Short answer: as of May 6, 2025 there was no public, vendor-backed disclosure tying a large, ongoing SharePoint mass‑compromise campaign to China. That does not mean the risk is low. It means defenders cannot afford to be complacent.

Context and what’s verifiable today

Microsoft and the wider vulnerability record show SharePoint has had multiple critical flaws over the past 18 months that required urgent patching. Administrators patched remote code execution flaws disclosed in 2024 and received further SharePoint security updates in early 2025. Those advisories are the baseline: unpatched on‑premises SharePoint servers remain attractive targets because they host internal content and bridge to Exchange, Teams, OneDrive and identity environments.

Separately, U.S. law enforcement actions in early 2025 demonstrate continued, aggressive activity by Chinese‑linked cyber operators. The Department of Justice unsealed indictments in March 2025 that describe long‑running intrusion campaigns and tie individual operators and contractor networks to Chinese government direction or facilitation. Those public actions underscore that state‑aligned Chinese actors remain prolific and capable.

What is not on the public record (and why that matters)

By May 6, 2025 there had been no public Microsoft threat intelligence advisory or mainstream reporting that conclusively attributed a broad SharePoint exploitation campaign to Chinese state actors. Absence of public attribution is not evidence of absence. Threat actors routinely operate with stealth. The right take is cautious: treat SharePoint exposures as high risk, monitor aggressively, and assume adversaries with nation‑state capability will probe and weaponize any available SharePoint weakness.

Operational risk picture for defenders

1) Attack surface. Internet‑facing, on‑premises SharePoint servers are the most exposed. If your SharePoint endpoint is reachable from the internet you have a high‑priority exposure. Harden or isolate it now.

2) Vulnerability lifecycle. Patches in 2024 and 2025 fixed critical RCE issues. Exploit code and proofs of concept typically follow public disclosures and patches. If you have not patched or have deferred SharePoint updates, your environment is in the danger zone. Apply vendor updates immediately.

3) Adversary intent. Recent indictments and open investigations show Chinese‑linked groups continue to pursue intellectual property, government data, and operational intelligence. That pattern makes SharePoint, which often contains cross‑domain documents, a natural target for espionage. Plan accordingly.

Practical checklist for the next 48–72 hours (no excuses)

  • Inventory: Identify all on‑premises SharePoint servers and confirm internet exposure. Any internet‑facing SharePoint instance should be treated as compromised until proven otherwise.
  • Patch: Apply the latest SharePoint security updates from Microsoft for your exact version. If you cannot patch immediately, remove internet exposure or place the server behind an authentication gateway that blocks unauthenticated POSTs.
  • Machine keys and credentials: Plan rotation of ASP.NET/SharePoint machine keys and reset any service credentials that could allow forged tokens or persistent interception. Rotating keys is cheap insurance compared to rebuilding a domain.
  • Antimalware and AMSI: Ensure Antimalware Scan Interface integration is enabled for SharePoint and that on‑server antivirus/EDR is active and fully updated. Where vendor guidance exists, follow their recommended configuration for AMSI/AV integration.
  • Hunting and detection: Search for suspicious web shells, unexpected .aspx drops, new scheduled tasks, odd IIS worker behavior, and unusual w3wp.exe child processes. Look for lateral movement tools and credential dumping activity. If you find indicators of compromise, activate IR and assume the adversary has already moved laterally.
  • Containment: For confirmed compromises, isolate affected servers from the network, collect forensics, rotate keys and credentials, rebuild from clean images and validate with EDR telemetry before reintroducing them.
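The hunting step in the checklist above, as an added example that is not from the original article: two checks run over constructed, simplified Sysmon-style process events and IIS log lines (the file name helper_x.aspx, the client IPs and the timestamps are all made up for the sample; only the LAYOUTS directory is the real SharePoint hive path).

```python
"""Added example (not the article's code): two hunts from the checklist, run over
constructed Sysmon/IIS-style telemetry: (1) w3wp.exe spawning shells or other
living-off-the-land binaries, (2) recently created .aspx files under LAYOUTS,
correlated with the IIS requests that touched them."""
from datetime import datetime, timedelta
import ntpath

# Children the IIS worker on a SharePoint server should not normally launch.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "certutil.exe", "rundll32.exe"}

# Constructed process events: (timestamp, parent image, child image, command line)
PROCESS_EVENTS = [
    ("2025-05-06T10:01:05", "w3wp.exe", "cmd.exe", "cmd.exe /c whoami"),
    ("2025-05-06T10:02:10", "explorer.exe", "powershell.exe", "powershell.exe -File backup.ps1"),
    ("2025-05-06T10:03:00", "w3wp.exe", "powershell.exe", "powershell.exe -enc AAAA"),
]

# Constructed .aspx inventory (path, creation time): one stock page, one hypothetical drop.
LAYOUTS = r"C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS"
ASPX_FILES = [
    (LAYOUTS + r"\settings.aspx", "2023-01-10T08:00:00"),
    (LAYOUTS + r"\helper_x.aspx", "2025-05-05T23:40:00"),
]

# Constructed, simplified IIS lines: date time method uri-stem status client-ip
IIS_LOG = """2025-05-06 02:15:00 POST /_layouts/15/helper_x.aspx 200 203.0.113.7
2025-05-06 02:16:10 GET /_layouts/15/settings.aspx 200 10.0.0.12
2025-05-06 02:17:30 GET /_layouts/15/helper_x.aspx 200 198.51.100.4"""

def hunt_w3wp_children(events):
    """Events where the IIS worker spawned a child from SUSPICIOUS_CHILDREN."""
    return [(ts, child, cmd) for ts, parent, child, cmd in events
            if parent.lower() == "w3wp.exe" and child.lower() in SUSPICIOUS_CHILDREN]

def recent_aspx(files, now, max_age_days=7):
    """.aspx files created within max_age_days of `now`: candidate unexpected drops."""
    cutoff = now - timedelta(days=max_age_days)
    return [p for p, created in files
            if p.lower().endswith(".aspx") and datetime.fromisoformat(created) >= cutoff]

def requests_to(paths, iis_log):
    """(client ip, method, uri) for requests whose URI names one of the suspect files."""
    names = {ntpath.basename(p).lower() for p in paths}
    rows = [line.split() for line in iis_log.splitlines()]
    return [(client, method, uri) for _d, _t, method, uri, _s, client in rows
            if uri.rsplit("/", 1)[-1].lower() in names]

def run_hunt(now_iso="2025-05-06T12:00:00"):
    """Run both hunts over the constructed samples; `now_iso` fixes the time window."""
    drops = recent_aspx(ASPX_FILES, datetime.fromisoformat(now_iso))
    return {"w3wp_children": hunt_w3wp_children(PROCESS_EVENTS),
            "aspx_drops": drops, "requests": requests_to(drops, IIS_LOG)}
```

In a real hunt, feed the same functions with Sysmon event ID 1 records, a directory listing of the LAYOUTS hive and the W3C IIS logs, and triage every hit rather than treating the 7-day window as the only signal.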

Strategic posture: treat SharePoint like a high‑value sensor and staging ground

SharePoint is not an edge app you can ignore. It stores internal documents, often with links into identity and mail systems. Defenders need a layered approach: patching and configuration management are necessary but not sufficient. Enforce network segmentation, apply strict egress controls, monitor identity logs for anomalous access to SharePoint content, and bake SharePoint detection into tabletop exercises and incident playbooks.

If you work in government, energy, defense, or research: escalate urgency

Organizations holding sensitive IP or government data should assume they are targets of state‑aligned actors. The indictments and public enforcement actions earlier in 2025 demonstrate the operational reach and incentives of those threat actors. If you have exposure, allocate immediate resources to apply patches, run comprehensive hunts, and brief senior leadership.

Bottom line

On May 6, 2025 there was no public, vendor‑backed announcement tying a systemic SharePoint compromise campaign to China. That comfort is thin. The combination of proven SharePoint vulnerabilities, active Chinese‑linked cyber operations, and the value of what sits inside SharePoint mandates urgency. Patch, isolate internet‑facing instances, rotate keys, deploy detection and EDR, and run hunts. Delay is the only real luxury adversaries need to succeed.