A recent investigation has uncovered that Microsoft relied on engineers located in China to provide support and maintenance for its SharePoint platform, the same collaboration tool that was recently exploited by Chinese state-backed hackers.
This finding has triggered serious cybersecurity concerns, especially regarding insider threats in software that is heavily used by both private companies and government agencies worldwide.
Background of the Incident
Microsoft disclosed last month that its SharePoint “OnPrem” installations had been targeted in an advanced cyberattack that began on July 7, 2025. Hackers exploited vulnerabilities in the on-premises version of the software, gaining unauthorized access to networks belonging to several high-value organizations, including the Department of Homeland Security and the National Nuclear Security Administration.
Despite Microsoft releasing a security patch on July 8, attackers continued to adapt their methods and successfully maintained access even after the update was applied. This demonstrated the persistence typical of an advanced persistent threat (APT) and highlighted the limits of patch-and-forget defense strategies.
Internal Findings
Investigators from ProPublica examined Microsoft’s internal work-tracking system and discovered that teams of engineers based in China had been responsible for SharePoint bug fixing and support for years. This revelation raises concerns that the same personnel tasked with securing the software may have inadvertently or indirectly introduced weaknesses that were later exploited by attackers.
Scope of the Exploit
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) confirmed that the exploited vulnerabilities gave attackers full access to SharePoint environments, including file systems, internal configurations, and the ability to execute malicious code remotely. In many cases, the exploit granted attackers administrative-level privileges.
Persistence and Evasion
The attack demonstrated highly sophisticated persistence mechanisms. Threat actors embedded malicious code in SharePoint configuration files, created hidden administrative accounts, and modified authentication modules. These tactics allowed long-term unauthorized access, often evading standard monitoring tools.
Even after Microsoft’s initial patch, the attackers quickly developed new methods to bypass protections, forcing the company to release stronger and more comprehensive updates.
Microsoft’s Response
Acknowledging the risks, Microsoft has announced its intention to relocate its China-based support operations to other locations. While the company emphasized that all work was supervised by U.S.-based teams and subjected to mandatory security reviews, experts argue that such oversight may not fully address the risks tied to foreign-based engineering staff working on critical software infrastructure.