New Report Claims Microsoft Used China-Based Engineers For SharePoint Support and Bug Fixing

Recent investigations have identified that Microsoft engaged engineers based in China to provide maintenance and support for its SharePoint software. This platform was recently targeted by state-sponsored cyber attacks.

The incident has raised concerns about cybersecurity practices related to critical infrastructure used by numerous governmental and private entities.

Microsoft disclosed that the attacks on SharePoint “OnPrem” installations commenced on Mon, Jul 7, 2025.

Chinese hackers exploited vulnerabilities in the on-premises version of SharePoint, gaining unauthorized access to systems across several high-profile targets, including the National Nuclear Security Administration and the Department of Homeland Security.

The attackers demonstrated advanced persistent threat capabilities, maintaining access after Microsoft’s initial security patch on Tue, Jul 8, 2025.

ProPublica analysts identified that China-based engineering teams were responsible for SharePoint maintenance and bug fixes over several years, as revealed by Microsoft’s internal work-tracking system screenshots.

This discovery highlights potential vulnerabilities, as personnel responsible for maintaining software integrity may inadvertently create exploitable weaknesses.

The U.S. Cybersecurity and Infrastructure Security Agency confirmed that the exploit allowed attackers to access SharePoint content, including file systems and internal configurations, and execute code over the network.

Persistence and Evasion Mechanisms

The SharePoint exploit involved advanced persistence tactics that allowed the attackers to keep their access after the initial remediation efforts.

After Microsoft released the first security patch on Tue, Jul 8, the attackers adapted to bypass new protections, necessitating more robust subsequent updates from Microsoft.

The persistence mechanism likely involved embedding malicious code within SharePoint’s configuration files and utilizing the platform’s extensive file system access capabilities.

Attackers established backdoors by modifying authentication modules or creating hidden administrative accounts within SharePoint infrastructure, allowing sustained access to sensitive data while evading standard security monitoring tools.

Microsoft has acknowledged the security implications and plans to relocate China-based support operations to alternative locations.

All work was conducted under U.S.-based supervision with mandatory security reviews, although the effectiveness of these oversight measures remains in question.