A sophisticated global cyberattack exploiting critical vulnerabilities in Microsoft SharePoint servers has compromised approximately 400 entities worldwide, with significant impact across South African government agencies, corporations, and educational institutions.
The breach, initially detected by Dutch cybersecurity firm Eye Security, represents one of the most widespread attacks targeting on-premise SharePoint infrastructure in recent months.
The cyberattack campaign has predominantly affected organizations in the United States, though substantial numbers of victims have been identified in Mauritius, Jordan, South Africa, and the Netherlands.
Eye Security’s investigation reveals that hackers have systematically targeted vulnerabilities in Microsoft’s widely used collaboration platform, exploiting weaknesses in on-premise SharePoint server configurations rather than cloud-hosted instances.
In South Africa specifically, the attack has compromised diverse sectors, including automotive manufacturing, higher education, and multiple government levels.
According to Eye Security co-owner Vaisha Bernard, confirmed victims include “an organisation in the car-manufacturing industry, a university, several local-government entities and a federal government entity,” with two additional unnamed organizations also breached.
The comprehensive nature of these intrusions suggests attackers conducted reconnaissance to identify high-value targets across critical infrastructure sectors.
South Africa’s National Treasury has officially acknowledged detecting malware within its systems, specifically affecting its Infrastructure Reporting Model website.
The Treasury confirmed it is actively collaborating with Microsoft Corporation to address the security incident and assess potential data exposure.
Notably, Treasury officials emphasized that despite the malware detection, no operational system disruptions have occurred, suggesting either early detection or successful containment of the attack’s impact.
The incident details have been formally reported to South Africa’s Computer Security Incident Response Team (CSIRT) for comprehensive investigation and threat analysis.
This collaboration between government entities and cybersecurity professionals highlights the coordinated response approach necessary for addressing sophisticated nation-state or criminal cyber operations.
The current attack wave specifically exploits vulnerabilities in on-premise SharePoint server deployments, ironically targeting the very infrastructure that organizations implement for enhanced security control.
Many institutions prefer on-premise SharePoint hosting to maintain data sovereignty and implement additional security layers, making this targeted exploitation particularly concerning for enterprise security strategies.
Microsoft has confirmed that the attacks affect clients running on-premise SharePoint servers rather than Microsoft-managed cloud instances. However, the company has not yet provided detailed technical advisories or patch information.
The distinction between on-premise and cloud vulnerabilities suggests that organizations maintaining local SharePoint infrastructure face immediate remediation requirements.
The attack’s scope and sophistication indicate potential state-sponsored or advanced persistent threat actor involvement, requiring comprehensive security assessments across affected sectors to prevent further compromise and data exfiltration.