With the recent, high-profile cyber incidents involving FireEye and SolarWinds, Microsoft has shared information and issued guidance about increased activities from a sophisticated threat actor that is focused on high value targets such as government agencies and cybersecurity companies. It notes that while it isn’t sharing any details specific to individual organizations, it is important to share greater detail about some of the threat activity it has uncovered over the past weeks, along with guidance that security industry practitioners can use to find and mitigate potential malicious activity. Microsoft notes that while some elements aren’t present in every attack, they are generally part of the toolkit of the threat actor. These techniques include an attacker gaining a foothold in the network through malicious code and elevating credentials, using administrative permissions acquired through an on-premises compromise to gain access to an organization’s trusted SAML token- signing certificate, and adding their own credentials to existing application service principals, among other techniques and details. Microsoft adds it is also actively looking for indicators in the Microsoft environment and, to date, has not found evidence of a successful attack. Read the blog at Microsoft.