
New Report Reveals Microsoft Employed China-Based Engineers for SharePoint Support and Bug Fixes

A recent investigation has found that Microsoft used engineers based in China to maintain and support SharePoint, the same collaboration platform that was recently compromised by China-linked, state-sponsored hackers. The finding raises concerns about cybersecurity practices and potential insider risk in software that numerous government agencies and private companies rely on.

The incident, disclosed by Microsoft last month, involved attacks on on-premises SharePoint servers that began as early as July 7, 2025. The attackers exploited vulnerabilities in the on-premises version of SharePoint (the cloud-hosted SharePoint Online service was not affected) to gain unauthorised access to systems at multiple high-profile targets, including the National Nuclear Security Administration and the Department of Homeland Security. The intruders retained access even after Microsoft's initial security patch was released on July 8. ProPublica reporters, working from screenshots of Microsoft's internal work-tracking system, found that China-based engineering teams had been responsible for SharePoint maintenance and bug fixes for several years.

This discovery adds a troubling dimension to the breach, because the personnel responsible for maintaining the software's integrity could, even inadvertently, have introduced weaknesses that adversaries later exploited. The technical scope of the vulnerabilities was extensive: the U.S. Cybersecurity and Infrastructure Security Agency confirmed that the exploits gave attackers full access to SharePoint content, including file systems and internal configurations, and allowed them to execute code over the network. In practice that means remote code execution on the server, with the privileges of the SharePoint web application's service account rather than those of a local administrator; that account nevertheless has access to every site's content and to the farm's configuration, and on a typical deployment is a short step from the rest of the Windows domain.

The exploit also showed effective persistence. When Microsoft released the first patch on July 8, the threat actors quickly adapted their techniques to bypass it, forcing the company to ship additional, more complete fixes in subsequent updates. The persistence mechanism likely involved planting malicious code in SharePoint's configuration files and abusing the platform's broad file-system access: an attacker at that point can establish backdoors by modifying authentication modules or creating hidden administrative accounts, retaining access to sensitive government and corporate data while evading standard monitoring tools. One practical consequence for defenders is that Microsoft's guidance for the fix also directed administrators to rotate the servers' ASP.NET machine keys and restart IIS after patching, because installing the update on its own does not revoke secrets an attacker may already have extracted from the server. Microsoft has acknowledged the security implications and announced plans to relocate the China-based support operations.
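For administrators of an on-premises farm, the persistence artefacts described above are things that can be hunted for directly. The script below is an added example for this article, not code from Microsoft, ProPublica or the researchers involved: it lists web-facing files in the SharePoint web roots that were written after the patch date, the HTTP modules registered in each web.config (where a replaced or wrapped authentication module would show up), any members of the local Administrators group that are not on an expected list, and the farm build number for comparison against Microsoft's fixed build. The paths are the default SharePoint 2016/2019/Subscription Edition layout, the cut-off date and the module allow-list are assumptions; adjust all three for your farm and run it elevated on every server.

```powershell
<#
  Added example: post-patch hunt on an on-premises SharePoint server for the
  persistence artefacts the article describes. Assumed defaults: the "16 hive"
  LAYOUTS folder (served on every web application as /_layouts/15/) and the
  IIS roots under wss\VirtualDirectories. Not Microsoft's code.
#>
param(
    # Assumption: files written on or after the first July patch are suspect.
    [datetime]$Since = [datetime]'2025-07-08',
    # Assumption: principals you expect in the local Administrators group.
    [string[]]$ExpectedAdmins = @('Administrator', 'Domain Admins')
)

$Roots = @(
    (Join-Path $env:CommonProgramFiles 'Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'),
    'C:\inetpub\wwwroot\wss\VirtualDirectories'
)

# Assumption: module types SharePoint itself registers. Anything else is flagged.
$KnownModuleTypes = '^(Microsoft\.(SharePoint|Office|IdentityModel)|System\.Web)'

# 1. Web-facing files created or modified after the cut-off.
function Get-RecentWebFiles {
    param([string[]]$Paths, [datetime]$Cutoff)
    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) { continue }
        Get-ChildItem -Path $p -Recurse -File -Include '*.aspx', '*.ashx', '*.asmx', 'web.config' -ErrorAction SilentlyContinue |
            Where-Object { $_.CreationTime -ge $Cutoff -or $_.LastWriteTime -ge $Cutoff } |
            Select-Object FullName, CreationTime, LastWriteTime, Length
    }
}

# 2. Managed HTTP modules registered in each web.config (IIS integrated and
#    classic sections). A module from an unknown assembly sits in the request
#    pipeline for every page, which is where a tampered authentication step lives.
function Get-RegisteredModules {
    param([string[]]$Paths, [string]$KnownTypes)
    foreach ($p in $Paths) {
        if (-not (Test-Path $p)) { continue }
        Get-ChildItem -Path $p -Recurse -File -Filter 'web.config' -ErrorAction SilentlyContinue | ForEach-Object {
            $file = $_.FullName
            try { [xml]$cfg = Get-Content -Path $file -Raw -ErrorAction Stop } catch { return }
            $nodes = @($cfg.SelectNodes('//system.webServer/modules/add')) +
                     @($cfg.SelectNodes('//system.web/httpModules/add'))
            foreach ($n in $nodes) {
                $type = $n.GetAttribute('type')   # empty for native/pre-registered modules
                [pscustomobject]@{
                    File       = $file
                    Module     = $n.GetAttribute('name')
                    Type       = $type
                    Unexpected = ($type -ne '') -and ($type -notmatch $KnownTypes)
                }
            }
        }
    }
}

# 3. Local Administrators members outside the expected list.
function Get-UnexpectedAdmins {
    param([string[]]$Expected)
    Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        Where-Object { ($_.Name -split '\\')[-1] -notin $Expected } |
        Select-Object Name, ObjectClass, PrincipalSource
}

# 4. Farm build number, to compare with the fixed build Microsoft publishes.
#    Needs the SharePoint snap-in, which only exists on a SharePoint server.
function Get-FarmBuild {
    try {
        Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction Stop
        (Get-SPFarm).BuildVersion.ToString()
    } catch { 'unavailable: ' + $_.Exception.Message }
}

$report = [ordered]@{
    FarmBuild         = Get-FarmBuild
    RecentWebFiles    = @(Get-RecentWebFiles -Paths $Roots -Cutoff $Since)
    UnexpectedModules = @(Get-RegisteredModules -Paths $Roots -KnownTypes $KnownModuleTypes | Where-Object Unexpected)
    UnexpectedAdmins  = @(Get-UnexpectedAdmins -Expected $ExpectedAdmins)
}
$report | ConvertTo-Json -Depth 4
```

Treat the output as a triage list rather than a verdict: SharePoint's own updates also rewrite files under LAYOUTS, so a hit on RecentWebFiles needs the file's content and the update history checked, while a module typed into an assembly that is not SharePoint's, or an unexpected Administrators member, warrants immediate attention. The script changes nothing; rotating machine keys, restarting IIS and removing anything found are separate, deliberate steps.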

Categories: Cybersecurity Threats, Insider Risks, Software Vulnerabilities 

Tags: Microsoft, SharePoint, Cybersecurity, Insider Threats, Chinese Hackers, Vulnerabilities, Remote Code Execution, Persistence Mechanisms, Security Patch, Critical Infrastructure 
