In a blog post, Malwarebytes' Marcin Kleczynski confirmed the existence of another intrusion vector, but did not say what it was, only that it worked using privileged access through Microsoft Office 365 and Azure environments.
He said Malwarebytes had been told by the Microsoft Security Response Center on 15 December about suspicious activity from a third-party application in its Microsoft Office 365 tenant.
"We immediately activated our incident response group and engaged Microsoft’s Detection and Response Team," Kleczynski wrote. "Together, we performed an extensive investigation of both our cloud and on-premises environments for any activity related to the API calls that triggered the initial alert."
"And to be clear, the application itself was not compromised. It was simply leveraged for email access purposes."
— Marcin Kleczynski (@mkleczynski) January 19, 2021
He was asked on Twitter whether this email product was Mimecast but replied in the negative. "A dormant email protection application was leveraged, one that we were trialing. Blog edited to clarify," he said.
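The pattern described here, a dormant third-party application whose mail-access API calls suddenly resume, is something a tenant's own audit logs can surface. The script below is an added example, not code from Malwarebytes or Microsoft: it scans constructed audit records (field names CreationTime, Operation, Workload and AppId are assumptions loosely modeled on the Microsoft 365 unified audit log) and flags any app identity whose mailbox access restarts after a long gap.

```python
"""Flag app identities whose Exchange mail access resumes after dormancy.

Added example (not Malwarebytes' or Microsoft's code). Records are
constructed; the field names are assumptions modeled on the Microsoft 365
unified audit log schema rather than copied from a real export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DORMANT_AFTER = timedelta(days=30)          # silence longer than this is "dormant"
MAIL_OPS = {"MailItemsAccessed", "Send", "SendAs"}  # Exchange operations of interest

# Constructed sample: "app-trial-000" is a trial app that went quiet in
# September and resumed reading mail in December; "app-active-111" is a
# normally active app with no long gap.
SAMPLE_LOG = [
    {"CreationTime": "2020-09-01T08:00:00", "Operation": "MailItemsAccessed",
     "Workload": "Exchange", "AppId": "app-trial-000"},
    {"CreationTime": "2020-09-02T08:00:00", "Operation": "MailItemsAccessed",
     "Workload": "Exchange", "AppId": "app-trial-000"},
    {"CreationTime": "2020-12-14T03:12:00", "Operation": "MailItemsAccessed",
     "Workload": "Exchange", "AppId": "app-trial-000"},
    {"CreationTime": "2020-12-14T03:13:00", "Operation": "MailItemsAccessed",
     "Workload": "Exchange", "AppId": "app-trial-000"},
    {"CreationTime": "2020-12-10T09:00:00", "Operation": "MailItemsAccessed",
     "Workload": "Exchange", "AppId": "app-active-111"},
    {"CreationTime": "2020-12-14T09:00:00", "Operation": "MailItemsAccessed",
     "Workload": "Exchange", "AppId": "app-active-111"},
]


def find_dormant_reactivations(records, dormant_after=DORMANT_AFTER):
    """Return {app_id: (gap_in_days, resumed_at_iso)} for each app whose
    mail-access activity restarted after a gap longer than dormant_after."""
    by_app = defaultdict(list)
    for rec in records:
        if rec["Workload"] == "Exchange" and rec["Operation"] in MAIL_OPS:
            by_app[rec["AppId"]].append(datetime.fromisoformat(rec["CreationTime"]))
    findings = {}
    for app_id, times in by_app.items():
        times.sort()
        for prev, cur in zip(times, times[1:]):
            gap = cur - prev
            if gap > dormant_after:
                # The first reactivation is what triage needs; later gaps are noise.
                findings[app_id] = (gap.days, cur.isoformat())
                break
    return findings


if __name__ == "__main__":
    for app_id, (days, when) in find_dormant_reactivations(SAMPLE_LOG).items():
        print(f"ALERT: {app_id} resumed mail access at {when} after {days} quiet days")
```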
Mimecast said on 13 January that it had been informed by Microsoft that a certificate it issued for authentication of Mimecast Sync and Recover, Continuity Monitor, and IEP products to Microsoft 365 Exchange Web Services had been compromised.
Kleczynski said due to the supply chain nature of the SolarWinds attack, and exercising caution, "we immediately performed a thorough investigation of all Malwarebytes source code, build and delivery processes, including reverse engineering our own software".
"Our internal systems showed no evidence of unauthorised access or compromise in any on-premises and production environments. Our software remains safe to use."