Microsoft Alerts Businesses and Governments to Critical Server Software Attack.
In July 2025, Microsoft issued a high-priority security alert warning businesses, government agencies, and IT administrators worldwide about a newly discovered and active attack campaign targeting Microsoft server software.

The company said that a sophisticated hacking group is exploiting previously unknown vulnerabilities in Microsoft Exchange Server and Microsoft SQL Server to gain unauthorized access to corporate and government networks.
This latest threat underscores the growing risk to critical infrastructure and sensitive data. According to the Microsoft Security Response Center (MSRC), the attackers chain several zero-day vulnerabilities, that is, flaws that were unknown to Microsoft before the attacks began, to execute code remotely on the server, move laterally through the network, and steal confidential information without being detected. The attacks appear to have started in early June but were only detected after a sharp spike in suspicious activity on cloud-connected servers in late June.
Scope of the Attack
The threat is not limited to one industry or region. Microsoft confirmed that its telemetry has seen exploitation attempts across multiple sectors, including finance, healthcare, defense, energy, and state and municipal governments. Initial analysis suggests that the attackers have already breached hundreds of organizations and are actively scanning for more unpatched servers.
“This is a highly coordinated and well-resourced campaign,” Microsoft stated in its advisory. “We urge all customers using Microsoft Exchange Server (on-premises) and SQL Server to apply the newly released security patches immediately and follow our updated mitigation guidance.”
The company added that the attacks seem to be the work of a state-sponsored group, given the level of sophistication and the sectors being targeted. However, Microsoft declined to name a specific country pending further investigation.
How the Attack Works
According to Microsoft’s technical breakdown, the attack begins when the attackers exploit a vulnerability in Exchange Server’s web interface to upload malicious scripts (web shells) to the server. Those scripts then reach the backend SQL Server instances, where a second vulnerability is exploited to escalate privileges and execute arbitrary commands on the host. Once inside the network, the attackers deploy custom malware to maintain persistence and exfiltrate sensitive data.
The malware reportedly relies on stealthy techniques, including living-off-the-land binaries (LOLBins) and encrypted command-and-control traffic, which makes it harder to detect. Some victims noticed unusual spikes in outbound traffic to unknown IP addresses that were later traced to the attackers’ command-and-control servers.
Microsoft’s Response
Within hours of confirming the threat, Microsoft released emergency security updates for the affected versions of Exchange Server and SQL Server; these patches close the vulnerabilities currently being exploited. Microsoft also published detailed guidance on how to detect signs of compromise, including specific log entries, file hashes, and other indicators of compromise (IOCs).
Microsoft also updated Microsoft Defender antivirus definitions and its cloud-based threat protection systems to block the malicious payloads.
Tom Burt, Microsoft’s corporate vice president for customer security, said: “We are working around the clock to protect our customers. We are also sharing information with government partners, security vendors, and law enforcement agencies globally to disrupt this campaign.”
Call to Action for Businesses and Governments
Microsoft strongly urged IT teams to:
Apply the emergency patches without delay.
Review server logs for suspicious activity dating back at least 60 days.
Change administrative credentials and implement multi-factor authentication (MFA) where possible.
Isolate compromised servers and perform a full forensic investigation if any indicators of compromise are found.
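Two of the signals described under "How the Attack Works" (unauthenticated requests to a script that was never part of the Exchange install, followed by an outbound traffic spike to an address nobody recognises) and the 60-day log review in the checklist above can all be triaged offline from exported logs. The script below is an added example written for this page; it is not Microsoft's detection guidance or any tool of theirs. The IIS log excerpt, the flow records, the baseline ASPX inventory (KNOWN_ASPX) and the known-destination set (KNOWN_DSTS) are constructed for illustration, and the spike threshold is an assumption. The parser reads the #Fields: header that IIS writes, so it works unchanged on real W3C-format logs.

```python
"""Offline triage for the two signals described above (added example, not
Microsoft's tooling): unauthenticated POSTs to .aspx files that are not in
the Exchange baseline inventory, and outbound byte spikes to unknown hosts."""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Constructed IIS W3C log excerpt; the #Fields: line is what IIS itself writes.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2025-06-03 08:11:55 10.0.0.5 GET /owa/auth/logon.aspx url=https://mail.example.test/owa/ 443 - 198.51.100.7 Mozilla/5.0 - 200 0 0 70
2025-06-03 08:12:01 10.0.0.5 POST /owa/auth.owa - 443 - 198.51.100.7 Mozilla/5.0 https://mail.example.test/owa/auth/logon.aspx 302 0 0 120
2025-06-03 08:12:09 10.0.0.5 GET /owa/ - 443 CORP\\alice 198.51.100.7 Mozilla/5.0 - 200 0 0 88
2025-06-04 02:41:17 10.0.0.5 POST /owa/auth/Current/themes/resources/x.aspx - 443 - 203.0.113.9 python-requests/2.31 - 200 0 0 15
2025-06-04 02:41:18 10.0.0.5 POST /owa/auth/Current/themes/resources/x.aspx - 443 - 203.0.113.9 python-requests/2.31 - 200 0 0 31
2025-06-04 02:42:05 10.0.0.5 POST /ecp/y.aspx - 443 - 203.0.113.9 python-requests/2.31 - 200 0 0 12
2025-06-05 09:00:00 10.0.0.5 GET /autodiscover/autodiscover.xml - 443 CORP\\bob 198.51.100.8 Outlook/16.0 - 200 0 0 40
"""

# Assumed, abbreviated baseline of .aspx files that ship with Exchange. Build the
# real one from a clean install or a known-good server, never from the suspect host.
KNOWN_ASPX = {"/owa/auth/logon.aspx", "/owa/auth/errorfe.aspx", "/ecp/default.aspx"}

# Constructed hourly outbound flow summary from the Exchange host:
# (hour, destination, port, bytes). 198.51.100.20 stands in for a known upstream.
FLOWS = [
    ("2025-06-04T01:00", "198.51.100.20", 443, 8_000_000),
    ("2025-06-04T02:00", "198.51.100.20", 443, 7_500_000),
    ("2025-06-04T03:00", "198.51.100.20", 443, 8_200_000),
    ("2025-06-04T03:00", "203.0.113.77", 443, 2_600_000_000),
    ("2025-06-04T04:00", "203.0.113.77", 443, 3_100_000_000),
    ("2025-06-04T04:00", "192.0.2.10", 53, 12_000),
]
KNOWN_DSTS = {"198.51.100.20"}


def lookback_start(now_iso, days=60):
    """Earliest timestamp to keep when reviewing the advised 60 days of logs."""
    return datetime.fromisoformat(now_iso) - timedelta(days=days)


def parse_iis_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # malformed or pre-header row: skip rather than guess columns
        yield dict(zip(fields, values))


def find_unknown_aspx_posts(records, known_aspx, since=None):
    """Group unauthenticated POSTs (status 200) to .aspx paths absent from the
    baseline. A web shell dropped by the initial exploit looks exactly like this."""
    hits = defaultdict(lambda: {"count": 0, "clients": set(), "first_seen": None})
    for r in records:
        ts = datetime.strptime(f"{r['date']} {r['time']}", "%Y-%m-%d %H:%M:%S")
        if since is not None and ts < since:
            continue
        stem = r["cs-uri-stem"].lower()
        if not stem.endswith(".aspx") or stem in known_aspx:
            continue
        if r["cs-method"] != "POST" or r["cs-username"] != "-" or r["sc-status"] != "200":
            continue
        h = hits[stem]
        h["count"] += 1
        h["clients"].add(r["c-ip"])
        if h["first_seen"] is None or ts < h["first_seen"]:
            h["first_seen"] = ts
    return dict(hits)


def find_outbound_spikes(flows, known_dsts, factor=10):
    """Total bytes per destination outside known_dsts whose hourly volume exceeds
    `factor` times the median hourly volume to known destinations (factor is an
    assumed threshold; tune it to the host's normal traffic)."""
    baseline = [b for _, dst, _, b in flows if dst in known_dsts]
    if not baseline:
        return {}
    limit = factor * median(baseline)
    spikes = defaultdict(int)
    for _, dst, _, nbytes in flows:
        if dst not in known_dsts and nbytes > limit:
            spikes[dst] += nbytes
    return dict(spikes)


if __name__ == "__main__":
    since = lookback_start("2025-07-01")
    for path, h in find_unknown_aspx_posts(parse_iis_w3c(IIS_LOG), KNOWN_ASPX, since).items():
        print(f"{path}: {h['count']} POSTs from {sorted(h['clients'])}, first {h['first_seen']}")
    for dst, total in find_outbound_spikes(FLOWS, KNOWN_DSTS).items():
        print(f"outbound spike to {dst}: {total:,} bytes")
```

On a real Exchange server the IIS logs live under C:\inetpub\logs\LogFiles\W3SVC<site id>\ by default; feed those files to parse_iis_w3c and build KNOWN_ASPX from a clean installation's file inventory, not from the host under investigation. Two practical points the checklist above leaves implicit: rotate administrative credentials only after the web shell and any persistence have been removed, otherwise the attacker simply harvests the new ones; and capture memory, the IIS logs and the suspect files before isolating or rebuilding a server, because those are the evidence the forensic investigation needs.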
Cybersecurity agencies in the U.S., U.K., and Europe have echoed Microsoft’s call for immediate action. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) also issued an emergency directive requiring all federal agencies to apply the fixes and report any breaches.
A Growing Pattern of Attacks
This incident is only the latest in a series of large-scale attacks exploiting weaknesses in widely deployed server software. In recent years, Exchange Server has been targeted by multiple advanced persistent threat (APT) groups, including the notorious Hafnium attacks of 2021. Security analysts warn that as more organizations move workloads to the cloud, attackers are increasingly targeting hybrid environments that still rely on on-premises servers.
“The lesson here is clear,” said a senior analyst at a private security firm. “Organizations cannot afford to delay patching critical systems or ignore alerts. Threat actors are quick to weaponize vulnerabilities, and the window to defend is shrinking.”
Conclusion
Microsoft’s alert serves as a stark reminder of the ever-present cyber risks facing businesses and governments. With attackers becoming more sophisticated and bold, maintaining up-to-date defenses, monitoring networks vigilantly, and having a robust incident response plan are more crucial than ever. By acting swiftly on Microsoft’s guidance, organizations can minimize damage and protect their most sensitive data from falling into the wrong hands.
As investigations continue, Microsoft has promised to share additional findings and best practices to help organizations strengthen their security posture in the face of evolving cyber threats.