A sophisticated cyberattack has exploited a zero-day vulnerability in Microsoft SharePoint servers, compromising over 400 entities worldwide, with significant impacts in African nations such as South Africa and Mauritius. This attack specifically targets on-premises SharePoint installations, leveraging previously unknown security flaws to infiltrate critical infrastructure systems belonging to government agencies, educational institutions, and private corporations.
The malware campaign emerged last week when Dutch cybersecurity firm Eye Security detected the initial wave of breaches. Unlike typical SharePoint vulnerabilities that affect cloud-hosted instances, this zero-day specifically targets organizations running SharePoint servers on their own infrastructure—a configuration many institutions prefer for enhanced control and security.
The attack vector leverages unauthorized code execution capabilities within SharePoint’s document collaboration framework, enabling attackers to establish persistent access to targeted networks. Business Insider Africa analysts identified the malware’s sophisticated behavior patterns, noting its ability to remain undetected while exfiltrating sensitive data from compromised systems.
In South Africa alone, victims span multiple sectors, including a major automotive manufacturer, several universities, local government entities, and the National Treasury, where malware was discovered on the Infrastructure Reporting Model website.
Infection Mechanism and Technical Analysis
The SharePoint zero-day exploits a remote code execution vulnerability in the server’s authentication mechanism, allowing attackers to bypass standard security controls. Technical analysis reveals the malware employs a multi-stage payload delivery system:
The attack begins with reconnaissance scans targeting SharePoint farms running vulnerable versions, followed by exploitation of the authentication bypass to inject malicious web shells. Microsoft has confirmed the vulnerability affects only on-premises installations, with cloud-hosted SharePoint Online services remaining secure through Microsoft’s managed security infrastructure.
