Microsoft has reportedly ceased sharing proof-of-concept (PoC) exploit code with Chinese firms as part of its Microsoft Active Protections Program (MAPP), a policy change directly linked to the mass exploitation of SharePoint flaws in July 2025. This decision was prompted by the belief that early bug details, shared through the MAPP, may have been leaked, enabling threat actors to develop and deploy exploits before comprehensive patches were available. To prevent future incidents, firms in countries requiring government vulnerability reporting, such as China, will now only receive general written descriptions of flaws, not the functional PoC code that could be used for offensive purposes.
The Microsoft Active Protections Program is designed to give trusted security vendors a head start on preparing defenses by providing them with early information about upcoming vulnerabilities, typically two weeks before a scheduled Patch Tuesday. Partners sign non-disclosure agreements, the intent being to protect users against new exploits before they circulate. That process broke down in July, when China-based groups began exploiting two critical SharePoint vulnerabilities on over 400 on-premises servers. Although Microsoft disclosed the bugs on July 8, it later admitted its initial patches were incomplete, and complete fixes were not available until July 21, by which point mass exploitation of servers that had applied the first, incomplete update had already begun. The gap between the early MAPP notification and a working fix is what raised concerns about the disclosure process.
The exploitation campaign was attributed to several China-linked groups, including two named nation-state actors and at least one ransomware gang. According to a Microsoft report, the groups Linen Typhoon and Violet Typhoon were observed exploiting the SharePoint flaws for initial access as early as July 7. Additionally, a third China-based threat actor, tracked as Storm-2603, was also involved. The rapid and coordinated nature of the attacks, which targeted internet-facing SharePoint servers, underscored the efficiency with which these groups leveraged the vulnerabilities to achieve remote code execution and gain a foothold in victim networks.
The technical details of the attack show how the threat actors bypassed authentication to take over the systems. They began by scanning for vulnerable on-premises SharePoint servers and then sent malicious POST requests to the ToolPane endpoint. When the request succeeded, it let the attackers plant a malicious script, such as spinstall0.aspx (sometimes with a slightly altered name to evade detection), whose purpose was to read the server's ASP.NET MachineKey material. Those keys are what SharePoint uses to sign and encrypt ViewState, so an attacker holding them can forge requests the server accepts as legitimate. That is why the theft matters beyond the initial break-in: applying the patch closes the entry point, but the stolen keys remain valid until they are rotated, and a compromised server should have its machine keys regenerated and IIS restarted as part of remediation, not just patched.
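The following hunting script is an added example, not code from the article or from Microsoft, that turns the chain described above into a check over IIS W3C logs: an unauthenticated POST to ToolPane.aspx with DisplayMode=Edit, followed by requests for a spinstall*.aspx page under _layouts. Several details are assumptions rather than facts from the text: the default IIS field order, the wildcard pattern used to catch renamed spinstall pages, the use of a SignOut.aspx Referer as a confidence booster (taken from public hunting guidance for this campaign, not from the article), and the sample log lines, which are constructed and represent no real traffic.

```python
"""Hunt IIS W3C logs for the SharePoint ToolPane -> spinstall exploitation chain.

Added example. Field order, patterns and sample data are assumptions
described in the lead-in; the log lines below are constructed, not real.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Tuple

# Default field order of an IIS 10 W3C Extended log. A real file declares
# this in a '#Fields:' header, which parse_w3c() honours when present.
DEFAULT_FIELDS = [
    "date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
    "s-port", "cs-username", "c-ip", "cs(User-Agent)", "cs(Referer)",
    "sc-status", "sc-substatus", "sc-win32-status", "time-taken",
]

# ToolPane endpoint, with or without the /15/ (or other) version segment.
TOOLPANE_RE = re.compile(r"/_layouts/(?:\d+/)?toolpane\.aspx$", re.I)
# The article notes the web shell name may be slightly altered; this
# wildcard (our assumption) covers spinstall0.aspx, spinstall1.aspx, etc.
SPINSTALL_RE = re.compile(r"/_layouts/(?:\d+/)?spinstall\w*\.aspx$", re.I)

# Constructed sample log (NOT real traffic). Line numbers matter for tests:
# 4 = suspicious ToolPane POST, 5 and 6 = spinstall pages, 7 = benign edit.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-07-18 10:01:02 10.0.0.5 GET /sites/finance/_layouts/15/start.aspx - 443 CORP\\alice 10.0.1.22 Mozilla/5.0 https://sp.corp.example/ 200 0 0 120
2025-07-18 10:02:41 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit&a=/ToolPane.aspx 443 - 203.0.113.77 Mozilla/5.0 /_layouts/SignOut.aspx 200 0 0 340
2025-07-18 10:02:43 10.0.0.5 GET /_layouts/15/spinstall0.aspx - 443 - 203.0.113.77 Mozilla/5.0 - 200 0 0 15
2025-07-18 10:05:10 10.0.0.5 GET /_layouts/15/spinstall1.aspx - 443 - 198.51.100.9 python-requests/2.31 - 200 0 0 12
2025-07-18 10:06:00 10.0.0.5 POST /_layouts/15/ToolPane.aspx DisplayMode=Edit 443 CORP\\bob 10.0.1.30 Mozilla/5.0 https://sp.corp.example/sites/finance 200 0 0 210
"""


@dataclass(frozen=True)
class Finding:
    line_no: int
    client_ip: str
    rule: str
    severity: str
    detail: str


def parse_w3c(lines: Iterable[str]) -> Iterator[Tuple[int, Dict[str, str]]]:
    """Yield (line_no, record) for each data line, tracking '#Fields:' headers."""
    fields = list(DEFAULT_FIELDS)
    for n, raw in enumerate(lines, start=1):
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        parts = line.split(" ")  # IIS encodes spaces inside a field as '+'
        if len(parts) != len(fields):
            continue  # truncated or malformed record: skip, do not misalign columns
        yield n, dict(zip(fields, parts))


def hunt(lines: Iterable[str]) -> List[Finding]:
    """Flag ToolPane exploitation attempts and spinstall-style web shell hits."""
    findings: List[Finding] = []
    for n, rec in parse_w3c(lines):
        method = rec.get("cs-method", "").upper()
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        user = rec.get("cs-username", "-")
        referer = rec.get("cs(Referer)", "-")
        ip = rec.get("c-ip", "-")

        # Rule 1: POST to ToolPane.aspx in edit mode. Authenticated editors do
        # this legitimately, so only an anonymous request, or one carrying the
        # SignOut.aspx Referer seen in public reporting, is flagged.
        if method == "POST" and TOOLPANE_RE.search(stem) and "displaymode=edit" in query.lower():
            signout_ref = "signout.aspx" in referer.lower()
            if signout_ref or user == "-":
                findings.append(Finding(
                    n, ip, "toolpane_post", "high" if signout_ref else "medium",
                    f"POST {stem}?{query} user={user} referer={referer}"))

        # Rule 2: any request for a spinstall*.aspx page under _layouts. These
        # pages do not exist on a clean install, so a 200 means the shell is live.
        if SPINSTALL_RE.search(stem):
            findings.append(Finding(
                n, ip, "spinstall_webshell", "high",
                f"{method} {stem} status={rec.get('sc-status', '?')}"))
    return findings


def by_client(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group distinct rule names by client IP, for a quick triage view."""
    grouped: Dict[str, set] = {}
    for f in findings:
        grouped.setdefault(f.client_ip, set()).add(f.rule)
    return {ip: sorted(rules) for ip, rules in grouped.items()}


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"line {f.line_no}: [{f.severity}] {f.rule} from {f.client_ip}: {f.detail}")
    print(by_client(results))
```

Run against a real log with `hunt(open(path, encoding="utf-8"))`; the parser picks up the site's own `#Fields:` header, so a non-default column layout is handled. A hit on either rule is a trigger to pull the server's ASP.NET machine keys, not just to patch, since the keys are the attacker's persistence.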
In response to the breaches, Microsoft provided indicators of compromise (IOCs) and hunting tools to help defenders detect and mitigate the ongoing attacks. The decision to restrict PoC sharing is part of a broader effort to manage the risk inherent in pre-release vulnerability disclosure while still enabling legitimate defensive work. Despite these efforts, Microsoft has warned that more threat actors are adopting the SharePoint exploits and expects continued attacks on unpatched on-premises systems. The episode illustrates the tension at the heart of programs like MAPP: the same early detail that lets defenders ship protections ahead of a patch is, in the wrong hands, a head start for attackers.