{
	"id": "dc319f58-87d2-447b-ad8f-b018f480cb15",
	"created_at": "2026-04-06T00:06:19.689798Z",
	"updated_at": "2026-04-10T03:20:17.186043Z",
	"deleted_at": null,
	"sha1_hash": "a77fd9a1e5745e7c5c81ef5074247049b3d41d9f",
	"title": "Microsoft Internal Solorigate Investigation Update",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 35649,
	"plain_text": "Microsoft Internal Solorigate Investigation Update\r\nBy simon-pope\r\nPublished: 2020-12-31 · Archived: 2026-04-05 15:32:16 UTC\r\nAs we said in our recent blog, we believe the Solorigate incident is an opportunity to work together in important\r\nways, to share information, strengthen defenses and respond to attacks. Like other SolarWinds customers, we have\r\nbeen actively looking for indicators of the Solorigate actor and want to share an update from our ongoing internal\r\ninvestigation.\r\nOur investigation into our own environment has found no evidence of access to production services or\r\ncustomer data. The investigation, which is ongoing, has also found no indications that our systems were\r\nused to attack others.\r\nAs we previously reported, we detected malicious SolarWinds applications in our environment, which we isolated\r\nand removed. Having investigated further, we can now report that we have not found evidence of the common\r\nTTPs (tools, techniques and procedures) related to the abuse of forged SAML tokens against our corporate\r\ndomains.\r\nOur investigation has, however, revealed attempted activities beyond just the presence of malicious SolarWinds\r\ncode in our environment. This activity has not put at risk the security of our services or any customer data, but we\r\nwant to be transparent and share what we’re learning as we combat what we believe is a very sophisticated nation-state actor.\r\nWe detected unusual activity with a small number of internal accounts and upon review, we discovered one\r\naccount had been used to view source code in a number of source code repositories. The account did not have\r\npermissions to modify any code or engineering systems and our investigation further confirmed no changes were\r\nmade. These accounts were investigated and remediated.\r\nAt Microsoft, we have an inner source approach - the use of open source software development best practices and\r\nan open source-like culture - to making source code viewable within Microsoft. This means we do not rely on the\r\nsecrecy of source code for the security of products, and our threat models assume that attackers have knowledge\r\nof source code. So viewing source code isn’t tied to elevation of risk.\r\nAs with many companies, we plan our security with an “assume breach” philosophy and layer in defense-in-depth\r\nprotections and controls to stop attackers sooner when they do gain access. We have found evidence of attempted\r\nactivities which were thwarted by our protections, so we want to re-iterate the value of industry best practices such\r\nas outlined here, and implementing Privileged Access Workstations (PAW) as part of a strategy to protect\r\nprivileged accounts. We will provide additional updates if and when we discover new information to help inform\r\nand enable the community. As we learn more from our own internal investigation, and from helping customers, we\r\nwill continue to improve our security products and share these learnings with the community. For the up-to-date\r\ninformation and guidance, please visit our resource center at https://aka.ms/solorigate.\r\nInvestigation\r\nSolarWinds\r\nSolorigate\r\nSource: https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://msrc-blog.microsoft.com/2020/12/31/microsoft-internal-solorigate-investigation-update/"
	],
	"report_names": [
		"microsoft-internal-solorigate-investigation-update"
	],
	"threat_actors": [],
	"ts_created_at": 1775433979,
	"ts_updated_at": 1775791217,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a77fd9a1e5745e7c5c81ef5074247049b3d41d9f.pdf",
		"text": "https://archive.orkl.eu/a77fd9a1e5745e7c5c81ef5074247049b3d41d9f.txt",
		"img": "https://archive.orkl.eu/a77fd9a1e5745e7c5c81ef5074247049b3d41d9f.jpg"
	}
}