A rapidly expanding cyber-espionage campaign targeting outdated versions of Microsoft SharePoint has compromised approximately 400 organizations, according to Dutch cybersecurity firm Eye Security.
The updated figure marks a fourfold increase from the 100 victims initially reported over the weekend and underscores the scale of the ongoing breach, which experts believe is being carried out by state-backed hackers, including groups linked to China.
Eye Security said the estimate is likely conservative, as it is based on traces left behind on vulnerable servers. “There are many more, because not all attack vectors have left artifacts that we could scan for,” said Vaisha Bernard, the firm’s chief hacker.
While the identities of most victim organizations remain undisclosed, the U.S. National Institutes of Health confirmed Wednesday that one of its servers had been compromised. “Additional servers were isolated as a precaution,” a spokesperson said, confirming a Washington Post report.
The cyber campaign emerged after Microsoft failed to fully patch a critical vulnerability in its SharePoint server software. Since then, companies and government agencies have rushed to secure their systems amid mounting concern.
Both Microsoft and Google’s parent company Alphabet have said that Chinese-backed hackers are actively exploiting the flaw. The Chinese government has denied any involvement.
The breach highlights the growing threat posed by zero-day vulnerabilities in widely used enterprise software and the urgent need for organizations to apply security updates promptly. Analysts warn that further disclosures are likely in the coming days as more victims assess the impact.

