Another day, another breach. But this one hits differently — because it's targeting the platform that many internal comms teams still rely on to share updates, store protocols, and keep people aligned: SharePoint.

On July 21, Microsoft confirmed a global cyberattack exploiting a zero-day vulnerability in on-premises SharePoint servers (CVE-2025-53770).

Over 85 servers were compromised — including those of U.S. state agencies, universities, energy companies, and European governments. And if you’re still using an older, unpatched SharePoint version, your system might already be on that list.

Let’s break down what happened — and what it means if you’re in internal comms.

What happened?

Hackers exploited a critical zero-day flaw in on-prem SharePoint servers — a vulnerability Microsoft hadn’t patched yet. The breach allowed attackers to gain admin-level access without needing a login. Once inside, they:

• Stole cryptographic keys (which can keep giving them access even after patching)
• Accessed sensitive documents and internal files
• Potentially altered or deleted content without detection
• Bypassed MFA, SSO, and other identity controls

The attack is still under investigation by U.S., Canadian, and Australian authorities.

What does it mean?

If your company uses SharePoint to host or share internal documents — training materials, safety protocols, HR files — that content might be exposed. And even if you patch today, if attackers already stole your keys, they might still have access tomorrow.

According to multiple sources:

Pushing out a patch doesn’t help anyone who was compromised in the last 72 hours.

This isn’t just a one-time event. It’s a wake-up call.

Who’s affected?

Confirmed breaches include:

• U.S. federal and state agencies
• Universities (including public school networks)
• Energy providers
• Telecom companies across Asia
• European government agencies

Some states reported their public document repositories were hijacked, leaving agencies unable to access their own files. Researchers say tens of thousands of servers remain vulnerable.

If your company uses SharePoint… should you worry?

If you’re using an older on-prem version of SharePoint? Yes. You should be very, very concerned — especially if it’s exposed to the internet.

Why?

• There's no patch (yet) for certain versions (like SharePoint 2016).
• Hackers may already have stolen your cryptographic keys, meaning patching alone won’t save you.
• Even training documents and safety protocols can be weaponized if altered by a third party.

What should internal comms do right now?

You don’t need to become a cybersecurity expert. But if your communication infrastructure was built on SharePoint? You’re in this.

Here’s your action checklist:

• Work with IT to confirm whether your SharePoint is on-prem or cloud (cloud isn’t affected).
• Remove any confidential documents, safety protocols, compliance policies, or proprietary training content from vulnerable servers.
• Assume content could be altered. Communicate clearly to teams what’s safe to use — and what’s temporarily off-limits.
• Enable an alternate communication channel (hello, email or mobile app) while SharePoint is being secured.
• Ask your security team: Have machine keys been rotated? Was anything suspicious detected in the logs?

What to do if your SharePoint was compromised?!?

You confirmed (or strongly suspect) your SharePoint was breached. Now what?

Here's what to do — split between Internal Comms and IT:

As Internal Comms:

• Communicate transparently with employees — share only verified facts.
• Use alternate channels (like email, SMS, or a dedicated app) to keep teams informed.
• Flag any content previously accessed via SharePoint that may be unreliable or outdated.
• Work closely with IT to understand timelines and share updates without causing panic.

As IT:

• Isolate the affected server immediately.
• Rotate all machine keys and credentials.
• Search for indicators of compromise, including the malicious spinstall0.aspx file.
• Apply emergency patches if available and enable AMSI.
• Coordinate with comms to keep messaging aligned and accurate.

So... now what?

You could patch and pray. Or — you could treat this as the sign it is. SharePoint wasn’t built for internal comms. And it definitely wasn’t built for modern threats.

A safer alternative? That’s us

Speakap is a mobile-first, secure employee experience platform built for internal communication. And dare we say a better alternative to SharePoint. It helps companies:

• Reach frontline workers instantly — even without email
• Share structured, targeted updates
• Keep control with smart permissions and clear hierarchy
• Track engagement in real time

All while staying compliant (ISO27001 certified, GDPR aligned).

Why companies are migrating to Speakap

Speakap is:

• Mobile-first: Reaches frontline employees, even without company email
• Secure by design: ISO27001 certified and GDPR compliant
• Structured and scalable: Custom permissions, user roles, and hierarchy logic
• Comms-friendly: No IT degree required to send updates, post news, or track engagement

And yes, moving from SharePoint is easier than you think. Get in touch with us and we'd love to tell you all about it.

Don’t wait until you’re breached to act.

The risk is real. The solution is simple. The time to move is now.

‍