
ToolShell: A wake-up call for SharePoint data management

BY Ground Labs | 24 July 2025

This week, Microsoft confirmed that Chinese APT groups, including Linen Typhoon, Violet Typhoon and Storm-2603, have been actively exploiting vulnerabilities in on-premises SharePoint servers (SharePoint Online in Microsoft 365 is not affected). The exploit chain built from these vulnerabilities has been named "ToolShell."

ToolShell is being used by threat actors to gain initial access to target organizations. Initial access is the first stage of an intrusion: the attacker obtains a foothold inside the organization's network, bypassing perimeter controls, and uses it as the basis for follow-on activity such as ransomware deployment and data exfiltration.

According to the Washington Post, attackers have successfully breached US federal and state agencies, universities, energy companies and an Asian telecommunications company.

Why SharePoint is a prime target 

SharePoint is a high-value target for attackers. The platform is used as a central repository for enterprise data, and because it is widely used for collaboration with third parties, many on-premises deployments are exposed directly to the internet. That exposure is exactly what ToolShell takes advantage of.

Additionally, it is deeply integrated with other Microsoft services, including Office, Teams, OneDrive and Outlook. Those integrations offer attackers a further goldmine of information and a path for onward movement into the organization's network.

In the July 2025 attacks, the threat actors have been observed installing webshells, deploying persistent backdoors to ensure future access, stealing the servers' cryptographic keys and exfiltrating sensitive data. The key theft matters for recovery: with a SharePoint server's ASP.NET machine keys, an attacker can forge signed requests and regain code execution on a server that has since been patched. Microsoft's guidance is therefore to rotate the machine keys and restart IIS on every SharePoint server after applying the update, rather than relying on patching alone.
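For teams checking whether an exposed server was hit, the following is a hunting check added to this post as an example; it is not code from the original article or from any Ground Labs product. It reads IIS W3C logs and flags the request shape publicly reported for the ToolShell chain: a POST to /_layouts/15/ToolPane.aspx (or the 16 hive) whose Referer is /_layouts/SignOut.aspx. As a secondary heuristic it also flags a successful (200) ToolPane.aspx request with no authenticated user, since that page normally answers anonymous requests with a 401 challenge. The log lines are constructed for illustration, and the field order is taken from the log's own #Fields directive rather than assumed.

```python
"""Hunt IIS W3C logs for the ToolShell request pattern.

Added example. The sample log below is constructed, not captured from a real
server. Field layout follows the IIS default W3C set but is parsed from the
#Fields directive, so other layouts work as long as the named fields exist.
"""
import re
import sys
from dataclasses import dataclass, field
from typing import Dict, Iterable, Iterator, List

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 09:12:01 10.0.0.5 GET /_layouts/15/start.aspx - 443 CONTOSO\\jdoe 10.0.0.23 Mozilla/5.0 - 200 0 0 120
2025-07-18 09:13:44 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.77 Mozilla/5.0 https://sp.contoso.example/_layouts/SignOut.aspx 200 0 0 318
2025-07-18 09:20:02 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CONTOSO\\admin 10.0.0.40 Mozilla/5.0 https://sp.contoso.example/sites/hr/SitePages/Home.aspx 200 0 0 90
2025-07-18 09:21:10 10.0.0.5 GET /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 - 10.0.0.41 Mozilla/5.0 - 401 2 5 3
"""

# ToolPane.aspx in either the 15 or 16 hive; SharePoint paths are case-insensitive.
TOOLPANE = re.compile(r"^/_layouts/1[56]/toolpane\.aspx$", re.IGNORECASE)
# SignOut.aspx referer, with or without the hive number.
SIGNOUT = re.compile(r"/_layouts/(1[56]/)?signout\.aspx$", re.IGNORECASE)


@dataclass
class Hit:
    time: str
    client_ip: str
    method: str
    uri: str
    query: str
    referer: str
    status: str
    reasons: List[str] = field(default_factory=list)


def parse_w3c(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield one dict per log record, keyed by the names in the #Fields line."""
    fields: List[str] = []
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):  # other directives (#Software, #Version, #Date)
            continue
        if not fields:
            raise ValueError("log record appears before any #Fields directive")
        parts = line.split(" ")
        if len(parts) != len(fields):
            continue  # malformed or truncated record; skip rather than misalign fields
        yield dict(zip(fields, parts))


def find_toolshell(lines: Iterable[str]) -> List[Hit]:
    """Return records matching the ToolShell pattern, each with the reasons it fired."""
    hits: List[Hit] = []
    for rec in parse_w3c(lines):
        if not TOOLPANE.match(rec.get("cs-uri-stem", "")):
            continue
        reasons = []
        # Primary signature: POST to ToolPane.aspx with a SignOut.aspx referer.
        if rec.get("cs-method") == "POST" and SIGNOUT.search(rec.get("cs(Referer)", "")):
            reasons.append("POST to ToolPane.aspx with SignOut.aspx referer")
        # Secondary heuristic: anonymous request to ToolPane.aspx that succeeded.
        if rec.get("cs-username", "-") == "-" and rec.get("sc-status") == "200":
            reasons.append("successful ToolPane.aspx request with no authenticated user")
        if reasons:
            hits.append(Hit(rec.get("time", ""), rec.get("c-ip", ""), rec.get("cs-method", ""),
                            rec["cs-uri-stem"], rec.get("cs-uri-query", ""),
                            rec.get("cs(Referer)", ""), rec.get("sc-status", ""), reasons))
    return hits


if __name__ == "__main__":
    # Usage: python toolshell_hunt.py [path\to\u_ex250718.log]; defaults to the sample.
    source = open(sys.argv[1], encoding="utf-8", errors="replace") if len(sys.argv) > 1 \
        else SAMPLE_LOG.splitlines()
    for h in find_toolshell(source):
        print(f"{h.time} {h.client_ip} {h.method} {h.uri}?{h.query} status={h.status}")
        for r in h.reasons:
            print(f"    - {r}")
```

The legitimate edit-mode POST by CONTOSO\admin and the anonymous 401 challenge in the sample are there deliberately: neither fires, which is the false-positive behaviour you want before running this over a month of logs. A hit on the primary signature from an external address should be treated as a likely compromise, with webshell and machine-key checks to follow.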

Data hygiene for SharePoint security

SharePoint can be a complex environment to monitor for data security. As a store for unstructured data (data that does not follow a formal schema: documents, images, presentations and more), SharePoint is commonly used in place of file-server-based storage, alongside connected services such as OneDrive.

This means that all types of company information end up in the platform, including customer and employee personal information, credit card numbers, intellectual property, proprietary information and secrets. 

Poor visibility into SharePoint content and limited data hygiene practices leave sensitive data exposed without anyone monitoring it. It is therefore crucial that businesses are able to search SharePoint systematically and identify all sensitive information hosted within it.

Reducing SharePoint data risk with Enterprise Recon

Enterprise Recon supports discovery scanning and data management in SharePoint Server editions and SharePoint Online. Enterprise Recon delivers deep scanning of all files within the platform, resulting in a comprehensive identification of all sensitive data assets. 

This full-file scanning approach delivers greater assurance than the sample scanning offered by many competitor solutions – essential for effective data management of unstructured data repositories such as SharePoint.

Packaged with data remediation and access governance features, and able to scan repositories beyond the Microsoft ecosystem, Enterprise Recon enables organizations to monitor and manage sensitive data across their entire digital estate.

A wake-up call for SharePoint data management

ToolShell serves as a reminder that collaboration tools like SharePoint are high-value targets for sophisticated threat actors. Active ToolShell exploitation of internet-exposed SharePoint servers, affecting government, critical infrastructure and private sector organizations, has resulted in significant theft of sensitive data.

The impact of such attacks can be reduced through ongoing data governance using tools like Enterprise Recon. These tools help uncover hidden risks, enforce data hygiene and maintain visibility across sprawling SharePoint environments. 

To find out how Ground Labs can support your business, arrange a complimentary data risk assessment or book a call with one of our experts today.