Solorigate Resource Center – updated January 15, 2021

Alongside our industry partners and the security community, Microsoft continues to investigate the extent of the recent nation-state attack on SolarWinds. Our goal is to provide the latest threat intelligence, Indicators of Compromise (IOCs), and guidance across our products and solutions to help the community respond, harden infrastructure, and begin to recover from this unprecedented attack. As new information becomes available, we will make updates to this article at https://aka.ms/solorigate.

Executive Summary and Background Information 

Microsoft is aware of a sophisticated supply chain attack that has targeted a variety of victims. The attack utilized malicious SolarWinds files that potentially gave nation-state actors access to some victims’ networks. Microsoft cybersecurity experts are investigating the attack to help ensure that customers are as secure as possible.  

Information for Security Operations and Hunters 

We encourage customers to implement new detections and protections to identify possible prior campaigns or prevent future campaigns against their systems. We have published the IOCs in this post. This list is not exhaustive and may expand as investigations continue.

We also recommend that customers review the IOCs provided by FireEye in "Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor".

Information for Security Admins  

Further information and guidance for Microsoft security products and solutions 

Overviews of the different Microsoft security products:  

Where can I get help and assistance? 

  • Customers with any product support related needs should file a Microsoft Support case at https://support.microsoft.com/contactus  
  • Get help in the Microsoft 365 security center, Office 365 Security & Compliance center, and Microsoft Defender Security Center by clicking the “?” icon in the top navigation bar.
  • For deployment assistance please contact https://fasttrack.microsoft.com  
  • If you believe you have been compromised and require assistance through an incident response, open a Sev A Microsoft support case.

Other Advisories & Additional Resources 

Revision History

  • 2021-01-15: Added links in the Information for Security Admins section to Microsoft Defender for Identity expands support to AD FS servers and Increasing resilience against Solorigate and other sophisticated attacks with Microsoft Defender
  • 2020-12-31: Added link to Microsoft Internal Solorigate Investigation Update
  • 2020-12-28: Added link to Using Microsoft 365 Defender to protect against Solorigate in the Information for Security Operations and Hunters section, and an MCAS docs link in the Specific guidance for Microsoft Security products and solutions section
  • 2020-12-22: Added links to an article from Alex Weinert on the Azure AD workbook to help you assess Solorigate risk in the Hunting section
  • 2020-12-21: Published