Recently Malwarebytes reported that the SolarWinds hackers accessed its internal emails using the same intrusion vector they used in other attacks. The vector appears to abuse applications with privileged access to Microsoft Office 365 and Azure environments. The representative stated that “the investigation indicated the attackers leveraged a dormant email protection product within our Office 365 tenant that allowed access to a limited subset of internal company emails.” The attack sequence suggests that the attacker tricked an end user into authorizing a third-party site to share authentication via OAuth.
