{"id":39228,"date":"2021-01-20T14:44:05","date_gmt":"2021-01-20T14:44:05","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/malwarebytes-says-its-office-365-azure-tenancies-invaded-by-solarwinds-hackers-insists-its-tools-are-still-safe-to-use\/"},"modified":"2021-01-20T14:44:05","modified_gmt":"2021-01-20T14:44:05","slug":"malwarebytes-says-its-office-365-azure-tenancies-invaded-by-solarwinds-hackers-insists-its-tools-are-still-safe-to-use","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/malwarebytes-says-its-office-365-azure-tenancies-invaded-by-solarwinds-hackers-insists-its-tools-are-still-safe-to-use\/","title":{"rendered":"Malwarebytes says its Office 365, Azure tenancies invaded by SolarWinds hackers, insists its tools are still safe to use"},"content":{"rendered":"<p>Security company Malwarebytes suspects a breach of its Office 365 and Azure tenancies is by the same attacker behind the SolarWinds hack, but reckons flaws in Azure Active Directory security are also to blame.<\/p>\n<p>Malwarebytes, whose products include widely used anti-malware tools for consumers and businesses, said that it does not use SolarWinds but <a target=\"_blank\" href=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2021\/01\/malwarebytes-targeted-by-nation-state-actor-implicated-in-solarwinds-breach-evidence-suggests-abuse-of-privileged-access-to-microsoft-office-365-and-azure-environments\/\" rel=\"noopener noreferrer\">believes<\/a> that the same attacker used &#8220;another intrusion vector that works by abusing applications with privileged access to Microsoft Office 365 and Azure environments&#8221;.<\/p>\n<p>The attack was spotted because of suspicious activity reported by Microsoft&#8217;s Security Response Center.<\/p>\n<p>The intruder &#8220;only gained access to a limited subset of internal company emails&#8221; said Malwarebytes, and there was no evidence of unauthorised access to internal or on-premises and production environments. Malwarebytes also checked its source code and build processes including &#8220;reverse engineering our own software&#8221; but could not find any evidence of compromise, concluding that &#8220;our software remains safe to use.&#8221;<\/p>\n<p>How was Malwarebytes breached? There is some but not complete information on this subject in the company&#8217;s report. On Microsoft&#8217;s cloud, there are directory objects called service principals which can have privileges assigned to them. <a target=\"_blank\" href=\"https:\/\/docs.microsoft.com\/en-us\/azure\/active-directory\/develop\/app-objects-and-service-principals\" rel=\"noopener noreferrer\">Service principals<\/a> are specific to an Azure AD tenancy and represent an application in that tenancy. When admins give permission to an application, they actually give permissions to its service principal.<\/p>\n<p>Users are not the same as applications, but there are techniques by which a user can log in as an application. To do this, admins can assign a password or a certificate to a service principal, and then log in as that service principal, thereby gaining the same privileges as the application.<\/p>\n<p>Security researcher Dirk-jan Mollema <a target=\"_blank\" href=\"https:\/\/dirkjanm.io\/azure-ad-privilege-escalation-application-admin\/\" rel=\"noopener noreferrer\">considers this<\/a> to be a vulnerability since it allows application administrators to escalate their privileges.<\/p>\n<p>&#8220;I don&#8217;t really see why credentials can be assigned to default service principals this way and what a possible legitimate purpose would be of this,&#8221; he said. &#8220;In my opinion, it shouldn&#8217;t be possible to assign credentials to first-party Microsoft applications. 
The Azure portal doesn&#8217;t offer this option and does not display these &#8216;backdoor&#8217; service principals credentials, but the APIs such as the Microsoft Graph and Azure AD Graph have no such limitations.&#8221; He reported the issue to Microsoft but was told that it was documented behaviour and therefore not a vulnerability.<\/p>\n<p>Malwarebytes said this was the mechanism for its own breach. &#8220;In our particular instance, the threat actor added a self-signed certificate with credentials to the service principal account. From there, they can authenticate using the key and make API calls to request emails via MSGraph,&#8221; the company said.<\/p>\n<p>It is still necessary to have privileges in order to escalate them, so what was the initial attack against Malwarebytes? This detail is not revealed. The nearest thing is a reference to this <a target=\"_blank\" href=\"https:\/\/us-cert.cisa.gov\/ncas\/alerts\/aa21-008a\" rel=\"noopener noreferrer\">US government advisory<\/a>, which states that password guessing or unsecured service credentials might (in the general case) be used to compromise an Azure AD environment. Since Malwarebytes says that its internal network was not breached, logic dictates that some external method like this was used.<\/p>\n<p>Malwarebytes&#8217; report shines the spotlight on Azure AD security. In this context, the recent <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2021\/01\/19\/fireeye_solarwinds_code\/\" rel=\"noopener noreferrer\">FireEye report<\/a> on monitoring Azure AD security is relevant, noting also that the widely used AD Connect tool, which synchronises on-premises Active Directory with Azure AD, means that villains with unauthorised access to on-premises AD can soon extend their access to the cloud environment. 
In a <a target=\"_blank\" href=\"https:\/\/www.troopers.de\/troopers19\/agenda\/y3nswp\/\" rel=\"noopener noreferrer\">report<\/a> from March 2019, Mollema showed how an AD Connect server can be exploited to gain full privileges on Azure AD.<\/p>\n<p>Symantec has recently <a target=\"_blank\" href=\"https:\/\/symantec-enterprise-blogs.security.com\/blogs\/threat-intelligence\/solarwinds-raindrop-malware\" rel=\"noopener noreferrer\">reported<\/a> on the &#8220;Raindrop&#8221; malware, which it believes is sometimes deployed by a compromised SolarWinds installation. Raindrop allows remote command and control. Symantec noted activity on a victim&#8217;s computer that installed DSInternals, which they say &#8220;is a legitimate tool which can be used for querying Active Directory servers and retrieving data, typically passwords, keys, or password hashes.&#8221;<\/p>\n<p>Securing Azure AD is challenging, and Malwarebytes references the <a target=\"_blank\" href=\"https:\/\/www.crowdstrike.com\/blog\/crowdstrike-launches-free-tool-to-identify-and-help-mitigate-risks-in-azure-active-directory\/\" rel=\"noopener noreferrer\">CrowdStrike tool<\/a> as useful for mitigation. 
Along with the tool, CrowdStrike lists a range of steps admins can take, including reviewing access awarded to third parties such as partners and resellers, limiting objects synchronised with AD Connect, cleaning up unused applications registered with Azure AD, enforcing multi-factor authentication for all users, and reviewing Exchange for suspicious rules such as mailbox forwarding.<\/p>\n<p>Microsoft&#8217;s hybrid approach to the cloud increases the number of possible attacks, but without Microsoft&#8217;s security intelligence tools picking up suspicious activity, Malwarebytes might still be unaware of the breach of its systems. 
\u00ae<\/p>\n<p> READ MORE <a href=\"https:\/\/go.theregister.com\/feed\/www.theregister.com\/2021\/01\/20\/malwarebytes_solarwinds_hack_latest\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Points finger at privilege escalation via application rights in Azure AD, which Microsoft says is as designed Security company Malwarebytes suspects a breach of its Office 365 and Azure tenancies is by the same attacker behind the SolarWinds hack, but reckons flaws in Azure Active Directory security are also to blame.\u2026  READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[],"class_list":["post-39228","post","type-post","status-publish","format-standard","hentry","category-the-register"],"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/39228","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=39228"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/39228\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=39228"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=39228"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=39228"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}