The SolarWinds attackers also gained access to Malwarebytes' internal emails through a different intrusion vector. Malwarebytes confirmed that a second threat vector was used to infiltrate private emails, relying on password guessing or spraying and/or on abusing admin or service credentials.
The vendor reported suspicious activity on December 15 and linked it to the same threat actor involved in the SolarWinds attacks. “The investigation indicates the attackers leveraged a dormant email protection product within our Office 365 tenant that allowed access to a limited subset of internal company emails. We do not use Azure cloud services in our production environments.”
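The technique described in the quote above (a dormant application in an Office 365 tenant that still held mailbox-reading permissions) is something defenders can hunt for in their own tenants. The script below is an added example, not code from Malwarebytes or from the article: it takes an inventory of service principals, keeps those holding mail-reading permissions, and flags any that have not signed in within a dormancy window. The record shape (`appDisplayName`, `appId`, `appRoles`, `lastSignIn`) and the sample inventory are constructed for the example; the permission names are the real Microsoft Graph and Exchange Online scope names, and in practice the inventory would be exported from Azure AD.

```python
from datetime import datetime, timedelta, timezone

# Permission names that grant read access to mailboxes (Microsoft Graph application
# permissions plus the Exchange Online EWS impersonation permission).
MAIL_READ_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Mail.ReadBasic.All", "full_access_as_app"}

# Constructed sample inventory. The field names are an assumption made for this
# example, not the exact output of any Azure AD / Graph export.
SAMPLE_SERVICE_PRINCIPALS = [
    {"appDisplayName": "Legacy Mail Filter", "appId": "00000000-0000-0000-0000-000000000001",
     "appRoles": ["Mail.Read", "User.Read.All"], "lastSignIn": "2020-03-02T10:00:00Z"},
    {"appDisplayName": "Ticketing Bot", "appId": "00000000-0000-0000-0000-000000000002",
     "appRoles": ["User.Read"], "lastSignIn": "2020-12-10T08:30:00Z"},
    {"appDisplayName": "Active Mail Archiver", "appId": "00000000-0000-0000-0000-000000000003",
     "appRoles": ["Mail.ReadWrite"], "lastSignIn": "2020-12-14T23:10:00Z"},
    {"appDisplayName": "Never Used Connector", "appId": "00000000-0000-0000-0000-000000000004",
     "appRoles": ["Mail.Read"], "lastSignIn": None},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ('...Z'); None means the app never signed in."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_dormant_mail_apps(service_principals, now, dormant_days=90):
    """Return apps that hold mail-reading permissions but show no sign-in within dormant_days.

    An app that has never signed in is treated as dormant as well: an unused grant is
    still a usable grant for anyone who obtains the app's credentials.
    """
    cutoff = now - timedelta(days=dormant_days)
    findings = []
    for sp in service_principals:
        mail_perms = sorted(set(sp["appRoles"]) & MAIL_READ_SCOPES)
        if not mail_perms:
            continue  # no mailbox access, not in scope for this hunt
        last = parse_ts(sp.get("lastSignIn"))
        if last is None or last < cutoff:
            findings.append({
                "app": sp["appDisplayName"],
                "appId": sp["appId"],
                "mail_permissions": mail_perms,
                "last_sign_in": sp.get("lastSignIn"),
            })
    return findings


if __name__ == "__main__":
    # Evaluate the sample as of the day the article says the activity was reported.
    as_of = datetime(2020, 12, 15, tzinfo=timezone.utc)
    for f in find_dormant_mail_apps(SAMPLE_SERVICE_PRINCIPALS, as_of):
        print(f"REVIEW {f['app']} ({f['appId']}): {f['mail_permissions']}, "
              f"last sign-in {f['last_sign_in']}")
```

Each flagged app is a candidate for removing the consent grant or deleting the service principal; an app that legitimately needs mailbox access should show recent sign-ins, and one that does not should not keep the permission.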
Fortunately, Malwarebytes found no evidence of unauthorised access or compromise of its on-premises or production environments.