Market Impact: 0.6

Storm-2603 Exploits SharePoint Flaws to Deploy Warlock Ransomware on Unpatched Systems

MSFT
Cybersecurity & Data Privacy, Technology & Innovation, Geopolitics & War

Microsoft has revealed that a suspected China-based threat actor it tracks as Storm-2603 is actively exploiting two vulnerabilities in unpatched on-premises SharePoint servers, a spoofing flaw (CVE-2025-49706) chained with a remote code execution flaw (CVE-2025-49704), to deploy Warlock ransomware. The attack chain involves web shell deployment, disabling of security protections, credential harvesting and lateral movement, with the ransomware ultimately distributed through Group Policy Objects. The exploitation has already affected at least 400 victims, underscoring the risk to organizations running vulnerable SharePoint infrastructure and the escalating threat from state-linked, financially motivated groups.

Analysis

Microsoft (MSFT) has disclosed a significant, active campaign by a suspected China-based threat actor, Storm-2603, that exploits two vulnerabilities (CVE-2025-49706 and CVE-2025-49704) in its on-premises SharePoint Server software. The attack, which has already affected at least 400 victims, culminates in the deployment of Warlock ransomware, indicating a financially motivated operation with a high degree of technical sophistication. The methodology involves disabling Microsoft's own Defender protections, harvesting credentials with Mimikatz and establishing persistence in the victim network, underscoring the severity of the threat. The strongly negative sentiment for Microsoft (ticker sentiment: -0.7) reflects the reputational risk of a flagship enterprise product being compromised at such scale. Microsoft is actively providing threat intelligence and mitigation guidance, and the flaws affect only self-hosted SharePoint Server, not SharePoint Online in Microsoft 365; the event therefore highlights the persistent exposure of legacy on-premises infrastructure and could push customers to accelerate migration to Microsoft's higher-margin cloud platforms. The involvement of other state-linked groups and China's official denial add geopolitical complexity to the incident.
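The chain described in the summary and the analysis above leaves artifacts at each stage on the victim's own infrastructure: Defender switched off, server-side script files written under the SharePoint web roots, and Group Policy changes that push a payload to every machine in scope. The following triage script is an added example for this article, not code from Microsoft, from the reporting it summarizes, or from this page. It assumes it is run as a domain administrator on a host that has the GroupPolicy and Defender PowerShell modules; the `$LookbackDays` and `$WebRoots` parameters and the SharePoint directory paths are illustrative defaults, not indicators taken from the article.

```powershell
<#
  Added example (not code from Microsoft or from the article's sources).
  Hunts for artifacts of the three stages the article describes on a domain
  that hosts on-premises SharePoint. Assumptions: domain-admin rights, the
  GroupPolicy and Defender modules available, and illustrative default paths.
#>
param(
    [int]$LookbackDays = 14,
    [string[]]$WebRoots = @(
        'C:\inetpub\wwwroot\wss\VirtualDirectories',
        'C:\Program Files\Common Files\microsoft shared\Web Server Extensions\16\TEMPLATE\LAYOUTS'
    )
)

Import-Module GroupPolicy -ErrorAction Stop
$since = (Get-Date).AddDays(-$LookbackDays)

# Stage 1: the actor disables Defender before dropping tooling, so a disabled
# engine, disabled tamper protection or a fresh exclusion is itself a lead.
function Get-DefenderPosture {
    $pref   = Get-MpPreference
    $status = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtectionEnabled = $status.RealTimeProtectionEnabled
        TamperProtected           = $status.IsTamperProtected
        RealTimeMonitoringOptOut  = $pref.DisableRealtimeMonitoring
        ExclusionPaths            = ($pref.ExclusionPath -join ';')
    }
}

# Stage 2: server-side script files written under the SharePoint web roots
# inside the lookback window. Legitimate patching also touches these trees,
# so compare each hit against the date the security update was installed.
function Get-RecentWebFiles {
    foreach ($root in $WebRoots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Include *.aspx, *.ashx, *.asmx -ErrorAction SilentlyContinue |
            Where-Object { $_.LastWriteTime -ge $since } |
            Select-Object FullName, LastWriteTime, Length
    }
}

# Stage 3: GPOs modified in the window that carry a mechanism capable of
# delivering a binary domain-wide: scheduled/immediate tasks, scripts, or
# file-copy preferences. The XML report uses namespace prefixes, so match
# on ':Name' or '<Name' rather than on a bare element name.
function Get-SuspiciousGpoChanges {
    Get-GPO -All | Where-Object { $_.ModificationTime -ge $since } | ForEach-Object {
        $report = Get-GPOReport -Guid $_.Id -ReportType Xml
        $hits = @()
        foreach ($marker in 'ScheduledTasks', 'ImmediateTask', 'Scripts', 'Files') {
            if ($report -match "[<:]$marker") { $hits += $marker }
        }
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Name       = $_.DisplayName
                Id         = $_.Id
                Modified   = $_.ModificationTime
                Mechanisms = ($hits -join ',')
            }
        }
    }
}

Write-Host "Defender posture on $env:COMPUTERNAME:"
Get-DefenderPosture | Format-List
Write-Host "Server-side scripts written since $since under the SharePoint roots:"
Get-RecentWebFiles | Format-Table -AutoSize
Write-Host "GPOs modified since $since that can push tasks, scripts or files:"
Get-SuspiciousGpoChanges | Format-Table -AutoSize
```

Run stages 1 and 2 on every SharePoint front end and stage 3 once from a domain-joined administrative host. Every hit has to be reconciled with change-management records, because a patch rollout or a legitimately scheduled GPO change produces the same artifacts; the script surfaces candidates for investigation and is not a substitute for installing the SharePoint security updates.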