Hackers have been exploiting a vulnerability to attack SharePoint and connected Microsoft services in what will be a big problem for corporate Mac users this week.

Microsoft's productivity tools are widely used throughout the corporate world, with SharePoint being one of the most important for collaboration. However, the reliance on Microsoft's SharePoint is now an issue, thanks to the efforts of hackers.

Starting from Saturday, Microsoft has said that it had encountered active attacks against SharePoint servers. These included attacks on "on-premises SharePoint Server customers," namely servers in corporate environments using SharePoint.

Microsoft also stresses that this is only affecting SharePoint Servers, and not SharePoint Online as part of Microsoft 365. This means the attacks are more likely to be occurring against servers used by major entities and governments who actively need to host their own servers.

As a result of the attacks, the companies stand to potentially deal with the theft of data from the servers and connected systems, the pulling of passwords, and the reuse of credentials to attack other parts of the corporate network. Connected services used within the organizations, such as Outlook and OneDrive, are also at risk.

The U.S. government and law enforcement in Canada and Australia are investigating the attack, according to the Washington Post.

Exploiting a vulnerability

The attacks were initially spotted by Eye Security, with remote code execution detected on SharePoint servers. It was a chain based on two bugs discovered as part of a Pwn2Own hacking contest in May.

The bugs allowed an attacker to access the SharePoint servers without needing authentication. CISA from Microsoft about the vulnerability on July 20.

While they were considered proof of concept and no public code was released at the time, they were still granted CVE numbers and are referred to as ToolShell.

Microsoft has partially addressed the issue with patches for SharePoint 2019 and SharePoint Subscription Edition. It is also working on more security updates for both SharePoint 2019 and SharePoint 2016.

How Mac users can protect themselves

As the attack affects a corporate server rather than infecting a system, Mac users and other computer users will not find their personal systems directly affected. Indirect issues involving servers they may use are another matter.

Since an attacker can steal credentials from the SharePoint server, it's possible that they can regain access to the server after it has been patched and secured. Server administrators, therefore, need to be highly vigilant and more careful when locking down systems and dealing with user access.

Beyond the usual digital hygiene advice relating to downloads, suspicious links, and other typical warnings, the intrusions offer a new danger to typical users. Since an attacker could have acquired credentials for users, they could send messages to others on the corporate network that seem to be completely legitimate.

An unaware user who believes the email is genuine because it's coming from a legitimate corporate account may be more likely to trust whatever is in the message, even if it's a link to a dodgy website.

End users must also be hyper vigilant, especially if they have access to a large corporate-run internal SharePoint server.