On July 20, 2025, reports indicate a significant cyberattack targeting U.S. government agencies, businesses, universities, energy companies, and an Asian telecommunications firm. Hackers exploited a major security flaw in widely used Microsoft server software. The attack affected multiple sectors, breaching federal and state agencies among others.
Exploitation of the vulnerability began on the evening of Friday, July 18, 2025, and was being reported extensively by July 20, 2025. The vulnerability affects on-premises SharePoint servers and allows unauthenticated access that gives attackers full control over SharePoint content, file systems, and internal configurations, as well as remote code execution over the network. This severity has prompted immediate responses from cybersecurity authorities and affected organizations.
Key Points
A major cyberattack has exploited a vulnerability in Microsoft SharePoint Server, affecting U.S. government agencies, businesses, universities, and international entities.
The attack, known as ToolShell, involves unauthorized access and has impacted critical infrastructure, with ongoing investigations by multiple governments.
Research suggests the vulnerability, CVE-2025-53770, allows attackers to steal data and execute code remotely, with no patch currently available.
The evidence leans toward significant impacts, including data theft and potential "wiper" attacks, though the full scope is still being assessed.
Impact and Response
Research suggests the attack has led to the theft of sensitive data, password harvesting, and the theft of cryptographic keys, which could allow re-entry even after patches are applied. While "wiper" attacks (deleting data) are rare, some instances have been noted. CISA recommends configuring Anti-Malware Scan Interface (AMSI) in SharePoint, deploying Microsoft Defender AV, and disconnecting affected systems if necessary. Microsoft has not yet released an official patch but is providing guidance.
Researcher quotes emphasize the severity:
Adam Meyers from CrowdStrike stated, “Anybody who’s got a hosted SharePoint server has got a problem. It’s a significant vulnerability.”
Pete Renals from Palo Alto Networks’ Unit 42 noted, “We are seeing attempts to exploit thousands of SharePoint servers globally before a patch is available.”
An anonymous researcher highlighted the timing issue, saying, “So pushing out a patch on Monday or Tuesday doesn’t help anybody who’s been compromised in the past 72 hours.”
Response and Mitigation Strategies
CISA and Microsoft have issued guidance to mitigate the attack:
CISA Recommendations: Configure AMSI in SharePoint, deploy Microsoft Defender AV on all servers, and, if AMSI cannot be enabled, disconnect public-facing affected products from service until mitigations are available; for cloud services, follow BOD 22-01 or discontinue use if mitigations are unavailable.
Microsoft Actions: No official patch has been released as of July 20, 2025, but customer guidance is available at https://msrc.microsoft.com/blog/2025/07/customer-guidance-for-sharepoint-vulnerability-cve-2025-53770/. Microsoft also suggested modifying SharePoint server programs or unplugging them from the internet.
Additional Security Measures: Update intrusion prevention systems and web-application firewalls to block exploit patterns, implement comprehensive logging, and audit and minimize layout and admin privileges.
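The logging recommendation above only helps if the logs are actually reviewed. The following Python script is an added example for this article, not code from the original page and not part of CISA's or Microsoft's guidance. It parses IIS W3C extended log lines from an on-premises SharePoint server and flags requests to application pages under /_layouts/ that the server answered successfully (HTTP status below 400) without an authenticated user and from an address outside the internal ranges. The internal ranges, the log lines, the user names and the client addresses are constructed assumptions for illustration. An anonymous request that receives a 401 is the normal authentication challenge and is deliberately not flagged; it is the anonymous request that gets a 200 that deserves a look.

```python
"""Triage helper for IIS W3C logs from an on-premises SharePoint server (added example)."""
from ipaddress import ip_address, ip_network

# Assumed internal address space for the farm; adjust to the real ranges.
# (Do not rely on ipaddress.is_private here: it also classifies the
# documentation ranges used in the sample below as non-global.)
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample log (not real data). IIS writes one "#Fields:" header
# per log file; the column names below are the IIS defaults.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 10.0
#Version: 1.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-19 21:14:02 10.0.0.5 GET /sites/hr/SitePages/Home.aspx - 443 CONTOSO\alice 10.0.1.20 Mozilla/5.0 - 200 0 0 120
2025-07-19 21:14:05 10.0.0.5 GET /_layouts/15/settings.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 401 2 5 3
2025-07-19 21:14:06 10.0.0.5 POST /_layouts/15/settings.aspx - 443 - 203.0.113.7 python-requests/2.31 - 200 0 0 340
2025-07-19 21:14:09 10.0.0.5 POST /_layouts/15/settings.aspx - 443 CONTOSO\bob 10.0.1.21 Mozilla/5.0 - 200 0 0 210
2025-07-19 21:15:30 10.0.0.5 POST /_layouts/15/upload.aspx - 443 - 198.51.100.9 curl/8.4 - 200 0 0 98
"""


def parse_iis_log(text):
    """Parse W3C extended log text into one dict per request, keyed by the #Fields names."""
    fields = None
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]      # column names for the lines that follow
            continue
        if line.startswith("#"):
            continue                        # other directives (#Software, #Date, ...)
        if fields is None:
            raise ValueError("data line encountered before a #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue                        # truncated or malformed line; skip, do not abort
        records.append(dict(zip(fields, parts)))
    return records


def is_internal(ip):
    """True when the client address falls inside one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def find_unauthenticated_layout_hits(records):
    """Requests under /_layouts/ served (status < 400) to an anonymous, external client."""
    hits = []
    for r in records:
        if not r["cs-uri-stem"].lower().startswith("/_layouts/"):
            continue
        if r["cs-username"] != "-":
            continue                        # an authenticated user was identified
        if is_internal(r["c-ip"]):
            continue                        # internal clients are out of scope for this check
        if int(r["sc-status"]) >= 400:
            continue                        # 401/403 is the expected reply to an anonymous request
        hits.append(r)
    return hits


def summarize_by_client(hits):
    """Count flagged requests per client address to prioritise review."""
    counts = {}
    for h in hits:
        counts[h["c-ip"]] = counts.get(h["c-ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_unauthenticated_layout_hits(parse_iis_log(SAMPLE_LOG))
    for h in hits:
        print(h["date"], h["time"], h["c-ip"], h["cs-method"], h["cs-uri-stem"], h["sc-status"])
    print(summarize_by_client(hits))
```

Point the script at a real log by replacing SAMPLE_LOG with the contents of the files under the IIS LogFiles directory for the SharePoint web application; the same functions work unchanged on the file text. Any flagged client address is a starting point for review, not proof of compromise, and the check is only as good as the coverage of the INTERNAL_NETS list.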
Organizations are urged to report incidents to CISA at Report@cisa.gov or (888) 282-0870 for further assistance.
Contextual Background
This attack follows a pattern of recent cybersecurity issues with Microsoft, including a 2023 Chinese hack of U.S. government emails and a similar vulnerability exploited earlier in July 2025. CISA’s threat-intelligence teams have faced funding cuts (65% reduction), which may impact response capabilities. The attack’s timing, coinciding with global cybersecurity surges (a 21% increase in weekly incidents in Q2 2025, with education hardest hit), adds to the urgency of addressing such threats.
Supporting Sources
The analysis is informed by:
Washington Post: https://www.washingtonpost.com/technology/2025/07/20/microsoft-sharepoint-hack/
Eye Security: https://research.eye.security/sharepoint-under-siege/
Palo Alto Unit42: https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-07-19-Microsoft-SharePoint-vulnerabilities-CVE-2025-49704-and-49706.txt
Note: Grok was used to write this article; please feel free to post any corrections or updates below.
Cyber polygon moves..
If you're wondering about lawfare, I explain here in my essay:
https://open.substack.com/pub/soberchristiangentlemanpodcast/p/lawfare-the-silent-war-of-legal-deception?utm_source=share&utm_medium=android&r=31s3eo
Hey ! Let’s all RUSH into the digital cage of ‘freedom’ by surveillance and ‘security’ the Communist CON-trolling Int’l USURY Bankster$ are dreaming’ of in their wet dream$. 🤔 We can call it RUSH-Speed to not offend those STILL involved with WarpSpeeding toxic v🪓cine$$$ !
Seems some “useless eaters” missed two lessons learnable in life or kindergarten. “Haste makes waste” and “Hurry makes worry.”
Hmmm … perhaps billy goats just had a few more unused, deadly computer-toxcines in the barnyard that just needed to ‘stretch their leg$’ to help with the WHO’s, or whoever’s next ScamDemic, PlanneDemic or DamnedDemic. SQUIRREL !!! 😳😬
🤣 or 😭 but Be Grateful ! ….. the minority swarming at the ‘top’ wants us …
Diseased, Disabled or DEAD ! Have you heard otherwise ? Feedback welcome and Thank YOU, 💗💓 💟 😍 ❤️