Update December 31, 2020: The Microsoft Security Response Center team has published an update on our internal Solorigate investigation and additional guidance.

Update December 28, 2020: The Microsoft 365 Defender team has published a comprehensive guide for security operations and incident response teams using Microsoft 365 Defender to identify, investigate, and respond to the Solorigate attack if it’s found in your environment.

Microsoft is aware of a sophisticated supply chain attack that has targeted a variety of victims over the past year. The attack utilizes malicious SolarWinds files that possibly gave cybercriminals access to some victims’ networks. Microsoft cybersecurity experts are investigating the attack to help ensure that Microsoft customers are as secure as possible. 

On December 17, 2020, Microsoft President Brad Smith posted a blog sharing the most up to date information and detailed technical information for defenders.  

• Read the blog post by Brad Smith  

As this is an ongoing investigation, Microsoft cybersecurity teams continue to act as first responders to these attacks. We know that customers and partners will have ongoing questions and Microsoft is committed to providing timely updates as new information becomes available. We will make updates through our Microsoft Security Response Center (MSRC) blog. 

• Read the blog post by the Microsoft Security Response Center (MSRC) 

Partners should secure their environments and follow up with their customers to assist them with securing their environments. Below, we’ve provided the latest links and information you can use when communicating with customers. 

Resources  

• Important steps for customers to protect themselves from recent nation-state cyberattacks – this blog post outlines the dynamic threat landscape and our principles approaching the investigation.  
• Customer guidance on recent nation-state cyberattacks by the Microsoft Security Response Center – this blog post will be updated with new information as the investigation continues.  
• SolarWinds post-compromise hunting with Azure Sentinel – this Tech Community post provides the latest hunting and detection queries for Azure Sentinel. 
• Ensuring customers are protected from Solorigate – this blog post by the Microsoft 365 Defender Threat Intelligence Team provides information about updates to Microsoft Defender Antivirus.
• Analyzing Solorigate and how Microsoft Defender helps protect customers – this blog post by the Microsoft 365 Defender Research Team and Microsoft Threat Intelligence Center provides in-depth analysis and details about the Microsoft Defender for Endpoint and Microsoft 365 Defender protections.  
• Microsoft 365 Defender and Microsoft Defender for Endpoint customers should review the Threat Analytics article within the Defender console (sign in is required) for information about detection and potential impact to their environments. 
• Protecting Microsoft 365 from on-premises attacks – this Tech Community post provides guidance for Identity professionals and Microsoft 365 admins.
• For any Microsoft Threat Experts (MTE) customers where we have observed suspicious activity in customers’ environments, we have completed Targeted Account Notifications.  
• Microsoft Defender antivirus and Microsoft Defender for Endpoint have released protections for the malicious SolarWinds software and other artifacts from the attack.  

Advisories  

• If your customer has a specific question regarding FireEye, refer them to the FireEye Advisory.  
• If your customer has a specific question regarding SolarWinds, refer them to the SolarWinds Advisory.  
• The Cybersecurity and Infrastructure Security Agency (CISA) has published a set of information and guidance here: https://us-cert.cisa.gov/ncas/alerts/aa20-352a. For individual country-specific guidance, customers and partners should refer to information from the appropriate law enforcement or other government entity in that jurisdiction.