A possible leak from Microsoft’s private cybersecurity alert system may have enabled Chinese state-linked hackers to exploit SharePoint vulnerabilities before patches were released. The breach raises new concerns about global espionage, insider risks, and the future of Microsoft’s trusted partner program.
Microsoft is investigating whether a leak from its early alert system for cybersecurity firms allowed Chinese hackers to exploit vulnerabilities in SharePoint software before official patches were deployed, according to Bloomberg sources.
The probe centers on the Microsoft Active Protections Program (MAPP), a system that grants vetted security partners early access to vulnerability data, intended to give them time to prepare defenses ahead of public disclosure. However, insiders suggest this same system may have been misused to launch widespread cyberattacks on SharePoint servers in recent days.
Microsoft acknowledged the issue, stating, “As part of our standard process, we’ll review this incident, find areas to improve, and apply those improvements broadly,” underscoring the program’s importance to its overall cybersecurity infrastructure.
China’s embassy in Washington dismissed the allegations, with a foreign ministry spokesperson asserting that cybersecurity is a global issue requiring cooperation—not accusation—and rejecting what it called politically motivated “smears and attacks.”
The company attributes the attacks to Chinese state-sponsored groups, including Linen Typhoon, Violet Typhoon, and Storm-2603, which reportedly compromised over 400 organizations worldwide, including the U.S. National Nuclear Security Administration.
MAPP, established 17 years ago, provides trusted security vendors with patch information under strict vetting and nondisclosure agreements. Most members receive alerts 24 hours before public release, while a smaller elite group is notified five days in advance. Dustin Childs, a MAPP participant and security lead at Trend Micro, confirmed that the SharePoint vulnerabilities were shared with program members ahead of the July 7 patch date, saying, “The possibility of a leak has certainly crossed our minds,” and calling such a leak a “dire threat” to the program’s integrity.
The vulnerabilities were first revealed in May by Vietnamese researcher Dinh Ho Anh Khoa at the Pwn2Own conference, and Microsoft began developing patches shortly after. Yet attackers struck a day before the public release, a timing that points toward insider access.
Experts argue it’s unlikely that attackers independently found the bugs. Jim Walter, senior threat researcher at SentinelOne, cited a 2012 case where Microsoft removed a Chinese company from MAPP for prematurely leaking data.
This isn’t the first breach tied to Chinese partners. In 2021, vulnerabilities in Exchange servers shared through MAPP were exploited in a global attack linked to the espionage group Hafnium. While Microsoft considered reforms after that breach, no major changes have been made public.
Adding to the concern, many Chinese cybersecurity companies in MAPP are also part of China’s state-run vulnerability database under the Ministry of State Security. Experts like Eugenio Benincasa of ETH Zurich’s Center for Security Studies warn this overlap poses transparency risks and raises serious questions about divided loyalties between corporate partners and national obligations.
