SharePoint Zero-Day Under Active Attack — Patch CVE-2026-32201 Now

Microsoft has confirmed active exploitation of a spoofing zero-day in SharePoint Server (CVE-2026-32201, CVSS 6.5), patched in its April 2026 Patch Tuesday release on 15 April. The flaw lets an unauthenticated attacker trigger a cross-site scripting bug through improper input validation, then spoof trusted SharePoint content to steal sensitive data or manipulate what users see. No credentials, no user interaction, just a network path to your SharePoint instance. Security Affairs reports attacks were observed prior to the patch release.

If your organisation runs SharePoint Server 2016, 2019, or Subscription Edition — especially anything externally published or accessible via VPN — you are in the firing line. Spoofed SharePoint content is a near-perfect phishing lure because staff already trust the domain, which makes credential theft and lateral movement the obvious next step. Under the Privacy Act’s Notifiable Data Breaches scheme, any resulting unauthorised access to personal information is your problem to report.

Three things to do today. First, confirm the April 15 SharePoint cumulative updates are installed (KB5002861 for 2016, KB5002854 for 2019, KB5002853 for Subscription Edition). Second, review your SharePoint exposure — does it really need to be internet-facing, or can it sit behind Entra ID conditional access? Third, check SharePoint audit logs for unusual page requests or content modifications over the past fortnight. If you are not sure whether your environment is covered, ask your IT provider to confirm in writing.
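For the third step, one way to triage a fortnight of requests is sketched below. This is an added example, not code from Microsoft or from this blog. It assumes you review the IIS W3C logs of the SharePoint web front ends (rather than the SharePoint audit log itself), that the fields named in the `#Fields` line are enabled, and that the marker list, sample lines, `example.aspx` path and review date are constructed for illustration.

```python
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Constructed IIS W3C sample (not real traffic); example.aspx is a placeholder page.
SAMPLE_LOG = """\
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2026-04-02 03:14:07 GET /sites/hr/SitePages/Home.aspx - CONTOSO\\jsmith 10.0.0.12 200
2026-04-09 22:41:55 GET /_layouts/15/example.aspx q=%3Cscript%3Ealert(1)%3C%2Fscript%3E - 203.0.113.50 200
2026-04-10 01:02:03 GET /_layouts/15/example.aspx Source=javascript%253Avoid(0) - 203.0.113.50 302
2026-04-11 09:30:00 GET /sites/hr/Forms/AllItems.aspx View=%7B1234%7D CONTOSO\\jsmith 10.0.0.12 200
2026-03-01 10:00:00 GET /_layouts/15/example.aspx q=%3Cscript%3E - 198.51.100.7 200
"""
REVIEW_DATE = datetime(2026, 4, 15)  # assumed "today"; IIS timestamps are UTC
# Generic script-injection markers (an assumption, not a signature for this CVE).
MARKERS = ("<script", "javascript:", "onerror=", "onload=", "<iframe")

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if len(values) == len(fields):  # skip truncated or malformed rows
                yield dict(zip(fields, values))

def suspicious_requests(text, now, days=14):
    """Anonymous requests in the review window whose query decodes to script markup."""
    cutoff = now - timedelta(days=days)
    hits = []
    for row in parse_w3c(text):
        when = datetime.strptime(f"{row['date']} {row['time']}", "%Y-%m-%d %H:%M:%S")
        # IIS logs "-" as cs-username for unauthenticated requests.
        if when < cutoff or row["cs-username"] != "-":
            continue
        # Decode twice so double URL-encoded values are also normalised.
        query = unquote_plus(unquote_plus(row["cs-uri-query"])).lower()
        found = [m for m in MARKERS if m in query]
        if found:
            hits.append((when, row["c-ip"], row["cs-uri-stem"], found))
    return hits

if __name__ == "__main__":
    for when, ip, stem, found in suspicious_requests(SAMPLE_LOG, REVIEW_DATE):
        print(when.isoformat(), ip, stem, ",".join(found))
```

A hit is a lead for review, not proof of exploitation; correlate the source address and timestamp with SharePoint audit entries for content modifications.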

If you would like us to validate your Microsoft 365 and SharePoint configuration against this advisory, our cybersecurity team can run a quick exposure check and confirm your patch status.
