Cybersecurity After the Microsoft Hacks: How Companies and Individuals Can Protect Themselves Effectively
In spring 2025, several serious security breaches at Microsoft shook the digital world. The SharePoint and OneDrive services, which are used by millions of companies and government agencies worldwide, were particularly affected. The consequences of these attacks range from stolen data to long-term compromises of entire IT infrastructures. But what does this mean for individuals and companies—and how can you protect yourself?
An Overview of the Incidents
In July 2025, a critical zero-day vulnerability (CVE-2025-53770) was discovered in Microsoft SharePoint Server. This vulnerability was exploited by several state-sponsored hacker groups, including groups that Microsoft refers to by the code names Storm-2603 and Linen Typhoon. Particularly worrying is the fact that sensitive institutions such as the US National Nuclear Security Administration are also said to have been affected. According to security analyses, a total of over 400 organizations worldwide were compromised.
Just a few weeks earlier, another vulnerability in Microsoft’s OneDrive File Picker had been discovered. Due to a faulty OAuth implementation, third-party services such as Slack, ChatGPT, and Trello were able to gain access to users’ entire OneDrive archives, even though only the upload of individual files appeared to be permitted. This case once again demonstrated how quickly seemingly harmless interfaces can become gateways for attacks.
These attacks make it clear that traditional security measures are no longer sufficient—companies and individuals need to rethink their security strategies.
How Can You Protect Yourself? Prevention Is Key
For Businesses
The most important measure is to update affected systems immediately. Following the incidents, Microsoft has released security updates for all vulnerable SharePoint versions. Organizations that do not install these updates immediately remain exposed to attacks over the network, in some cases through automated exploits.
In addition, companies should configure their systems according to the principle of least privilege. This means that users are only granted the access rights that they actually need. All accounts should also be secured with multi-factor authentication (MFA).
The use of third-party apps also requires clear guidelines. The OneDrive vulnerability clearly showed how dangerous uncontrolled OAuth access can be. Companies should therefore regularly review all integrations, only allow verified applications, and quickly revoke suspicious authorizations.
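The regular review of integrations described above can be made routine by checking every OAuth consent grant against a per-app policy. The following is an added example, not code from Cryptomator or Microsoft; the scope names follow the Microsoft Graph naming convention, while the app names, the policy and the grants are constructed.

```python
# Added example (not Cryptomator's or Microsoft's code): audit OAuth consent grants.
from dataclasses import dataclass

# Scope names follow the Microsoft Graph naming convention; the app names, the
# policy and the grants below are constructed for this example.
BROAD_FILE_SCOPES = {"Files.Read.All", "Files.ReadWrite.All",
                     "Sites.Read.All", "Sites.ReadWrite.All"}

# Approved integrations and the widest scope set each one may hold. An app that
# only needs to upload single files gets an app folder, never the whole drive.
POLICY = {
    "team-chat": {"Files.ReadWrite.AppFolder", "User.Read"},
    "kanban": {"User.Read"},
}

@dataclass(frozen=True)
class Grant:
    app: str
    publisher_verified: bool
    scopes: frozenset
    user: str

def review_grant(grant, policy=POLICY):
    """Return the findings for one grant; an empty list means it may stay."""
    findings = []
    if grant.app not in policy:
        findings.append("app not on allowlist")
    else:
        excess = grant.scopes - policy[grant.app]
        if excess:
            findings.append("scopes beyond policy: " + ", ".join(sorted(excess)))
    if not grant.publisher_verified:
        findings.append("publisher not verified")
    if grant.scopes & BROAD_FILE_SCOPES:
        findings.append("tenant-wide file access")
    return findings

def grants_to_revoke(grants, policy=POLICY):
    """Map (user, app) to findings for every grant that fails review."""
    return {(g.user, g.app): f for g in grants if (f := review_grant(g, policy))}

SAMPLE_GRANTS = [  # constructed
    Grant("team-chat", True, frozenset({"Files.ReadWrite.AppFolder", "User.Read"}), "alice"),
    Grant("team-chat", True, frozenset({"Files.ReadWrite.All", "User.Read"}), "bob"),
    Grant("note-sync", False, frozenset({"Files.Read.All"}), "alice"),
    Grant("kanban", True, frozenset({"User.Read"}), "carol"),
]

if __name__ == "__main__":
    for (user, app), findings in grants_to_revoke(SAMPLE_GRANTS).items():
        print(f"REVOKE {app} for {user}: {'; '.join(findings)}")
```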
Last but not least, transparency regarding system activities plays a key role. Modern security infrastructures such as Security Information and Event Management (SIEM) or Microsoft Defender enable suspicious logins, token renewals, or API accesses to be detected at an early stage.
Another important component of the preventive security strategy is the use of solution-oriented encryption and role management – this is exactly where Cryptomator Hub comes in. The software enables companies to centrally manage encrypted cloud storage (vaults) and assign fine-grained access rights via roles. All data remains encrypted on the client side, so that even if a cloud provider is compromised, no unprotected information is disclosed. Features such as role-based assignment of “Create Vault” or “Read/Write” rights allow internal security policies to be effectively mapped and controlled. Especially in the case of remote work, third-party access, or decentralized teams, Cryptomator Hub offers a robust shield against unauthorized access – regardless of the trustworthiness of the cloud backend.
For Individuals
The same applies to private users: security starts with your own habits. If you regularly grant apps access to your cloud services, you should regularly check the permissions you have granted in the settings and disconnect any unnecessary connections.
A long, unique password in combination with MFA is now mandatory. Many attacks begin with so-called “credential stuffing” attacks, in which stolen access data from old leaks is tested automatically.
In addition, it is advisable to back up important data not only in the cloud, but also locally or in an end-to-end encrypted environment (such as Cryptomator). This ensures that personal documents remain protected even if the cloud provider is compromised.
What to Do in an Emergency?
Despite all precautions, it can happen that unauthorized access to sensitive systems is detected and confidential information may already have been stolen. In such cases, every minute counts.
First, the affected system should be disconnected from the network immediately to prevent further spread. At the same time, passwords and OAuth tokens must be reset—not only for the affected accounts, but also for connected services and admin accounts if in doubt.
The next step is to analyze all available log data to understand the scope of the attack. When did the access begin? What data may have been stolen? Which systems were affected?
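Both the early detection of suspicious token renewals and API accesses (the SIEM point in the prevention section) and the scoping questions above can be worked through on audit events. The following is an added example, not code from any of the products mentioned: two simple rules flag an account, and the scope is then derived from the first flagged event onward. The event format and the sample events are constructed.

```python
# Added example (not Cryptomator's or Microsoft's code): SIEM-style rules, then scoping.
from collections import defaultdict, deque
from datetime import datetime, timedelta

def ev(ts, user, kind, ip, system, resource="-"):
    # Constructed record; the field names are an assumption, not a real log schema.
    return {"ts": ts, "user": user, "type": kind, "ip": ip, "system": system, "resource": resource}

# Constructed sample: alice's token is refreshed from an unknown address, then enumerates files.
EVENTS = sorted([
    ev("2025-07-20T08:00:00", "alice", "signin", "10.0.0.5", "sharepoint"),
    ev("2025-07-20T08:30:00", "alice", "token_refresh", "10.0.0.5", "sharepoint"),
    ev("2025-07-20T08:40:00", "bob", "signin", "10.0.0.7", "onedrive"),
    ev("2025-07-20T08:41:00", "bob", "api", "10.0.0.7", "onedrive", "/Notes/todo.txt"),
    ev("2025-07-20T09:00:00", "alice", "token_refresh", "203.0.113.9", "sharepoint"),
] + [ev(f"2025-07-20T09:00:{5 + i:02d}", "alice", "api", "203.0.113.9", "onedrive",
        f"/Finance/q{i}.xlsx") for i in range(6)], key=lambda e: e["ts"])

def detect(events, burst_n=5, burst_window=60):
    """Rule 1: token refresh from an address other than the last interactive sign-in.
    Rule 2: burst_n API accesses by one account within burst_window seconds."""
    last_signin_ip, recent_api, alerts = {}, defaultdict(deque), []
    for e in events:  # events must be in time order
        t = datetime.fromisoformat(e["ts"])
        if e["type"] == "signin":
            last_signin_ip[e["user"]] = e["ip"]
        elif e["type"] == "token_refresh":
            origin = last_signin_ip.get(e["user"])
            if origin is not None and e["ip"] != origin:
                alerts.append((e, f"token refreshed from {e['ip']}, sign-in was from {origin}"))
        elif e["type"] == "api":
            q = recent_api[e["user"]]
            q.append(t)
            while t - q[0] > timedelta(seconds=burst_window):
                q.popleft()
            if len(q) == burst_n:  # fire once, when the threshold is first reached
                alerts.append((e, f"{burst_n} API accesses within {burst_window}s"))
    return alerts

def scope(events, alerts):
    """Per flagged account: when it started, which systems and resources were touched since."""
    first = {e["user"]: e["ts"] for e, _ in reversed(alerts)}  # reversed: earliest wins
    report = {}
    for user, start in first.items():
        touched = [e for e in events if e["user"] == user and e["ts"] >= start]
        report[user] = {"since": start,
                        "systems": sorted({e["system"] for e in touched}),
                        "resources": sorted({e["resource"] for e in touched if e["resource"] != "-"})}
    return report
```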
Companies should also activate an internal incident response team or call in external specialists to coordinate the recovery process. Communication is also important: customers, partners, and, if necessary, authorities such as the BSI (the German Federal Office for Information Security) must be informed depending on the scope of the incident.
Long-Term Security Strategy: From Reacting to Preventing
In the long term, it is not enough to simply respond to attacks—a proactive security culture must be established. This includes:
- Regular penetration tests to detect vulnerabilities before attacks occur
- Security training for employees to recognize social engineering and phishing
- Backups that are regularly tested and secured offline
- Transparent processes for app access and rights assignment
- And last but not least: emergency planning that defines clear procedures in the event of a cyberattack
The attacks on Microsoft show once again that no system is too big or too established to become a victim. The only way to achieve greater security is to identify risks early on, implement technical protective measures, and strengthen digital resilience throughout the organization.
Behavioral Security: People as a Security Factor
Technical protective measures are important—but they are only as strong as the security awareness of the people who use them. Attackers deliberately target the “human factor,” for example through phishing, social engineering, or CEO fraud. That’s why a modern security concept must not only inform employees, but also actively involve them.
Recommended measures:
- Interactive training courses and awareness campaigns (e.g., on phishing or password security)
- Regular simulated attacks to test security behavior
- Clearly communicated guidelines for handling data, devices, and software (e.g., BYOD)
- Integration of security topics into everyday work through short reminders or e-learning courses
An informed team recognizes threats more quickly, responds more confidently, and actively supports threat prevention.
Data Protection and Compliance (GDPR & NIS2)
Security is not only a technical goal, but also a legal obligation. Companies in Europe, for example, are subject to the General Data Protection Regulation (GDPR) and, increasingly, the NIS2 Directive, which defines specific IT security requirements. However, other parts of the world now also have strict legal regulations in place to protect personal and business-critical data.
What companies should consider:
- Document and regularly update technical and organizational measures (TOM)
- Perform data protection impact assessments for high-risk processes
- Report data breaches to the relevant supervisory authority within 72 hours
- Only use cloud services that comply with data protection regulations—e.g., through client-side encryption with Cryptomator Hub
Additional international regulations:
- USA: The California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) regulate the protection of personal data at the state level. In addition, security requirements are becoming increasingly important due to the Cybersecurity Framework of the NIST (National Institute of Standards and Technology).
- Canada: The Personal Information Protection and Electronic Documents Act (PIPEDA) requires companies to implement comprehensive data protection measures.
- Brazil: The Lei Geral de Proteção de Dados (LGPD) is a law that is largely similar to the GDPR.
- Asia: Countries such as Japan (APPI), South Korea (PIPA), and Singapore (PDPA) also have modern data protection laws with explicit security requirements.
Proper compliance management not only protects against fines, but also builds trust among customers, partners, and the public.
Identifying and Curbing Shadow IT
Shadow IT—applications or services that employees use without the consent or knowledge of the IT department—poses a growing risk. These tools are not subject to any central control, which means they can become gateways for attacks.
Strategies against shadow IT:
- Establishment of a clear approval process for software use
- Use of a Cloud Access Security Broker (CASB) to make shadow applications visible
- Awareness campaigns explaining why unauthorized tools pose a risk
- Development of a self-service portal with verified, secure tools to minimize circumvention
By creating transparency and offering alternatives, companies can effectively reduce the use of unsafe services.
Security Metrics and Reporting
Concrete security metrics (KPIs) are needed to highlight progress in the area of IT security and clarify responsibilities. Only by measuring can weaknesses be identified, compared, and improved.
Here are some examples of relevant KPIs:
- MFA coverage among employees
- Number of blocked phishing attempts per month
- Time from discovery to remediation of a vulnerability
- Percentage of patched systems relative to the total number of systems
- Mean time to respond (MTTR) to security incidents
These key figures not only help internal teams, but also provide management and external partners with comprehensible evidence of security.
Communication in Emergencies
How a company communicates in the event of an attack can be crucial to its long-term reputation. Transparent, factual, and coordinated communication demonstrates that responsibility is being taken.
Recommended measures:
- Creation of a crisis communication plan with clear responsibilities
- Preparation of templates for customer and partner information
- Definition of press spokespersons and communication approvals
- Communication in accordance with legal reporting requirements and data protection regulations
Those who are prepared can respond professionally, credibly, and in a manner that inspires confidence, even in an emergency.
Conclusion
The latest security breaches at Microsoft highlight that digital attacks are not a hypothetical danger, but a real threat—for businesses and private users alike. Those who act now can not only avert damage, but also secure the long-term trust of customers, partners, and employees.
Security is not a state, but a process. Every investment in IT security is an investment in future viability.