• Microsoft removes China-based engineers from U.S. defense cloud support following cyberattacks.
  • Chinese state-linked groups exploit SharePoint vulnerabilities targeting U.S. government and defense sectors.
  • Pentagon reviews foreign contractor use, signaling broader industry scrutiny.

Microsoft's security pivot

Microsoft is immediately ending its use of China-based engineers to manage and patch Defense Department cloud services, a move announced July 19, 2025, after U.S. government scrutiny of recent cyberattacks. The decision follows revelations that Chinese state-linked threat groups—including Linen Typhoon (APT27) and Violet Typhoon (APT31)—have been actively exploiting SharePoint vulnerabilities (CVE-2025-49706 and CVE-2025-49704) since early July. These attacks focused on intelligence gathering from U.S. government agencies, defense contractors, and NGOs.

"This isn't just about patching systems—it's about patching trust," said a cybersecurity consultant familiar with Pentagon cloud contracts, who requested anonymity due to ongoing investigations. Microsoft declined to comment on how many engineers were affected but confirmed the transition was underway.

Geopolitical ripple effects

The operational shift comes as the Pentagon conducts a rapid review of foreign contractor access to sensitive systems, with warnings that other tech providers supporting defense programs may face similar audits. Market analysts note the incident could accelerate "onshoring" trends for critical technical roles, particularly in government-facing cloud services. Shares of Microsoft dipped slightly in after-hours trading following the announcement, though the company's broader financial outlook remains strong on the back of Azure growth.

Meanwhile, cybersecurity teams across Washington are scrambling to assess exposure. One defense IT director, speaking on background, described "round-the-clock" efforts to verify systems: "When SharePoint's involved, the blast radius is enormous."

Correction: An earlier version misstated the number of vulnerability identifiers; there are two CVEs involved in the attacks.