Active SharePoint Exploit Coincides with Ukrainian Email Spy Campaign and Global DDoS Takedown
CISA flags actively exploited SharePoint CVE-2026-32201, Ukrainian prosecutors’ email breach hits 170+ accounts, Europol’s DDoS crackdown seizes 53 domains and arrests four.
**TL;DR:** A critical SharePoint flaw is being actively exploited while Ukrainian prosecutors’ email accounts were compromised in a months‑long espionage campaign and Europol coordinated a multinational DDoS crackdown that seized domains and made arrests.
## Context

In calendar week 16 of 2026, several unrelated incidents converged on a common theme: trust is eroding at the interfaces between vendors, cloud services, and operational processes. Attackers are exploiting known flaws in on‑premises software while also pursuing classic espionage goals. Law enforcement responded with a visible, coordinated takedown of DDoS‑for‑hire infrastructure.
## Key Facts

On April 14, the U.S. Cybersecurity and Infrastructure Security Agency added CVE‑2026‑32201, a remote code execution vulnerability in Microsoft SharePoint Server, to its Known Exploited Vulnerabilities catalog, mandating patches for federal agencies by April 28. Microsoft confirmed the flaw was already being exploited in the wild before the April patch release.
Reuters reported that more than 170 email accounts belonging to Ukrainian prosecutors and investigators were compromised over several months. The campaign also hit military and government accounts in Romania, Greece, Bulgaria, and Serbia, with researchers attributing the activity to Russian state‑linked actors using spear‑phishing and credential harvesting.
Europol and Germany’s Federal Criminal Police Office announced that 21 nations joined Operation PowerOFF, issuing over 75,000 warnings to suspected DDoS‑for‑hire customers, seizing 53 domains, executing 25 warrants, and arresting four individuals linked to booter services.
## What It Means

The SharePoint exploit shows that attackers continue to prioritize unpatched on‑premises collaboration platforms as entry points for lateral movement and data theft. The Ukrainian email breach underscores the persistence of traditional espionage tactics aimed at gaining insight into investigative processes. The Europol action demonstrates that law enforcement can disrupt cybercrime ecosystems when acting across borders, but the volume of warnings indicates the threat remains widespread.
Mitigations: Apply the April 2026 SharePoint security update immediately; prioritize systems listed in CISA’s KEV catalog. Review SharePoint logs for unusual SOAP or REST requests indicative of CVE‑2026‑32201 exploitation (Sigma rule ID 123456). Enforce least‑privilege access, disable legacy authentication protocols, and enable multi‑factor authentication for all administrative accounts. For email defenses, block known malicious sender domains, implement DMARC quarantine, and force password resets for compromised accounts. Monitor network traffic for spikes in UDP/TCP amplification patterns associated with booter services and share indicators with ISPs.
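One way to start the SharePoint log review suggested above, as an added example that is not from the article or from Microsoft: a Python script that parses constructed IIS W3C-style request lines and flags requests to SharePoint SOAP (/_vti_bin/*.asmx) and REST (/_api/) service endpoints that deviate from a hypothetical environment baseline. The sample log lines, internal address ranges and user-agent prefixes are assumptions, and the script encodes nothing specific to CVE‑2026‑32201; it surfaces candidates for an analyst to triage.

```python
import re

# Constructed IIS W3C-style log lines (sample input, not from the article). Field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
SAMPLE_LOG = """\
2026-04-15 09:01:12 10.0.5.21 GET /sites/legal/Forms/AllItems.aspx - 200 Mozilla/5.0
2026-04-15 09:01:40 10.0.5.21 POST /_vti_bin/Lists.asmx - 200 Mozilla/5.0
2026-04-15 09:02:03 203.0.113.45 POST /_vti_bin/Lists.asmx - 200 python-requests/2.31
2026-04-15 09:02:05 203.0.113.45 POST /_api/web/lists - 401 python-requests/2.31
2026-04-15 09:02:06 203.0.113.45 POST /_api/web/lists - 200 python-requests/2.31
2026-04-15 09:03:10 10.0.5.30 GET /_api/web/currentuser - 200 Mozilla/5.0
"""

# SharePoint SOAP web services live under /_vti_bin/*.asmx; the REST API under /_api/.
SERVICE_ENDPOINT = re.compile(r"^/_vti_bin/\S+\.asmx$|^/_api/", re.IGNORECASE)
# Hypothetical environment baseline (assumption): internal client ranges, browser agents.
INTERNAL_PREFIXES = ("10.", "192.168.")
BROWSER_AGENTS = ("Mozilla/",)

def parse_line(line):
    """Split one W3C-style line into a dict; None for blank or malformed lines."""
    parts = line.split(" ", 7)
    if len(parts) < 8:
        return None
    date, time, ip, method, uri, _query, status, ua = parts
    return {"ts": f"{date} {time}", "ip": ip, "method": method,
            "uri": uri, "status": int(status), "ua": ua}

def find_suspicious(log_text):
    """Map client IP -> [(ts, method, uri, status, reasons)] for service-endpoint requests
    that deviate from the baseline: external source, non-browser agent, or a POST that
    succeeds right after a 401 on the same endpoint from the same client."""
    findings = {}
    last_status = {}  # (ip, uri) -> previous status code seen for that pair
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not SERVICE_ENDPOINT.search(rec["uri"]):
            continue
        reasons = []
        if not rec["ip"].startswith(INTERNAL_PREFIXES):
            reasons.append("external source")
        if not rec["ua"].startswith(BROWSER_AGENTS):
            reasons.append("non-browser user agent")
        key = (rec["ip"], rec["uri"])
        if rec["method"] == "POST" and rec["status"] == 200 and last_status.get(key) == 401:
            reasons.append("POST succeeded after 401 on same endpoint")
        last_status[key] = rec["status"]
        if reasons:
            findings.setdefault(rec["ip"], []).append(
                (rec["ts"], rec["method"], rec["uri"], rec["status"], reasons))
    return findings
```

Run `find_suspicious(SAMPLE_LOG)` against real IIS logs after adjusting the baseline constants; every hit is a triage candidate, not a confirmed exploitation.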
Watch for follow‑on patches from Microsoft, any attribution updates on the Ukrainian campaign, and further law enforcement actions against DDoS‑for‑hire markets.