Microsoft has stopped sharing proof-of-concept (PoC) exploit code with Chinese firms via its Microsoft Active Protections Program (MAPP) following a major SharePoint zero-day leak and mass exploitation in July 2025. Instead, these firms will now receive only written bug descriptions to reduce the risk of future abuse.
MAPP typically provides early vulnerability details to trusted vendors under NDA, allowing them to prepare defenses before public patches. However, after over 400 SharePoint servers were compromised in attacks linked to the China-based groups Linen Typhoon, Violet Typhoon, and Storm-2603, Microsoft tightened its disclosure policy.
Attackers exploited flaws using POST requests to SharePoint’s ToolPane endpoint, deploying malicious scripts to steal cryptographic keys. Microsoft warned that more threat actors are adopting these tactics and urged immediate patching of vulnerable systems.
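The access pattern described above can be hunted for in web server logs. The sketch below is an added example, not code from the article or from Microsoft: it assumes IIS logs in W3C format with a `#Fields` header, runs on constructed sample lines, and matches only on the endpoint name the article gives, so a hit marks a request for review rather than a confirmed compromise.

```python
from collections import defaultdict

# Constructed IIS W3C log excerpt (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2025-07-19 03:10:01 198.51.100.7 GET /_layouts/15/start.aspx 200
2025-07-19 03:10:04 203.0.113.9 POST /_layouts/15/ToolPane.aspx 200
2025-07-19 03:10:09 198.51.100.7 GET /_layouts/15/ToolPane.aspx 302
2025-07-19 03:11:30 203.0.113.9 POST /_layouts/15/toolpane.aspx 200
2025-07-19 03:12:00 198.51.100.7 POST /_vti_bin/client.svc 200
2025-07-19 03:12:05 truncated-row
"""


def parse_w3c(text):
    """Yield one dict per request, keyed by the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))


def toolpane_posts(text, needle="toolpane"):
    """Group POST requests whose URI stem names the ToolPane endpoint by client IP."""
    hits = defaultdict(list)
    for row in parse_w3c(text):
        if row.get("cs-method", "").upper() != "POST":
            continue  # the article describes POST requests; GETs are not flagged
        stem = row.get("cs-uri-stem", "")
        if needle in stem.lower():  # IIS paths are case-insensitive
            hits[row.get("c-ip", "unknown")].append(
                (row.get("date"), row.get("time"), stem, row.get("sc-status"))
            )
    return dict(hits)


if __name__ == "__main__":
    for ip, requests in toolpane_posts(SAMPLE_LOG).items():
        print(ip, len(requests), "POST request(s) to review")
        for req in requests:
            print("   ", *req)
```
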
The breach raised concerns about leaks from MAPP, prompting Microsoft to review and suspend violators. The company also released indicators of compromise and detection tools to help defenders respond.