https://research.eye.security/sharepoint-under-siege/
https://krebsonsecurity.com/2025/07/microsoft-fix-targets-at...
https://www.bleepingcomputer.com/news/microsoft/microsoft-re...
No one considers Google anything less than an impenetrable fortress, but when it's some government entity responsible for keeping American lives safe it's like "ah yeah they probably have a vulnerable on-prem Sharepoint that could easily be pwned."
So why is this? Why do Microsoft products enjoy a monopoly on the server in these sectors when more secure (Linux-based) options are far cheaper and widely deployed already? Isn't security the number one priority in those spaces?
They don't. There's plenty, even a majority, of non-Windows servers in gov (I know, some depts are true MS shops).
Sharepoint is one of those things that snuck in via the desktop. It was touted by MS as an evolution of shared folders with "Intranet" features included. If you already ran a Windows Server for fileshares, Sharepoint was "free".
The initial few implementations were of extremely poor quality, even by MS standards, but SP was positioned in the MS channel as the future of MS server side application development. So all of the consultancy/sales channel jumped on the SP wagon for any custom server projects.
For developers, it was a nightmare. Underneat the platform was a frankensteinian horror of bits and pieces of resurected code from many departments and projects across MS crudely bolted together with chewing gum scraped of a park bench and bits of string recovered from old fish guts. Lists (SP's core structure for file directories with exposed metadata properties) could not work reliably, the system fell over under even light load, latency was totaly unaceptable even for basic operations, files did not rountrip through the server unchanged ...
Over the years MS cut it down from "the future platform for custom backoffice apps" to "out of the box Intranet with mainly cosmetic configuration options" to "cloud hosted office 365 shared folders".
" Isn't security the number one priority in those spaces?"
No. It's exacly like every other IT environment of comparable size. Security is considered important, but does not drive sales. Features and cost, but also available expertise from the supplier/channel partners dominates the choice. Security is covered by promises and certifications, but more often than not left to operations to patch up.
A huge portion of the desktop and server market are running Windows. It used to be almost all Windows, at least on the desktop. Nowadays mobile computing has become far more important so Windows doesn't have the end user dominance it once did, but there are still a huge portion of end user devices running Windows.
Same on the back end: it's just a big juicy target, and the bang for buck that hackers get from it is huge given how prevalent it remains in corporate and government environments.
SharePoint isn’t Windows. It’s a Microsoft product that’s only available for Windows Server. But it’s not Windows.
The reason I make that distinction is because if you widen the scope of services available on Linux then you might come a lot closer to the same volume of issues.
For example, take a look at how frequently CVEs are raised against popular CMSs.
I mean, Linux isn't even Linux - At the risk of invoking a meme: Linux is actually GNU + Linux; and even then there's a web-server on top, and software that it runs.
So, a working comparison might be Wikipedia? As far as I understand it; that's the largest CMS on the planet.
As mentioned, even if we exclude websites, Linux is a pretty enormous target. Much more enormous than microsoft - by an order of magnitude or more, yet: we don’t seem to have these kind of issues. Curious, don’t you think?
Microsoft’s back office suite is massive. So you’re talking about Nginx + a CMS + online office suite + video conferencing + identity providers and so on and so forth.
There isn’t really a direct comparison in the FOSS world. It’s either smaller in scope or smaller in terms of high profile organisation adoption.
This is why I think it’s easier to ignore the “Linux” part. Not because Linux is technically a kernel, but because there isn’t a directly comparable solution that targets Linux / GNU or whatever other base OS moniker you want to use. Same is true for BSD, Darwin and so on.
The alternatives to Microsoft’s dominance are typically more narrow in scope and usually proprietary too (eg Okta for identities, Google Docs for O365, etc)
Does this mean that Microsoft products are secure? Not really. It just means we cannot make a fair comparison against FOSS when it comes to these specific types of attacks.
Similarly, looking at vulnerability counts by vendor doesn't paint a rosy picture of our largest vendor Microsoft, either. But it pales in comparison to the incident statistics, which speak for themselves.
To Microsoft's credit, they've managed to turn their weaknesses into a secondary industry, wherein they now no longer sell just the disease, they also sell the cure. "Oh, your Windows systems have security problems? Have we told you about our expansive security solutions? They're only an additional $your_budget_doubled per year!"
The protocol was proprietary and an open source implementation in Samba was very slow at catching up. If you decided to host a domain controller using it, you newer knew if a random disconnect was a network issue or the controller or the client.
And here we are. Active directory, or Entra or however they call it these days, is basically a standard way to manage users everywhere. And until a strong entity (EU?) comes up with strong backup towards an alternative solutions (we have plenty of them now), the situation will not change.
You still have Active Directory on premise and now you have EntraID (formerly Azure AD) in the Azure cloud.
For Windows devices, it is the only mechanism supported to have a centralized management system.
For other systems, such as MacOS, you have alternatives that don't require any centralized user database.
Most cloud-native companies today rely on Okta or Amazon Cognito for their applications. Google Workspace supports this too, but it is incredibly basic at what it can do.
I don't think there's nothing that anyone can do to make this different.
And just to nitpick a little, it's like saying the smartphone reduced the camera market because of its dominant position. It didn't, it just provided convenience when there was none (a phone, a camera, a video recorder...).
Money changing hands between suitable people who pop up together at the right social occasions is the priority.
In my experience you only really get fired when the command from top comes to cut X% of the workforce (sometimes this is yearly due to stack ranking systems) but even then the best way to keep your job is not doing a good job. In actuality it is connections (being good friends with your boss)
Not in my experience. Connections are most important than competence in big corporations. The bigger the company the most is works like the old Soviet Union.
The country can't go bankrupt and you just found another one.
Yes, when a country messes up they have to actually fix things, there is no way around it. Except getting merged into another country - like my birth country, the GDR, ended up as West Germany's problem (but its people still had to do the work).
Also, if big enough companies (and banks) fail, it is the same. Not having a string government would not help either, in such cases the companies would be the government, as we saw in even wilder times of huge companies and much less state in the US some century or two ago.
At some point in the hierarchy you have to live with not having omniscience and accept that sometimes things don't work out, and that you can't just walk away from the consequences of those failures.
For small companies, they just look at the "winner"'s operation, not including the "waste" of the other 39 "losers" that failed.
But, for enterprises, the only reasonable migration away from Windows is Mac. JAMF Pro for Mac can be hosted on-premise on Linux. The majority of enterprise software runs on Mac. However, Macs are expensive so it's unlikely to overtake Windows enterprise machine usage.
Hardware support for Linux PCs is poor and lacks the manageable of Windows PCs with Active Directory and GPO, or JAMF for Macs. Enterprise software usually doesn't support Linux. Linux PCs are uncommon for personal use and corporations don't want to train users how to use Linux.
I would dispute the "hardware support" comment. Linux has pretty good hardware support nowadays. And "enterprise" software is a vague term here. For desktop Windows, of course Microsoft will have that covered every which way, but for things such as authentication, authorization and security, Linux has a place. A comment about adding "Redhat" to the mix is not talking about desktops (necessarily) but servers and security.
Buy your linux laptop fleet from Framework, System76, Starlabs etc and you won't have any problems like that. You might have OTHER problems, but not that one.
Even in corporate, there's basically two vendors - Dell, and a distant second Lenovo, with Apple having a foothold in niche usecases.
There’s a reason why corporations use HP and Dell machines. And there’s a reason why HP/Dell/etc don’t have Linux OSes on their corporate client machines. Well, they do, but companies don’t care to order them for the other reasons people have listed here.
You are right that not all devices don't work perfectly, but the Bluetooth headsets, Bluetooth mouses, conference rooms etc. that the company supports are tested for compatibility before being bought by our IT department.
Why would you use RHEL to manage Windows client machines, when you could use Windows Server/Azure and get Microsoft support?
This is a huge factor. There are a lot of people who’ll curl up into a ball if you try and get them to use something new.
Side 1: the workers, especially the labor portion, are extremely resistant to learning new ways to do things unless you can prove, beyond the shadow of doubt, that the new way will be easier than the old way (aka, less to remember/think about) but also does not diminish the quality of their work or increase the perception that their coworkers might see them as having it easier than them.
Side 2: the people responsible for purchasing and resource allocation often do not know what they are buying. In any shop, if you say "we need new PC's for the office" the first thing the purchaser will do is ask a supplier for a deal on a fleet of Dells because that's just what they've always done. If the company is larger and has an actual IT department, they will just provide Windows PCs because that's what they were trained to support. The alternative, Linux, is never considered because they simply don't know anything about it and it's not being offered by their suppliers anyway, so why learn?
Microsoft sure has a lot of warts, but even as a Linux enthusiast, I cannot deny that Outlook "Just Works" with a frankly shocking set of basic stuff. Login for the first time, check your email, hey there's your meeting with your manager on your calendar, and now we can add new events just by putting you in this group, etc etc. There's dozens of little integrations baked in here that a tech enthusiast could feasibly replace in isolation, all of which vanish the moment you turn off the Exchange server or whatever it is. It's way more complex under the hood than most people realize, which is why "ditching Microsoft" so often turns into "Adopting Google Apps", as they have a similar turnkey solution to most of the same problems.
Not meaning to be a big ball of negativity, but as I haven't really explored here... in the FOSS space, what is the equivalent? Which tools are the most polished, and what server backends could be hosted on-prem to gain the same basic integrations with login, email, calendar, chat, and video conferencing?
Everyone above middle-manager level lives in meetings, which means that the calendar is a critical piece of productivity software for them, and they want the comforting familiarity of Outlook. Which means they get to impose that on a whole organization.
The company that should be doing this kind of integration is Red Hat, but they've never quite managed it.
The open source solution space is probably LDAP and CalDAV, but as you say, nowhere near as conveniently integrated.
AD integration and desktop management solutions rule the Windows desktop. But not Macs in an organization, which are an absolute pain to manage, and yet somehow persist.
Perhaps it's not enough for there to be a "push" to Open Source because you've been failed by a proprietary solution, there needs to be a "pull".
Absolutely. A company isn’t going to create a GitHub issue and wait around. You can’t make service agreements with FOSS. There needs to be market forces to sell this software to corporations and it’s a hard sell.
MS for all its flaws, welcomed, targetted and tried to support scale operations in larger business environments (Imaging, AD, GP, SuS, bitlocker, ...).
Also, if your only fix a hardware problem option was to "visit the 'genious bar'" and wait 6 weeks for a machine to come back, vs the Dell/HP/... service of "same day onsite repair", what is IT going to prefer for client computers?
No. Quick iterations and output output output. Security is one of the least concerns in any company I have ever worked in.
One of the answers should be for the DoD, or any other such military institution, to try and rely a little bit less on everything being "digitilized", or at least to change it all into a more fragmented data/information "archipelago", with no centralised unique source-of-truth.
Hold on, we are talking about SharePoint here. I don't know any software that could replace it, that is allowing office suite to collaborate in a way SharePoint Server does it (versioning, concurrent editing, online editing, workflows, customizations, OneDrive, IRM, compliance, search etc.)
Even in a windows environment. Can you name more secure, cheaper and widely deployed alternative?
Also, even if we do look at cloud: Workspace isn’t bad (exception: sheets vs Excel), but SharePoint is the center of Teams, Power Platform, PowerBI… to replace M365 with Workspace means a lot of research, setup and testing of 3rd party alternatives to the above.
If you’ve ever worked in a well configured Microsoft stack, nothing beats the integration.
There’s no reason to believe Workspace would be more secure if it had the same feature set/integration configured.
Where is the equivalent tech on the Linux side that Red Hat developed? They simply didn't have a competitive enough alternative. Usually anything outside of cloud/web server space, you'd find alternative open-source projects rotting with non-clear ownership and year old last commits. Red Hat and Linux world weren't interested in developing those things. They weren't interested in making competitive user friendly alternatives that enabled non-programmer users. It is hard, thankless, soul crushing work that nobody does anymore since Microsoft bought or eliminated them. There are simply no equivalent alternatives in the open source world because competing with Microsoft requires accepting significant losses as a company for a long time. Google Workspace is a thing only because Google can finance its developers with ad money.
Just having Linux is no golden key to security either. You need to put the exact amount of barriers in front of your on-prem servers regardless of the OS.
The whole security mess is just the symptom of capitalist economy. Most companies give 0 fucks about it because caring about security is costly and time consuming. With the race to the bottom for first-to-market, caring about security is a risk, it is a distraction. They ignore it until they establish a position and maybe their misdeeds become a liability. However, no company got actually severely punished for not caring about security. So it is still seen as cost by many.
For the longest time desktop Linux simply tried to clone Windows/macOS. Eventually Red Hat came to dominate GNOME enough that it developed a bit of its own personality, but the kernel and software distribution approach always held it back from even matching its competitors in usability, which wasn't even close to enough. Apple have executed excellently for decades and even they only made progress in the pure consumer space, the enterprise space is one they never tried to attack despite having the money needed to do so.
Capitalism isn't the problem here. Communist software isn't exactly famous for being impenetrable, in fact it's more famous for hardly existing at all. Google and Apple are highly capitalist, and their security stance is much better. The problems at MS are deeper.
Because there is no FOSS solution even coming close to the level of out-of-the-box integration of Office 365. Thunderbird has zero integration with LibreOffice, LibreOffice has zero integration with Owncloud (or whatever else one might use), neither has integration with a softphone software, much less a backend like Asterisk. And some software like Sharepoint or MS Access doesn't have anything on the FOSS side.
And on top of that, many data exchange formats are not just "old", they're "fossil" and don't even come close to meeting the demands that people have come to expect.
In every single company I have been working in the last 15 years, information was spread across so many different tools that integration was a moot point: Office365, Jira, Confluence, a separate ticketing tool, some mkdocs or single markdown files in repositories, spreadsheets, dedicated HR web portal, intranet, internal blog/comm/social media... Even within Office365 information is stored randomly as office files in sharepoint, teams channels, personnal onedrive, emails, copy/paste in teams, teams channel onedrive synched drivees, onenotes...[1] Also RBAC makes sure that whenever you came across one doc containing link to other stuff, you end up having no access to half of the links
Bottom line the tightest integration doesn't reduce any friction because there is not a single toolsuite that fits every use case and people end up making a mess of everything. You never know where you can find the information and every single teams wiki ends up being a collection of links to a myriad of different places. Also half of the people still email people documents instead of the links because they don't understand anything else.
[1] yes it is in the background the same product but people access them and more importantly know or search the information in totally different ways.
Maybe [0] will be one, eventually, but it would take a long long time to replicate the functionality if it were to ever happen. Best case scenario is that the EU were to fund an open source solution.
[0] https://www.techradar.com/pro/mozilla-launching-thundermail-...
https://arstechnica.com/information-technology/2024/04/germa...
It's interesting to me that you'd go the hassle of hosting your own SharePoint on prem, but leave it internet facing. I would have assumed a the Venn diagram of these organizations to be entirely contained in orgs forcing you to use a VPN.
What a pity that CISA has been purged down of effective useful people and turned into another sad selected-for-political-compliance-only force.
Arizona recently got attacked from Iranian hackers & didn't even bother trying to get help from CISA. https://archive.is/2025.07.19-143305/https://www.azcentral.c...
CISA is so so vital. Investigating incredibly wide ranging attacks like this, or the Salt Typhoon attack are vital for this nation. But the show is being run by a bunch of people who value political dogma far above anything else. https://www.techdirt.com/tag/cisa/
“I’m a terminator.”
Of course, it’s a government. All governments final form is to hurt great masses of people in service of the state’s continuity and the socioeconomic status quo.
That’s the entire reason they exist: to perpetuate themselves at the expense of (and harm to) huge quantities of people, just like a virus.
This is why large corporations like Boeing and Microsoft are so unswerving in their loyalty to them: in reliably serving the regime, they ensure their own survival. It’s like a capitalism cheat code.
The harms here are not the result of some broad faceless force so distributed and ethereal as to avoid accountability. The people performing them know exactly what they are doing. They're choosing to do it, when no systemic factor forces them to. If they wanted to not harm people, they could do so at zero or even negative harm to themselves.
Systems-level thinking is a useful tool, but it can make you miss the trees for the forest when a single concrete human being in front of you is just a bad person.
If only we could rid ourselves from THE EVIL GOVERNMENT, then, only then, will we see the glory of free market capitalism finally serving to the betterment of society.
no ffs its capitalism!
However, the more extreme the system (be it anarchocapitalism or communism), the higher the requirement to the goodness of people.
As is, in current societes I find that the ambient chaos of general democratic capitalism counteracts the threat of small minority making wrong decisions (Mao’s famine, etc.) while strategic regulations help curb bad actors abusing the system (like selling people poison or dumping toxic waste into rivers).
Both are needed, and I usually suspect that people who call for one extreme or the other either have an agenda or have not thought it through. (In the West it is often pro-capitalist tendencies, though I encountered both.)
So you don't do that. You use zero trust and don't care that things are exposed to the internet.
Working from anywhere (remote sites, home, your phone) is a huge benefit. Organizations want to control their data entirely while still wanting their organization to be able to access it.
The NIST Zero Trust Architecture (ZTA) implementation guides (SP 1800-35) [2] cut through the nonsense and AI generated marketing smoke.
In ZTA, ALL network locations are untrusted. Network connections are created by a Policy Engine that creates and tears down tunnels to each resource dynamically using attribute-based-access-controls (ABAC). Per request.
Microsoft doesn’t have any products that can do full ZTA, so several pillars are missing from their “Zero Trust” marketing materials.
[1] https://www.microsoft.com/insidetrack/blog/securing-the-bord...
TBH several pillars are missing from their entire security posture.
It’s a symbiotic relationship that allows them to stop having to spend resources to compete in the market on merit.
What does it mean in technical terms? What kind of tunnels are whose and what is their purpose?
Basically a policy evaluation point (PEP) evaluates the security posture of both parties before and after a handshake, then creates a logical or physical path of some kind of between the actor and the resource. This can be done with software-defined virtual networks and stateful firewalls, at one or more of the OSI layers.
With a VPN the attack surface of this vulnerability would have been miniscule compared to a publicly accessible zero-day RCE
(And it's not like you have to allow carte-blanche access behind the wall)
Defense in depth!
My way of mapping it to VPN mindset is "per app clientless VPNs straight to where the things are hosted". In an extremely open ruleset with all of the servers on a corporate network this could theoretically devolve into "a traditional clientless VPN to the office".
They can be implemented using a variety of technical patterns but they all share a common "each request is authenticated, encrypted" property instead of "anything goes once the tunnel is up" property.
And yet every customer of mine have some of their servers on a VPN. At the very least they enable ssh only on ports on the private network.
The other salient point is that all connections are established outbound through a broker, and importantly this is the case from both sides: The appliance at the terminating end of the tunnel establishes reverse tunnels to the broker for the connections, so it's never "exposed to the internet".
The broker can then push to your SIEM or whatever so you can have your SOC log jockeys harass your employees for accidentally leaving NordVPN on after watching international sports.
There are actual benefits: You can do things like allow logins to system A from anywhere, but system B only from your home country, you can do JIT network access requests, etc... but mostly it's vendor marketing to get you to spend too much money.
In a pure implementation, the same level of trust is implied (absolutely none at all) whether a device is connecting to a resource from the public internet or the same subnet.
It doesn’t matter what network you are connecting from, but it does matter that you’re connecting from a company-issued laptop that’s in a trustworthy state.
It's software your employer pre-installs on your work PC, that asks you to log in with your work SSO credentials, performs some endpoint security checks, then routes your traffic over a virtual network adapter, and thereby allows you to access workplace resources, even when working from home.
The main difference is it adds some semi-authenticated states. Correct device, username, password, and 2FA, but failed a device posture check because they plugged their phone into their laptop to charge it? The 'Zero Trust' system can block some systems, while letting them retain access to others.
The other big difference is the pricing - rather than paying a five-figure sum upfront for networking hardware, you instead pay $25 per employee per month, forever.
this is not a requirement of zero trust.
It likely will be entirely contained, at least in theory. Because is your IT and OT isolated? They should be, but man could I tell you something about the energy and public sectors... Let's just say, that if you're in an organisation with any sort of OT, then you may as well assume that everything you have is facing the internet in some way. I suspect it's frankly like this in any sort of enterprise organisation getting worse the more the org views IT purely as a cost center.
This is why we don't just rely on things like VPNs. Everything we have uses port security (mac-adresses) at a much more ganular level than the VPN does. At least for the parts of our systems landscape where this is possible. With something like SharePoint it's hard to allow specific devices because it's usually something everyone should have some sort of access to. Then you have all the organisations where SharePoint also has some sort of non-VPN access because some CEO level wanted it at one point since they can't be bothered to bring a work PC to their Holiday home.
I never remember thinking years ago how nice it would be to have all of our private docs that we only need to access on our private network accessible to the public. I just wasn’t thinking outside the box enough.
Once upon a time Microsoft marketed it as, and a lot of Orgs adopted SharePoint as their Intranet. With SharePoint 2019 being sunset, a lot of Orgs are scrambling to implement replacements.
Senior VP at CrowdStrike, so a professional in destroying large amounts of systems.
> cybersecurity firm
Sure, might as well call it that.
Some folks wanted SharePoint as their "web server", I would set that installation up entirely separted from all other instances they may have on the network.
It's the go-to warm-up joke whenever someone in the military gives a speech.
> A programming flaw in its cloud services also allowed China-backed hackers to steal email from federal officials. On Friday, Microsoft said it would stop using China-based engineers to support Defense Department cloud-computing programs after a report by investigative outlet ProPublica revealed the practice, prompting Defense Secretary Pete Hegseth to order a review of Pentagon cloud deals.
Anyway, from what I can tell being in this industry, a lot of things need to be explicitly illegal to stop companies from doing it.
Edit: The penalities also have to be meaningful. There's a lot of "technically not legal, but sue us lol" going on.
"Hey, this is a really really stupid idea." Isn't going to stop a middle manager from trying to come in under budget.
At most MS will pay a nominal fine, and proceed to learn nothing.
Would the CCP allow their cloud infra to be administrated by US staff in the US? Never.
AFAIK, the Oauth claims of SharePoint don't allow specifying particular projects only. (BTW: same counts for platforms like ACC/BIM360)
It's patchable, but it's been two times in a row now, and patching is always slow and incomplete.
Seriously, I haven't used it since 2017, but every time I used it then it was the worst part of my day. I used to have a shirt that said SHarepoIT Happens that I would wear to work, and it seemed like the one thing I could get my coworkers agree on was that Sharepoint is terrible and we'd rather use anything else.
Here’s just one example:
Each M365 Teams Team creates an M365 Group which creates a SharePoint site and Exchange mailbox. Teams channel files are stored in that SharePoint site. Teams channel messages are stored in the Exchange mailbox.
Private files dropped in Teams are stored in OneDrive (rebranded SharePoint). Private Teams messages are stored in the sender and recipients’ Exchange mailboxes.
M365 is SharePoint and Exchange. EVERYTHING is built on top.
EDIT: changed ‘individual’ to ‘sender and recipients’
Contacts and voicemail are stored in Exchange.
Diagram of data storage locations: https://youtu.be/V6B4KraD-FM?feature=shared&t=454
M365 Groups are still SharePoint + Exchange.
Why do I have a useless "General" folder in the root of my SharePoint documents, which I can't delete? I don't even have access to Teams, because I'm using the Teams-less M365 subscription for EU users.
Every day I think more and more that I should just switch provider for my small company.
Good lord. It truly is a layer of dung layered upon more layers of dung.
I used to work within the Office group. The way that data is organized in Exchange is mind-boggling -- and not in a good way, IMO. Its design is from decades ago, and trying to understand how to find something really takes a lot of experience. Without going into any gruesome details of how it works, I'll just say that it is a HUGE hurdle to being productive for day-to-day work.
Similarly, I'm not surprised that there's some kooky way that the Teams folks shoehorned their data into the existing Exchange system -- they probably have no other way to operate at that scale without taking years in writing their own database system. (I can't imagine that using SQL Server to do this would be viable, either, given what they want to do and the capabilities already built on top of Exchange.)
I assume you're talking about MAPI, which owes some of its baroque nature to X.400. It definitely comes from another time. It always struck me as over-engineered.
On the other hand, it has also been ridiculously successful.
Using this infra for teams makes sense since it already works well. As one poster said, its probably via some hidden folder.
I wonder what they did with skype, did they actually integrate any of it into teams or just dump it entirely?
There are so many companies and businesses that rely on offline data, or silo'd data than will be tied through their AD LDAP account permission, M365, teams included, is such a better option than hand rolling all of them and praying you configured every service correctly.
Imagine if it was just a hidden (special) folder in an Exchange mailbox.
Voila, you already have a well-known and widely implemented and tested message syncing solution both for content and status (read/unread)
I assume Windows Phone worked the same way with its text message backup. When you'd set up a new phone it would take a while for your Microsoft account to finish syncing during which new messages would trickle into the Messaging app in real time. In fact if your old phone was still on WiFi new messages would show up on both. Still more advanced 15(?!) years ago than my Android today
very slowly
and why the search doesn't work
Nothing works really well nowadays with exchange (classic, new, web, ...) or Teams. It is a complex layer based on sharepoint, that was not designed for that, because OneDrive is so bad that they have absolutely no way to manage a proper sharing of files between multiple persons, and so even less between teams and orgs.
I once figured out that you can go to the permissions page on the SharePoint site created by Teams and remove access for the corresponding M365 group.
M365 relies on SharePoint and Exchange, but they don’t rely on M365. So, you can potentially break Teams.
The sales pitch was that they could upload documents to SharePoint and when people downloaded the documents SharePoint would automatically apply DRM so the documents could only be opened by that person on authorised machines for a specified number of days.
Well, it turned out depending on how you logged in (using the same account, just different login forms) on the SharePoint server it would either give you the files with DRM applied - or the completely unrestricted files.
We got some senior Microsoft consultant working directly for Microsoft to look at it but in the end they were just as confused as us.
I have worked at an org that did the same. We already had Confluence. Somebody decided we needed Sharepoint. We licensed and installed it. Six months later we migrated the handful of documents and files and decommissioned it.
probably so. every corp I've worked for that had Sharepoint used it religiously. that is a whopping 3 different companies, but > 1 anecdotal experience. to be fair though, 2 of the 3 companies used it because the same person was at both companies and was responsible for using it at both companies during their tenure.
The fact that Sharepoint sucks* doesn’t matter… because anything else is seen as a risk.
* folders with lots of files are hard to scroll through because each page is lazy loaded, the automation functions are buggy, logins between different M365 tenants breaks and is not correctable by a normal site admin, human readable URL paths aren’t standard, search is shit, tables/filters are buggy, the new interface hides a bunch of the permissions logic, some things like permission groups need to be managed via outlook, etc etc. I’m sure a bunch of my gripes are technically fixable, but these aren’t things that should need a web search in order to use/fix.
Teams is actually SharePoint.
It ain't going anywhere
This is actually a great day for Microsoft. People will come to their cloud solutions in troves after this and everyone will be happy. Maybe not everyone, but Microsoft for sure.
The only reason to get downvotes is nonsense of prefacing the post with the 'worry'. Sharepoint would be far from a first choice under normal circumstances (e.g. not bundled with excel and friends)
nevertheless, even NFS is better than sharepoint. At least, NFS works...
How is this auditable?
"The process took six hours Saturday night — much longer than it otherwise would have, because the threat-intelligence and incident-response teams have been cut by 65 percent as CISA slashed funding, Rose said."
One does wonder whether this was all part of Musk's vision, or more thanks to the scum he hired to staff Dog coin and/or other lawless opportunists in the Trump administration.
[1] https://www.washingtonpost.com/immigration/2025/04/16/medica...
[2] https://www.reuters.com/technology/cybersecurity/whistleblow...
That anyone gives a word they say the time of day is actually crazy.
The problem is that while common sense would dictate those nonsensical expenses as such, they were part of the official process, so it was all legalized, so they avoid the FWA labels because the rule writers have made it so.
Interest is trivially accounted for. We know how much debt is outstanding.
Social Security and Medicare expenditures are well within 5% of what should be expected, given the total population of the US and its age distribution.
Your God Awful amount of waste, fraud and abuse reduces to a fraction of a fraction of the total budget. A tiny fraction of a big number may be a big number, but it simply doesn't matter structurally.
The only way out is to cancel the entire military, slash social security or raise taxes. The rest of the stuff (even if it is purely waste with no useful purpose) simply doesn't add up to enough dollars to fix the budget.
I know this isn't what anyone wants to hear, but numbers are numbers and you can't just wish away unpleasant realities.
Of course in proper propagandist fashion, we only ever hear about how much money the undeserving poors got, and nothing about the millions upon millions of dollars in loans given to private businesses and their owners that were definitely, 100% used for them to weather the pandemic, and later forgiven despite being explicitly loans.
Things are so complex we have critical bugs everywhere that can not be patched without major breakage. So what does a diligent org do? they make a risk-assessment to explain things away for legal & compliance purposes.
check your SCA/SBOM in any/most stacks if you think this is untrue ...
MS's hosted version of SharePoint. It's apparently unimpacted by this current round of attacks. DOD (since it's been brought up by other commenters) makes significant use of this.
People hosting SharePoint instances themselves. Some on-prem, some with rented computers. These are the impacted ones. It's not about "the cloud", it's about hosted SharePoint having weaknesses that were exploited and many organizations apparently leaving their SharePoint instances accessible over the open internet. These hosted instances are also probably old and unpatched which doesn't help things. Some (many?) units within DOD make use of this, but definitely not all.
I mean, there are definitely stupid people everywhere, but I'd hope MS leadership isn't that stupid.
You sink one of your own naval vessels (or it sinks due to an accident and you take advantage of the situation) and blame it on an enemy. That enemy is now the target of your military and your population approves.
A shipbuilder hires someone to poke a hole in 1000 of their ships that are so badly designed and manufactured that it only takes a rubber ducky bouncing off the hull to sink them does not encourage anyone to go back to that shipbuilder.
False flags (particularly of the "let's kill or maim hundreds of our own people and other innocent people" variety) push into evil territory. They aren't dumb on their own, they're calculated risks predicated on the willingness of the masses to fall in line after a catastrophe.
Deliberately hurting your own customers by using weaknesses in your own systems in order to motivate them to go buy your other products or services is dumb.
As a corporate drone that has accidentally opened various Microsoft office suite links inside of Teams. My dislike for anything Microsoft continues to grow.
Am I surprised that sharepoint has vulnerabilities? Hell no.
Or probably they don't.
It feels like Microsoft has a (bad) deal with every 3rd rate IT leader where the IT leader eschews Microsoft's BS in exchange for being "unfireable" because "who else knows how all the Microsoft stuff works?"
Probably not since there are so many of these breaches people just ignore them.
I miss the old days when a breach involved someone breaking into the computer room and grabbing as many mag tapes as they can carry and run :)
We didn’t knew it better, back then. We knew it better, now. But migrating is work. So we prefer to suffer! And harm others! This Linux and BSD people are so annoying with their desire for compatibility. They shall suffer, too! And when we buy everything from a Monopoly, we don’t need to think.
Nobody Ever Got Fired for Buying IBM.
"If something happens, we used enterprise grade industry standard software. We did our due diligence."
This outlook is basically why we can't innovate anymore.
I had to recently sit through a meeting where our CTO quoted all the "blogs" he's been reading as a way to slap down my suggestion for an in-house project.
It's all about CYA.
It's why school boards don't do anything useful, among many many other things in our society. It's an endemic disease.
Most of the time it's extremely exaggerated, but it's trotted out and used as a CYA excuse almost immediately by most in the executive/managerial class. Both due to outright laziness and incompetence, and also as just a... why take any personal risk whatsoever making actual decisions with any impact if I can keep my cushy job and career rolling by being as milquetoast as possible.
Never mind you get the big bucks to make such important and controversial decisions at great personal (career) risk when some inevitably go wrong. Everyone forgot that part. Such roles should be hard, difficult, and risky.
Pay the CYA bill, let the engineers build/choose something that actually works. Win-win.
FOSS isn't magically immune to vulnerabilities.
It doesn't help that the FOSS community generally prefers the C programming language over more modern and safer alternatives as a cultural thing. The result is just as many vulnerabilities, if not more, per line of code or per feature. Keep in mind that SharePoint is an enormous product with a 3.6 GB ISO image used to install it. If you think anyone is able to develop that volume of server code and have zero vulnerabilities... I have a bridge to sell you.
Valid point about the image size. A possible sign for bloat? Bloat is danger.
Second:
C, C++ or Rust are our tools. Everyone prefers another for technical and personal reasons. A religious believe in salvation by the next programming language is not helpful and causing harm. I hope sanitizers for C/C++ improve further - which improved safety a lot. For C++28 or C++3x we can hope for further safety improvements. Which we need.
Most bugs are logic errors. SharePoint is - according to my knowledge - implemented in C#. The CVEs mention deserialization of untrusted data, improper limitation of a pathname to a restricted directory ('path traversal'), improper control of generation of code ('code injection') and so on.
I'm rather careful about people requiring another language and claiming it will fix everything. Reliability needs hard work (design, code, review, testing...more review) even with well selected tools. I guess Microsoft does that. And I guess Microsoft works like the rest of the industry, focus on time-to-market and building a monopoly in every area. That's why we see rapid updates in a lot areas and - worse - enforced updates. And why software is known for it's low quality in comparsion to other industries?
Examples:
GNOME opted to use JavaScript in the hype back in 2010:
* JavaScript reduced compatibility compared to C/C++.
* They suffered a lot from memory-leaks. Due to JavaScript.
* The run-time modification seems not to be a big benefit.
* Extra dependencies for JavaScript. More memory usage.
Java also suffered. This rewrite of C++ to Java with JRE is a example, why rewrites for the sake of rewrites aren't a solution:
https://neilmadden.blog/2022/04/19/psychic-signatures-in-jav...
There is no magic. Only thorough work.
We will always suffer from security issues and we shall be always careful.
An observation I've made about Rust is that because it eschews OOP, it tends not to "scale" to large development teams for single applications. It's great for CLI tools, small web apps, etc... but after some scale it runs out of steam.
This is exacerbated by its glacial compile times compared to other languages, even C++, let alone C#.
I just can't imagine something the size of SharePoint being developed entirely in Rust!
Chromium is similar. It's practically an operating system now, it even has USB drivers! I had to compile Chromium from scratch once, for which I spun up a 120-core cloud VM with 456 GB of memory so that it wouldn't take all day.
With Rust... that would take all week even on that box.
I contributed to a Tcl/Tk library that I was using at work that had a specific issue with some image files, so I fixed it internally, and contributed the fix back to the FOSS project (with permission from work).
But SharePoint is the linchpin for Microsoft 365. Well technically SharePoint and Exchange. You can’t use any Microsoft 365 products without SharePoint.
OneDrive uses SharePoint. Outlook Groups and Teams Channels create Microsoft 365 Groups. Every Microsoft 365 Group creates a SharePoint site. Microsoft Loop uses Microsoft SharePoint Embedded.
SharePoint is now a “file and document management system suitable for use in any application”.
So, if you want an alternative to SharePoint you would need an alternative to any M365 Product, including Outlook and OneDrive.
Fun Fact: Teams messages are actually stored via Exchange Mailboxes.
https://learn.microsoft.com/en-us/sharepoint/dev/embedded/ov...
It's just conflating needs. Document editing and file storage are two different tasks. It's weird that people want everything integrated. It's not much effort to just drag and drop a file into G-Drive, OneDrive, Dropbox, box.com...
Not really, that's managers' speak. All things SharePoint is just a data swamp.
See, there’s the problem. Once you touch anything M365, you’re using SharePoint.
People see SharePoint as a document collaboration tool. But, in reality, it’s real use is as a data storage platform.
Not if you want to enable multiple users to be live editing the document at the same time.
Google Docs, on the other hand, works great when you're working together on a document. Too bad they don't have a native client.
We’re on Microsoft 365 and technically fall into the camp of “uses SharePoint”, but only for “shared network folder” usage which OneDrive seamlessly synchronizes should you dislike the web interface. We don’t actively use any other features of it.
Also worth mentioning that realtime collaboration and automatic versioning of Office documents is seamless for files on SharePoint, even if opened on a desktop on a OneDrive synchronized folder.
Files shared over Teams as well as meeting recordings are also stored on SharePoint.
My point is that SharePoint is used a lot but possibly not in the way one might have assumed.
I don’t know if self hosted SharePoint can do all this.
In 50 % of the time.
Genuinely asking - is there a Microsoft alternative to eBPF, k8s, nginx?
The answer is NO. Alternative to SharePoint is SharePoint. I would argue such project just not needed in general and therefor there is no 'alternative'.
What trapped a lot of orgs is making use of the whole PowerPlatform around sharepoint. There's a lot of crusty old LoB apps built with MS's no code tools (PowerAutomate, PowerApps) which run on SharePoint as the delivery platform. Some of these even hook into Excel files stored in the various document libraries, etc. There are entire, large business processes being handled by this platform, and so migrating will require actual dev time, which automatically makes it a non-starter for most, unfortunately. Doubly so when you consider that a lot of these "solutions" were built by non-devs, long since gone from the company and no one knows how deep the tentacles go.
Of course it's quite a poor replacement but it does exists.
The reason orgs use Sharepoint is they are forced to if they use Microsoft. One drive is sharepoint, teams is sharepoint, sharepoint sites is sharepoint, etc...
I'm sure all those things have better alternatives, but Microsoft shoves them down your throat when you license with them.
You’ve got it backwards. Everything M365 is an amalgamation of Entra, SharePoint, and Exchange.
I'm not saying that wouldn't be better, but it makes sense why an org would be reluctant. Again, not a fan of Sharepoint myself, but from an org's viewpoint, moving to Linux raises more problems than it solves.
To some extent I think Microsoft is largely in the business of building solutions for problems that don't exist.
Most orgs are probably perfectly fine with a document management system + desktop word application and then a commercial NAS for bulk storage / backups.
I don't understand how often this design has to blow up in people's faces until they stop doing this and use something dumb and safe instead.
Countries are run by politicians. The ability of a politician to remember something is inverse proportional to the sum of money landed in its account.
Granted there are countries that act like a Criminal Org., but if you live there you have more issues than your data.
With proprietary software, it is a much larger chance that backdoors exist than in Open Source. Many of us heard of 1 issue where it was claimed a project had a Gov sponsored BH in it. They did a long audit and found that was false.
Eventually Open Source backdoors will found in Open Systems. Proprietary you are SOL unless you do very expensive and very hard testing. Even then it is doubtful you will find a backdoor.
Plenty of closed source products will happily backdoor their products on request, without a warrant, if they are confident they will never be found out. That's the point. Not that FOSS source is somehow inviolable to nation-states with virtually infinite resources, many of which sponsor or contribute to the finance of a huge percentage of the development of FOSS themselves.
It's easier to find backdoors in FOSS if you're looking, because you're allowed to look. But somebody has to be looking.
Related:
ToolShell Mass Exploitation (CVE-2025-53770) - https://research.eye.security/sharepoint-under-siege/ | https://news.ycombinator.com/item?id=44629133
If you wouldn't mind reviewing https://news.ycombinator.com/newsguidelines.html and taking the intended spirit of the site more to heart, we'd be grateful.
It was misconfigured software running inside the kernel.
The issue was this misconfiguration was "urgently pushed" from Crowdstrike and depending on who you believe it overrode customer testing policies.
That said, that was the EU's fault, as the EU in 2009 forced Microsoft to fully expose their OS internals to outside vendors during an anti-trust settlement, and with little ability to enforce vendor standards:
""Microsoft shall make available to interested undertakings Interoperability Information that enables non-Microsoft server Software Products to interoperate with Windows Server Operating System on an equal footing with other Microsoft Server Software Products.
"Microsoft shall ensure on an ongoing basis and in a Timely Manner that the APIs in the Windows Client PC Operating System and the Windows Server Operating System that are called on by Microsoft Security Software Products are documented and available for use by third-party security software products that run on the Windows Client PC Operating System and/or the Windows Server Operating System.
These APIs will be documented on the Microsoft Developer Network, unless open publication would create security risks. In such circumstances, Microsoft will provide third-party security vendors with access to such APIs pursuant to a royalty-free license and on fair, reasonable and non-discriminatory terms." [0]
This meant that by offering Microsoft Defender for Endpoint, Microsoft needs to give similar access to the underlying kernel to competing vendors like CRWD and S1.
[0] - https://news.microsoft.com/download/archived/presskits/eu-ms...
It's the exact same thing as with Google Maps in Google Search. The EU did NOT say "Remove Google Maps" it said "Give competitors equal opportunity". The most user-hostile choice was removing the Google Maps integration entirely (because "no access" is still "equal access"), instead of offering users the choice.
Personally, the digital policies are one of the few things the EU generally gets right, and (as unrealistic as it is) I hope all the Googles and Apples go choke on it and di...solve.
This also wasn't Microsofts fault. It was bad kernel code, and don't say you would like microsoft to audit everyone else's code before it can be deployed somewhere.
Any vendor's legal team worth their mettle could then argue that any additional validation on vendors is unfair given that MS would always have significant internal knowledge about how the Windows Kernel operated.
It's yet another example of the EU getting in the way of itself.
IIS which SharePoint runs atop of is written in presumably primarily C.
You can decompile most of SharePoint if you ever need to peek at the code. That's a huge advantage to figure out how it works.
https://www.muellershewrote.com/p/the-epstein-cover-up-at-th...
https://www.muellershewrote.com/p/the-epstein-cover-up-at-th... | https://archive.is/RZqU0
> The process of reviewing the Epstein and Maxwell files was chaotic, and the orders were constantly changing - sometimes daily. One person I spoke to on the condition of anonymity said that many agents spent more time waiting for new instructions than they did processing files. But here’s what caught my attention: the files were stored on a shared drive that anyone in the division could access. Normally, access is only granted to those working on a project, but because of the hurried nature of the exercise, the usual permission restrictions were not in place. Additionally, the internal SharePoint site the bureau ended up using to distribute the files toward the end did not have the usual restricted permissions. This left the Epstein and Maxwell files open to viewing by a much larger group of people than previously thought.
Microsoft was pushing companies to use its Azure cloud services. Now everything is in the cloud. And accessible to WWW.
Example: if Kroger or whatever your supermarket of choice distributed meat that was infected they would get sued to bits. Microsoft distributes thousands of malicious NPM dependencies and underfund the NPM security team - if there is such a thing - resulting in an entire industry of supplychain security companies to exist. No other registry has the issue of malicious packages as badly as NPM since Microsoft acquired Github.
Microsoft just does not know how to handle security, which is why so many security companies exist to fill their gaps. I don’t trust their security practices one bit tbh.