On July 25, 2025, Bloomberg reported that Microsoft is investigating whether a leak from its Microsoft Active Protections Program (MAPP) allowed Chinese hackers to exploit a SharePoint vulnerability before a patch was released. Microsoft attributed the campaign – dubbed “ToolShell” after the custom remote access trojan used – to three China-linked threat actors: Linen Typhoon, Violet Typhoon, and Storm-2603. The attackers reportedly compromised over 400 organizations worldwide, including the U.S. National Nuclear Security Administration.

Launched in 2008, MAPP is designed to reduce the time between the discovery of a vulnerability and the deployment of patches. By giving trusted security vendors early access to technical details about upcoming patches, Microsoft enables them to release protections (such as antivirus signatures and intrusion detection rules) in sync with its monthly updates. The program, however, relies on strict compliance with non-disclosure agreements and the secure …