South African treasury among targets in global Microsoft SharePoint exploit

A wave of cyberattacks exploiting a Microsoft SharePoint flaw has impacted around 400 organizations worldwide, including government bodies, companies, and a university in South Africa.

A major global cyberattack leveraging a security vulnerability in Microsoft SharePoint servers has affected hundreds of organizations worldwide, including multiple victims in South Africa.

According to Eye Security, a Dutch cybersecurity firm that initially flagged the wave of intrusions, at least 400 entities have been compromised globally. These include government departments, private companies, and academic institutions. While the full scale of the breach remains unclear, most affected organizations are based in the United States, with other cases reported in Mauritius, Jordan, South Africa, and the Netherlands.

In South Africa, the threat has reached a wide range of sectors. “We’ve observed incidents involving a university, a car manufacturing firm, several local government units, and a national government agency,” said Vaisha Bernard, co-owner of Eye Security. Two additional South African organizations were also reportedly targeted, though their identities were not disclosed.

The details of the attack have been shared with South Africa’s national Computer Security Incident Response Team (CSIRT) for further investigation.

The National Treasury confirmed on Wednesday that malware was detected in its systems, specifically on the Infrastructure Reporting Model website. However, officials reassured the public that no operational disruptions have occurred. “All National Treasury systems and websites remain fully functional,” the department said in a statement.

Separately, the South African Reserve Bank stated there had been no breach of its infrastructure.

Microsoft SharePoint, widely used across South African institutions and businesses, allows teams to store, manage and share documents. Many organizations opt to run the software on-premises to retain control over their data and add a layer of security. However, Microsoft has warned that attackers are now specifically targeting these self-managed SharePoint environments, rather than cloud-hosted versions.

Microsoft has not yet issued a public response regarding the ongoing attacks.