UPDATED 20:56 EDT / JANUARY 19 2021


Internal emails stolen in hack targeting cybersecurity company Malwarebytes

Cybersecurity software firm Malwarebytes Inc. has been hacked and internal emails stolen.

The hack, revealed today, is being attributed to the nation-state actor implicated in the SolarWinds Worldwide LLC breach, though Malwarebytes noted that it doesn’t use SolarWinds products itself. The intrusion vector involved attackers abusing applications with privileged access to Microsoft Office 365 and Azure environments.

The emails stolen are described only as a “limited subset of internal company emails,” with no evidence of unauthorized access to or compromise of any of the company’s internal on-premises or production environments.

The hack wasn’t initially detected by Malwarebytes but by the Microsoft Security Response Center. It informed the company Dec. 15 of suspicious activity in its Office 365 tenant consistent with the tactics, techniques and procedures of the APT that targeted SolarWinds. An extensive investigation was launched, and the hackers were found to have leveraged a dormant email protection product within Malwarebytes’ Office 365 tenant.

The attack method that targeted Malwarebytes was referenced in a U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency alert titled “Detecting Post-Compromise Threat Activity in Microsoft Cloud Environments,” published Jan. 8. CISA specifically mentioned that it has seen an APT actor using compromised applications in a victim’s Microsoft 365/Azure environment. The APT used additional credentials and application programming interface access to reach cloud resources of private and public organizations.

The attacks have three components: compromising or bypassing federated identity solutions, using forged authentication to move laterally into Microsoft cloud environments, and using privileged access to a victim’s cloud environment to establish difficult-to-detect persistence mechanisms for API-based access.
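The persistence mechanism described above, a new credential quietly attached to an existing application that already holds broad mail or directory permissions, is the kind of change a defender can hunt for in the Azure AD audit log. The script below is an added example and is not code from the article, from Malwarebytes or from CISA. It assumes a simplified version of the audit-log record shape (activityDisplayName, initiatedBy, targetResources) and assumes the operation names “Add service principal credentials” and “Update application – Certificates and secrets management” match the display names Azure AD writes; the app inventory, permission names, user names and log records are all constructed for the example.

```python
"""Flag credential additions to dormant or high-privilege app registrations.

Added example, not Malwarebytes', CISA's or SiliconANGLE's code. The record
layout is a simplified, constructed version of the Azure AD audit-log shape,
and the two operation names in CREDENTIAL_OPS are assumed to match the real
display names. All sample data below is constructed.
"""
from datetime import datetime, timezone

# Audit-log operations that attach a new secret or certificate to an app
# (assumed to match Azure AD's display names).
CREDENTIAL_OPS = {
    "Add service principal credentials",
    "Update application – Certificates and secrets management",
}

# Application permissions that give API-based access to mail or the directory
# without any user signing in (Graph and Exchange Web Services names).
HIGH_PRIV_PERMS = {
    "Mail.Read", "Mail.ReadWrite", "full_access_as_app", "Directory.ReadWrite.All",
}

# Constructed inventory: app display name -> granted app permissions and the
# last time the app actually signed in (from sign-in logs in a real tenant).
APP_INVENTORY = {
    "legacy-mail-protection": {
        "permissions": {"Mail.Read", "full_access_as_app"},
        "last_sign_in": datetime(2020, 6, 1, tzinfo=timezone.utc),
    },
    "hr-portal-sync": {
        "permissions": {"User.Read.All"},
        "last_sign_in": datetime(2020, 12, 10, tzinfo=timezone.utc),
    },
}

# Constructed audit-log records (simplified shape).
AUDIT_RECORDS = [
    {"activityDateTime": "2020-12-14T03:12:44Z",
     "activityDisplayName": "Add service principal credentials",
     "initiatedBy": "svc-admin@example.invalid",
     "targetResources": [{"displayName": "legacy-mail-protection"}]},
    {"activityDateTime": "2020-12-14T09:40:01Z",
     "activityDisplayName": "Update application – Certificates and secrets management",
     "initiatedBy": "it-ops@example.invalid",
     "targetResources": [{"displayName": "hr-portal-sync"}]},
    {"activityDateTime": "2020-12-14T10:00:00Z",
     "activityDisplayName": "Update user",
     "initiatedBy": "it-ops@example.invalid",
     "targetResources": [{"displayName": "jdoe@example.invalid"}]},
]


def parse_time(stamp: str) -> datetime:
    """Parse the UTC 'Z' timestamp used in the records."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_suspicious_credential_adds(records, inventory, dormant_days=90):
    """Return findings for credential additions worth an analyst's attention.

    A finding is raised when a new credential lands on an app that is not in
    the inventory, has not signed in for `dormant_days`, or already holds a
    high-privilege application permission. Each finding lists its reasons.
    """
    findings = []
    for rec in records:
        if rec["activityDisplayName"] not in CREDENTIAL_OPS:
            continue
        when = parse_time(rec["activityDateTime"])
        for target in rec["targetResources"]:
            name = target["displayName"]
            reasons = []
            app = inventory.get(name)
            if app is None:
                reasons.append("not_in_inventory")
            else:
                if (when - app["last_sign_in"]).days >= dormant_days:
                    reasons.append("dormant")
                if app["permissions"] & HIGH_PRIV_PERMS:
                    reasons.append("high_privilege")
            if reasons:
                findings.append({
                    "app": name,
                    "operation": rec["activityDisplayName"],
                    "initiated_by": rec["initiatedBy"],
                    "time": when.isoformat(),
                    "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in find_suspicious_credential_adds(AUDIT_RECORDS, APP_INVENTORY):
        print(f"{f['time']} {f['operation']} on {f['app']} by "
              f"{f['initiated_by']}: {', '.join(f['reasons'])}")
```

In the constructed data only the credential added to the long-idle, mail-privileged app is flagged; the routine secret rotation on the active, low-privilege app is not. In a real tenant the inventory would be built from the application and sign-in logs rather than typed in, and the output would feed a review of who added the credential and whether that app still needs its permissions at all.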

“While we have learned a lot of information in a relatively short period of time, there is much more yet to be discovered about this long and active campaign that has impacted so many high-profile targets,” noted Malwarebytes co-founder and Chief Executive Officer Marcin Kleczynski. “It is imperative that security companies continue to share information that can help the greater industry in times like these, particularly with such new and complex attacks often associated with nation-state actors.”
