A series of cyber intrusions targeting Microsoft’s SharePoint platform has triggered alarm across global businesses and government agencies, drawing renewed scrutiny of enterprise cyber risk frameworks and raising the stakes for insurers underwriting coverage in a landscape increasingly defined by state-linked digital espionage.
What began as a critical software vulnerability in Microsoft’s widely deployed on-premises SharePoint server software has rapidly escalated into a sprawling security crisis. Cybersecurity analysts now estimate that at least 100 organizations – including U.S. state entities, industrial manufacturers, and government agencies in Germany and the U.K. – have already been compromised.
“Businesses are more connected than ever before,” said QBE’s global head of cyber, Serene Davis. “Even if you’ve done everything right within your own environment, a vulnerable supplier can take you down.”
While Microsoft has since issued patches for affected SharePoint versions, cybersecurity authorities warn that the breach is not only ongoing but may also involve multiple sophisticated threat actors with ties to China. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Britain’s National Cyber Security Centre have confirmed active exploitation, and the FBI has acknowledged it is investigating the attack alongside its private-sector partners.
According to researchers from Eye Security and the Shadowserver Foundation, attackers exploited a previously unknown flaw – a so-called “zero-day” – to gain unauthenticated access to vulnerable SharePoint servers. This allowed them to execute arbitrary code, impersonate services, steal credentials, and install persistent backdoors.
Security experts note that even servers which have since been patched could remain compromised if attackers installed tools before remediation, since patching closes the flaw but does not remove what was planted through it. Palo Alto Networks’ Unit 42 division stated that attackers have already begun exfiltrating sensitive files and cryptographic keys. The breach’s cascading effect is compounded by SharePoint’s integration with other Microsoft services such as Outlook and Teams, expanding the surface area for compromise.
Though the cloud-based SharePoint offering within Microsoft 365 was unaffected, many large institutions – particularly in regulated sectors – still rely heavily on self-hosted deployments, increasing their exposure.
Microsoft confirmed Tuesday that several known China-based groups – including Linen Typhoon, Violet Typhoon, and Storm-2603 – were among those exploiting the vulnerability. Analysts at Mandiant and Google also attributed at least some early exploitation to Chinese state-linked actors.
David Warr, cyber portfolio manager at QBE, said the firm had long anticipated the current climate. “We warned last year that state-sponsored cyber actors were increasingly likely to target critical infrastructure beyond the battlefield, particularly in sectors like energy.”
This attribution mirrors past intrusions, including the 2021 Hafnium campaign that targeted Microsoft Exchange servers. The latest incident raises persistent concerns about the security of U.S. technology infrastructure — especially where deployed in defense, healthcare, and financial services — and underscores how geopolitical tension is now deeply entwined with corporate cybersecurity risk.
“By the end of 2025, we'll likely hit one of the highest levels of cyber activity we've seen,” Davis said. “Some events slow things temporarily, but overall, the trend is upward.”
For underwriters and brokers, the implications of this breach extend beyond immediate client exposure. The incident exemplifies the growing systemic risk posed by widely used enterprise software and the potential for correlated claims events stemming from a single vulnerability.
According to data from Shodan and Shadowserver, between 8,000 and 9,000 internet-connected SharePoint servers were potentially vulnerable at the time of initial exploitation. While not all have been compromised, the scale and nature of the attack will likely influence underwriting decisions around Microsoft-centric technology environments.
“This is a textbook example of why cyber risk is no longer insurable in the traditional sense,” said one broker specializing in technology E&O and cyber coverage. “You have a zero-day vulnerability, high market penetration, and probable nation-state involvement – the actuarial model breaks down.”
Insurers are increasingly looking to impose sublimits or exclusions for attacks involving critical software dependencies. Some cyber policies now include “systemic risk exclusions” that may apply to Microsoft software suites – exclusions that could be tested as claims emerge from this breach.
Security experts caution that patching, while necessary, is only part of the remediation effort. Organizations must also undertake forensic investigations to determine whether their environments were accessed before patch deployment. Many may now operate under the assumption that compromise has already occurred – what security professionals call an “assumed breach” posture.
As the breach unfolds, risk managers and brokers are racing to understand its insurance implications. Policyholders may face a mix of direct expenses – such as incident response, legal counsel, and notification costs – and third-party liability if client or employee data has been accessed.
The scope of the SharePoint breach, particularly its exposure across regulated sectors and international borders, places it among the most consequential corporate cyber incidents since the SolarWinds compromise in 2020.