The Hague, July 29 - European cybersecurity company Eye Security has released new victim data from the widespread exploitation of the recent Microsoft SharePoint vulnerability, offering one of the clearest windows yet into how the attacks unfolded and who was impacted.
Based on a scan of over 27,000 SharePoint servers between July 18 and July 23, Eye Security confirmed 396 compromised systems across 145 unique organisations in 41 countries. Among these, the government sector accounted for 30% of confirmed infections and the education sector for another 13% worldwide - strongly suggesting targeted exploitation of entities typically pursued in intelligence-led operations.
“From the data, it’s clear this wasn’t a random or opportunistic campaign. The attackers knew exactly what they were looking for,” said Lodi Hensen, VP of Security Operations at Eye Security.
Who Was Hit the Hardest?
The countries most heavily impacted by the successful SharePoint attacks include the United States, Mauritius, Germany and France.
While only two organisations in Jordan were affected, both experienced an unusually high volume of attacks.
Sectors beyond government and education that showed signs of focused targeting include:
- SaaS providers - 9%
- Telecom providers - 4%
- Powergrid - 4%
These sectors are known to hold high-value data and serve as intelligence-rich entry points into broader networks.
A Deeper Look: Beyond the Initial Breach
Eye Security’s investigation also uncovered notable patterns in the attack infrastructure, including the use of debug_dev.js, which appeared disproportionately in attacks targeting Mauritian organisations, an anomaly under further analysis.
Eye Security conducted multiple rounds of scanning over several days. The second wave showed a continued rise in infections, even after Microsoft released emergency patches, indicating that many organisations had not yet secured their systems, or that attackers had established persistence.
“This is the real risk,” said Hensen. “A patch alone doesn't eliminate an attacker who’s already inside. The delay between exploitation and remediation can be devastating — especially for mid-sized organisations without round-the-clock threat detection.”
A Broader Threat Landscape
While Microsoft recently attributed the initial attacks to China-linked actors such as Linen Typhoon, Violet Typhoon, and Storm-2603, new activity suggests that exploitation is no longer limited to state-backed groups.
“In incidents like these, it’s not uncommon to see a rapid shift: once an exploit becomes public and technical details begin to circulate, other state and non-state actors tend to follow. That includes cybercriminal groups with very different motives, especially those focused on financial gain,” said Hensen.
As a result, the focus often broadens beyond strategic targets. Mid-sized organisations - not typically the first hit in intelligence operations - find themselves increasingly exposed. The gap between detection, patch availability, and full remediation creates a critical window of vulnerability that many attackers exploit.
Eye Security expects continued abuse of the SharePoint flaw in the coming weeks, with ransomware and supply chain threats likely to follow. For any organisation that was vulnerable before patching, the risk may not be over: if attackers gained access, applying a fix after the fact doesn’t remove them from the network.
What’s Next
In addition to informing Microsoft and cyber authorities, Eye Security directly notified its customers and partners about the threat on Monday, July 21, and is now urging all organisations using on-premises SharePoint to assume breach, verify patching, and conduct thorough threat hunting.
For mid-sized organisations in particular, the attacks are a wake-up call: “Having Microsoft Defender or patching isn't enough. If you can’t detect what’s happening in real time, you’re already behind,” said Hensen.
Eye Security’s 24/7 MDR platform and incident response team remain on alert to support affected organisations and partners.