Vietnamese cybersecurity researcher Dinh Ho Anh Khoa in May uncovered a vulnerability in Microsoft Corp’s document management software, SharePoint, at an event designed to encourage ethical hacking that makes our technology more robust. He received US$100,000 from Trend Micro, the security group that sponsored the event.
As part of the deal, flaws discovered in these competitions must be kept under wraps to give affected companies time to assess the threat, work on a fix, test it and release it. In this case, Microsoft released its patch by July 8 — a reasonable timeframe, cybersecurity experts say, given there had been no indication the hack had been used “in the wild” until July 7.
However, within days of the purported fix, it became clear Microsoft engineers had missed something. Sophisticated actors, said to be working on behalf of China, had found a work-around.
The vulnerability has been used to target hundreds of entities, including government agencies. The US Nuclear Weapons Safety Agency was reported to be among those affected. The attack enables hackers to gain unrestricted access to a person’s SharePoint system and any valuable data it contains.
The exploit would also allow bad actors to “execute code” on that server, advisories said.
Microsoft hurriedly updated its patch, releasing it on Monday last week. Experts are watching now to see whether it holds.
However, Microsoft could only do so much. One critical detail of the attack is that it affects only those that use on-premises SharePoint installations — that is, a company that uses its own servers to run the software and gives its employees access to it rather than paying Microsoft to host it in the cloud. There are good (and often legally required) reasons to do this, but it also means the onus is now on affected users to carry out the recommendations set out by Microsoft and endorsed by US cyberdefense officials. These include taking steps to render stolen cryptographic keys useless.
Top of mind should be the prospect that this hack provided the groundwork for a more consequential attack to come. Companies must not be lulled into thinking “that they are secure by applying the updates a couple of days” after the attacks, warned cybersecurity specialist Vaisha Bernard from Eye Security, which has analyzed and tracked the attack.
It was possible “backdoors have already been placed, and maybe weeks later somebody else uses those backdoors and completely shuts down an organization with a ransomware attack,” he said.
Digital sleeper cells, in effect, could be waiting for an opportune moment. It is a pattern we have seen before. In 2021, several exploits were discovered in on-premises instances of the Microsoft Exchange Server, allowing administrator privileges. Ten days after a patch was issued, Microsoft security researchers warned of a new “family” of ransomware attacks exploiting servers that were hit before the patch was installed.
Even if “sensitive” data was not stored on a target’s SharePoint, as the US nuclear agency reassured, the risk is merely reduced. It does not take much “insider” context to make trickery vastly more effective. Details of next weekend’s company softball game, say, could be enough leverage for social engineering. That is one risk.
Another is that hackers with access to a company’s SharePoint server might use it to move “laterally” among a company’s information technology systems, Bernard said.
“With a little work, but quite easily, hackers could penetrate the other servers in the network,” he said. “They then can work their way up to get system administrator privileges and then access any system in these networks.”
It might be tempting to point at Microsoft alone and consider this its failure. On what we know so far, that seems unfair. No piece of software is free from vulnerabilities, and the ethical system for encouraging their discovery essentially worked in this case, alerting Microsoft to the problem before the hack method was out there for anyone to use. (Although, how it seems to have been leaked just before the July 8 patch might be cause for investigation.)
When its initial fix failed, the company acted swiftly. “Blazing fast,” in Bernard’s view.
The whole affair is indicative of the relentless high-stakes cat-and-mouse game between the cybersecurity industry and international bad actors. It is a battle that will never end.
Dave Lee is Bloomberg Opinion’s US technology columnist. He was previously a correspondent for the Financial Times and BBC News.