Welcome to the CAVEAT Weekly Newsletter, where we break down some of the major developments and happenings occurring worldwide when discussing cybersecurity, privacy, digital surveillance, and technology policy.
At 1,850 words, this briefing is about a 9-minute read.
At a glance.
- Microsoft SharePoint vulnerability potentially exposes thousands.
- UK cracks down on ransomware.
Microsoft SharePoint vulnerability exposes thousands of firms.
The news.
Over the weekend, self-hosted Microsoft SharePoint servers were hit by a global zero-day campaign that put thousands of businesses and government agencies at risk. The attackers exploited a critical flaw in the SharePoint server software that was first demonstrated at a hacking competition in May and only partially fixed by a Microsoft security patch released in July. Google investigated the attack traffic and believes that some of the intrusions are connected to a "China-nexus threat actor."
Rafe Pilling, Director of Threat Intelligence at Sophos, commented that "based on the consistency of the tradecraft seen across observed attacks, the campaign launched on Friday appears to be a single actor." So far the campaign has compromised roughly 100 organizations, and thousands of other exposed servers remain vulnerable until they are patched.
In its original alert, Microsoft stated that it has "been coordinating closely with CISA, DOD Cyber Defense Command, and key cybersecurity partners globally throughout our response." Microsoft also emphasized that the attacks target self-hosted (on-premises) SharePoint Server installations and that SharePoint Online in Microsoft 365 is not affected. Microsoft has issued security updates to address the vulnerabilities and urged customers to install them immediately.
The knowledge.
Security experts believe the zero-day lets attackers run code on vulnerable servers and establish persistent backdoor access into a victim's network. Though the full scope of the campaign and the details of each intrusion are not yet clear, the incident adds to Microsoft's growing list of high-profile security failures in recent years.
In 2023, the China-based actor Storm-0558 used a stolen Microsoft signing key to forge authentication tokens for Exchange Online, gaining access to roughly 22 organizations and more than 500 individual accounts around the world. More specifically, the key allowed Storm-0558 "to gain full access to essentially any Exchange Online account anywhere in the world."
After the incident, the Cyber Safety Review Board (CSRB) conducted an incident assessment and published its findings. In its report, the board concluded:
- Microsoft had a series of cascading, avoidable errors that allowed this intrusion to succeed.
- Microsoft failed to detect the compromise on its own and instead relied on customer outreach to find anomalies.
- Microsoft was not following the security practices found at other cloud service providers.
The CSRB also emphasized that, given Microsoft’s central role in national security, the company must be held to the highest standards of security, accountability, and transparency.
Months later, in January 2024, Microsoft disclosed that it had also been breached by the Russian state-sponsored actor Midnight Blizzard via a password spray attack. The spray compromised a legacy, non-production test tenant account, and Midnight Blizzard used that foothold to reach the email accounts of senior leadership and to exfiltrate data, including correspondence between the company and government officials.
In response to these incidents, the House Homeland Security Committee held a hearing with Microsoft to address the security lapses. While Representatives acknowledged Microsoft's deeply entrenched connections with federal systems, they repeatedly pressed for greater accountability. Alongside this hearing, Senators Eric Schmitt and Ron Wyden wrote to the Pentagon, highlighting their concerns about plans to further invest in Microsoft products in the wake of these incidents. The two wrote:
“Although we welcome the Department’s decision to invest in greater cybersecurity, we are deeply concerned that DoD is choosing not to pursue a multi-vendor approach that would result in greater competition, lower long-term costs, and better outcomes related to cybersecurity.”
The impact.
For organizations that run self-hosted SharePoint servers, Microsoft has published remediation steps, and administrators should follow them in full. Installing the security update is necessary but not sufficient: Microsoft's guidance also calls for rotating the server's ASP.NET machine keys and restarting IIS, because an attacker who has already read those keys can keep forging requests that a patched server will accept. Organizations should then hunt for signs of compromise on their servers and keep watching for new updates or patches related to the vulnerability.
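The remediation steps above, written out as a checklist an administrator could run from an elevated SharePoint Management Shell on each server in the farm. This is an added example, not code from the newsletter or from Microsoft's own guidance; it assumes SharePoint Server 2019 or Subscription Edition with the relevant security update already installed (so that the Update-SPMachineKey cmdlet is present), the default install path for the LAYOUTS directory, and a placeholder patch date that you would replace with your own.

```powershell
# Added example (not from the newsletter or Microsoft): post-patch checklist for an
# on-premises SharePoint farm. Run from an elevated SharePoint Management Shell.
# Assumptions: SharePoint Server 2019 / Subscription Edition with the security update
# already applied, so Update-SPMachineKey exists; default LAYOUTS install path.

# 1. Rotate the ASP.NET machine keys for every web application, including Central
#    Administration. Patching does not invalidate keys an attacker has already read,
#    and a stolen validation key lets them sign payloads the server will still accept.
Get-SPWebApplication -IncludeCentralAdministration | ForEach-Object {
    Write-Host "Rotating machine keys for $($_.Url)"
    Update-SPMachineKey -WebApplication $_
}

# 2. Restart IIS so every worker process loads the new keys instead of the old ones.
iisreset.exe

# 3. Hunt for server-side files that did not arrive with the update: any .aspx or .dll
#    written into the LAYOUTS tree after the patch date deserves a closer look.
$layouts = 'C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
$patched = Get-Date '2025-07-19'   # assumption: replace with the date you installed the fix

Get-ChildItem -Path $layouts -Recurse -Include *.aspx, *.dll -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt $patched } |
    Select-Object FullName, LastWriteTime, Length |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize
```

Compare anything step 3 lists against the files the update actually ships before trusting it. A file you cannot account for is a reason to treat the server as compromised and open an incident, not simply something to delete; the key rotation in step 1 only helps if it happens after the attacker's access has been removed.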
UK targets ransomware.
The news.
On Tuesday, the United Kingdom (UK) announced a new proposal that aims to tighten the regulations for handling ransomware. The plan introduces two key measures:
- A ban on ransom payments by public sector entities and critical infrastructure operators.
- A mandatory notification requirement for businesses not covered by the ban that plan to pay a ransom.
The UK government also said that, once an incident is reported, it will provide advice and support and tell the victim whether a payment would break any relevant laws.
Separately, the UK is developing mandatory incident reporting requirements, intended to give law enforcement better intelligence to identify perpetrators and disrupt ransomware operations.
UK Security Minister Dan Jarvis stated:
“Ransomware is a predatory crime that puts the public at risk, wrecks livelihoods, and threatens the services we depend on…We are sending a clear signal that the UK is united in the fight against ransomware.”
The knowledge.
Ransomware is not new, but attacks are becoming more frequent and more severe. For 2024, IBM reported a 56% increase in ransomware group activity alongside growing use of Ransomware-as-a-Service (RaaS).
Rapid7 found troubling trends, including:
- The average ransom payment in Q3 2024 was $479,237.
- The median ransom payment in Q3 2024 was $200,000.
- The median share of victims that paid a ransom was 32%.
Rapid7 also found a proliferation of groups, with evidence that existing groups are splintering and rebranding. More worrying, groups are increasingly demanding multiple payments from the same victim: for decryption keys, for the release or deletion of stolen data, or to forestall further attacks.
Given the rise in both volume and financial impact on private and public sector organizations, it is not surprising that governments are looking for ways to address the problem. Beyond the statistics, the UK has recent first-hand experience: its retailers were hit by severe ransomware attacks this year.
In April 2025, Marks & Spencer and the Co-op Group were hit by ransomware attacks that disrupted services for weeks and caused losses estimated in the hundreds of millions of pounds. Though UK law enforcement has since made arrests, the fallout underscores the need for better ransomware defenses.
The impact.
Though not yet enacted, the proposal signals a tougher stance from the UK government on ransomware. By banning some ransom payments and imposing transparency requirements on the rest, the government is trying to undermine the ransomware economy at its source. It will take time to judge whether the approach works, but it could become a model for other nations.
UK-based organizations should understand the restrictions and reporting duties the proposal would impose on them if enacted, and in particular whether they would fall under the payment ban. More broadly, every organization should assume ransomware is now a mainstream threat: maintain tested, offline backups, deploy strong security controls, and keep a rehearsed incident response plan so that the decision of whether to pay never has to be improvised.
Highlighting key conversations.
In this week’s Caveat Podcast, our team discusses the role of artificial intelligence (AI) in courtrooms. This discussion emerged after a Georgia attorney cited fictitious and irrelevant cases in a divorce case. While it is unclear whether the attorney, Diana Lynch, used AI, the incident has prompted a broader conversation about how courts will handle AI “hallucinations” in legal filings. Alongside this story, our team also examined the Cybersecurity Information Sharing Act of 2015, which is set to expire on September 30, 2025. Despite widespread support from the Trump administration, the private sector, and Congress, the law faces an uncertain future as Congress prepares to enter its August recess.
Like what you read, and curious about the conversation? Head over to the Caveat Podcast for the full scoop and additional compelling insights. Our Caveat Podcast is a weekly show where we discuss topics related to surveillance, digital privacy, cybersecurity law, and policy. Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com. Hope to hear from you.
Other noteworthy stories.
Microsoft is likely to sign EU AI code of practice.
What: Microsoft prepares to sign the European Union (EU) AI code of practice.
Why: Last week, Microsoft announced that the company will likely sign the EU’s code of practice. This voluntary code of practice aims to help companies comply with the region’s AI rules.
Microsoft’s President, Brad Smith, stated:
“I think it’s likely we will sign. We need to read the documents. Our goal is to find a way to be supportive, and at the same time, one of the things we really welcome is the direct engagement by the AI Office with industry.”
However, Meta renewed its criticism of the code. Joel Kaplan, Meta’s chief global affairs officer, stated:
“Meta won’t be signing it. This code introduces a number of legal uncertainties for model developers, as well as measures which go far beyond the scope of the AI Act. We share concerns…that this over-reach will throttle the development and deployment of frontier AI models in Europe, and stunt European companies looking to build businesses on top of them.”
Trump signs the GENIUS Act.
What: President Trump signs the GENIUS Act into law to regulate stablecoins.
Why: Over the weekend, President Trump signed the GENIUS Act into law. The GENIUS Act establishes the first comprehensive regulatory framework for stablecoins in the US. More specifically, the GENIUS Act establishes:
- Auditing requirements, where issuers must release periodic public disclosures and submit to routine reserve audits.
- Consumer protections, which mandate that holders get priority over creditors if a stablecoin issuer goes bankrupt.
- Stablecoin backing and redemption standards, which require issuers to hold 100% reserves in cash, short-term US Treasury securities, or similarly liquid assets.
- Licensing and oversight requirements mandating that issuers register with a federal or state authority and that issuers with more than $10 billion in outstanding stablecoins be subject to federal oversight.
Meta and investors settle.
What: Meta’s leadership settles an $8 billion shareholder lawsuit over privacy violations.
Why: Last week, Meta’s CEO and board settled a lawsuit brought by the company’s shareholders. The shareholders had sought $8 billion over alleged violations of a 2012 consent agreement between the company and the Federal Trade Commission (FTC).
While the settlement will avoid a difficult case for plaintiffs, experts emphasized that the case would have also brought greater accountability. Jason Kint, the head of Digital Content Next, commented that “this settlement may bring relief to the parties involved, but it’s a missed opportunity for public accountability.”
The case stemmed from the Cambridge Analytica scandal, made public in 2018, in which data from millions of Facebook users was harvested without their consent. While the FTC imposed a $5 billion fine in 2019, the lawsuit sought further damages and aimed to prove that the board had been negligent in its duties.
