This post contains technical details about the methods of the actor we believe was involved in Recent Nation-State Cyber Attacks. This is a summary of techniques that are part of the toolkit of this actor. An intrusion through malicious code in the SolarWinds Orion product results in the attacker gaining a foothold in the network, which the attacker can use to gain elevated credentials. Anomalous logins using the SAML tokens created by the compromised token signing certificate can then be made against any on-premises resources (regardless of identity system or vendor).
Source: https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/

