Microsoft is probing whether a leak from its Microsoft Active Protections Program (MAPP)—an early warning system for cybersecurity partners—may have enabled Chinese hackers to exploit unpatched vulnerabilities in its SharePoint server software.
The tech firm’s latest patch failed to fully resolve a critical flaw, exposing the tech giant’s systems to a sophisticated global cyber espionage campaign.
In a blog post on Tuesday, Microsoft said the exploitation is being carried out by two Chinese state-affiliated groups, Linen Typhoon and Violet Typhoon, alongside a third group, also believed to be based in China.
Microsoft probes suspected leak from cybersecurity partner program
The company is now investigating whether details from its MAPP program—shared with partners ahead of public patch releases—may have been leaked, accelerating the spread of these attacks.
Microsoft confirmed that it “continually evaluates the efficacy and security of all of our partner programs and makes the necessary improvements as needed.”
The SharePoint vulnerability first came to light in May when Vietnamese security researcher Dinh Ho Anh Khoa demonstrated it at the Pwn2Own cybersecurity conference in Berlin, organized by Trend Micro’s Zero Day Initiative. Khoa was awarded $100,000, and Microsoft issued an initial patch in July.
However, Dustin Childs, head of threat awareness at Trend Micro, said that MAPP partners had been informed of the vulnerability across three waves—June 24, July 3, and July 7. Coincidentally, Microsoft noted the first exploit attempts began on July 7.
Childs suggested the most likely scenario is that “someone in the MAPP program used that information to create the exploits.” While he didn’t name any vendor, he noted the exploit attempts originated mostly from China, making it “reasonable to speculate” the leak came from a company in that region.
This is not the first time Microsoft has dealt with this kind of MAPP-related leak. A decade ago, the firm jettisoned China-headquartered Hangzhou DPTech Technologies Co., Ltd., for violating its nondisclosure agreement. Microsoft admitted at the time that there were risks and understood that vulnerable data could be abused.
The MAPP program, which debuted in 2008, was intended to provide security vendors with advance notice of the technical details of vulnerabilities — and, on occasion, sample proof-of-concept code — so they could better protect their customers. A leaked breach now would fly directly in the face of the program’s mission—empowering defenders, not attackers.
Microsoft has not disclosed whether it has identified the source of the leak, but emphasized that any NDA breach would be taken seriously.
Past breaches resurface as Microsoft reconsiders MAPP program integrity
In 2021, Microsoft suspected at least two other Chinese MAPP partners of leaking information about vulnerabilities in its Exchange servers. This led to a global hacking campaign that Microsoft attributed to a Chinese espionage group called Hafnium. It was one of the firm’s worst breaches ever—tens of thousands of exchange servers were hacked, including at the European Banking Authority and the Norwegian Parliament.
After the 2021 incident, the company considered revising the MAPP program. But it did not disclose whether any changes were ultimately made, or whether any leaks were discovered.
Under a 2021 Chinese law, companies and security researchers must report newly discovered vulnerabilities to the Ministry of Industry and Information Technology within 48 hours, according to a report by the Atlantic Council. Some Chinese firms still involved in MAPP, such as Beijing CyberKunlun Technology Co Ltd., also participate in the China National Vulnerability Database—run by the Ministry of State Security—raising further concerns about dual reporting obligations.
Eugenio Benincasa, a researcher at ETH Zurich’s Center for Security Studies, points to the lack of transparency in how Chinese companies reconcile Microsoft’s confidentiality rules with state reporting mandates. “We know some of these firms work with security agencies, and China’s vulnerability management is highly centralized,” he said. “This is an area that clearly needs more scrutiny.”
