet Typhoon, like White Typhoon, carries out long-term espionage campaigns, increasingly targeting NGOs, think tanks and military veterans. Storm-2603, a newer group, has been identified as being China-based with moderate confidence.
The investigations are ongoing, and “we will continue to provide updates as we develop further information on our blog,” Microsoft said in a blog post. For now, the message is clear: update your servers and avoid joining a growing list of victims in a widening cyber-espionage campaign.