Microsoft Corp. is investigating whether a leak from its early alert system for cybersecurity companies allowed Chinese hackers to exploit flaws in its SharePoint service before they were patched, according to people familiar with the matter.
The technology company is looking into whether the program — designed to give cybersecurity experts a chance to fix computer systems before the revelation of new security concerns — led to the widespread exploitation of vulnerabilities in its SharePoint software globally over the past several days, the people said, asking not to be identified discussing private matters.
“As part of our standard process, we’ll review this incident, find areas to improve, and apply those improvements broadly,” a Microsoft spokesperson said in a statement, adding that partner programs are an important part of the company’s security response.
The Chinese embassy in Washington referred to comments made by foreign affairs ministry spokesman Guo Jiakun to media earlier this week, opposing hacking activities. “Cybersecurity is a common challenge faced by all countries and should be addressed jointly through dialogue and cooperation,” Guo said. “China opposes and fights hacking activities in accordance with the law. At the same time, we oppose smears and attacks against China under the excuse of cybersecurity issues.”
Microsoft has attributed SharePoint breaches to state-sponsored hackers from China, and at least a dozen Chinese companies participate in the initiative, called the Microsoft Active Protections Program, or MAPP, according to Microsoft’s website. Members of the 17-year-old program must prove they are cybersecurity vendors and that they don’t produce hacking tools like penetration testing software. After signing a non-disclosure agreement, they receive information about novel patches to vulnerabilities 24 hours before Microsoft releases them to the public.
A subset of more highly-vetted users receive notifications of an incoming patch five days earlier, according to Microsoft’s MAPP website.
Dustin Childs, head of threat awareness for the Zero Day Initiative at cybersecurity company Trend Micro, says Microsoft alerted members of the program about the vulnerabilities that led to the SharePoint attacks. “These two bugs were included in the MAPP release,” says Childs, whose company is a MAPP member. “The possibility of a leak has certainly crossed our minds.” He adds that such a leak would be a dire threat to the program, “even though I still think MAPP has a lot of value.”
Victims of the attacks now total more than 400 government agencies and corporations worldwide, including the US’s National Nuclear Security Administration, the division responsible for designing and maintaining the country’s nuclear weapons. For at least some of the attacks, Microsoft has blamed Linen Typhoon and Violet Typhoon, groups sponsored by the Chinese government, as well as another China-based group it calls Storm-2603. In response to the allegations, the Chinese Embassy has said it opposes all forms of cyberattacks, while also objecting to “smearing others without solid evidence.”
Dinh Ho Anh Khoa, a researcher who works for the Vietnamese cybersecurity firm Viettel, revealed that SharePoint had unknown vulnerabilities in May at Pwn2Own, a conference in Berlin run by Childs’ organization where hackers sit on stage and search for critical security vulnerabilities in front of a live audience. After the public demonstration and celebration, Khoa headed to a private room with Childs and a Microsoft representative, Childs said. Khoa explained the exploit in detail and handed over a full white paper. Microsoft validated the research and immediately began working on a fix. Khoa won $100,000 for the work.
It took Microsoft about 60 days to come up with a fix. On July 7, the day before it released a patch publicly, hackers attacked SharePoint servers, cybersecurity researchers said.
It is possible that hackers found the bugs independently and began exploiting them on the same day that Microsoft shared them with MAPP members, says Childs. But he adds that this would be an incredible coincidence. The other obvious possibility is that someone shared the information with the attackers.
The leak of news of a pending patch would be a substantial security failure, but “it has happened before,” says Jim Walter, senior threat researcher the cyber firm SentinelOne.
MAPP has been the source of alleged leaks as far back as 2012, when Microsoft accused the Hangzhou DPtech Technologies Co., a Chinese network security company, of disclosing information that exposed a major vulnerability in Windows. Hangzhou DPtech was removed from the MAPP group. At the time, a Microsoft representative said in a statement that it had also “strengthened existing controls and took actions to better protect our information.”
In 2021, Microsoft suspected at least two other Chinese MAPP partners of leaking information about vulnerabilities in its Exchange servers, leading to a global hacking campaign that Microsoft blamed on a Chinese espionage group called Hafnium. It was one of the company’s worst breaches ever — tens of thousands of exchange servers were hacked, including at the European Banking Authority and the Norwegian Parliament.
Following the 2021 incident, the company considered revising the MAPP program, Bloomberg previously reported. But it did not disclose whether any changes were ultimately made or whether any leaks were discovered.
A 2021 Chinese law mandates that any company or security researcher who identifies a security vulnerability must report it within 48 hours to the government’s Ministry of Industry and Information Technology, according to an Atlantic Council report. Some of the Chinese companies that remain involved in MAPP, such as Beijing CyberKunlun Technology Co Ltd., are also members of a Chinese government vulnerabilities program, the China National Vulnerability Database, which is operated by the country’s Ministry of State Security, according to Chinese government websites.
Eugenio Benincasa, a researcher at ETH Zurich’s Center for Security Studies, says there is a lack of transparency about how Chinese companies balance their commitments to safeguard vulnerabilities shared by Microsoft with requirements that they share information with the Chinese government. “We know that some of these companies collaborate with state security agencies and that the vulnerability management system is highly centralized,” says Benincasa. “This is definitely an area that warrants closer scrutiny.”
© 2025 Bloomberg LP
