In some of the attacks, the intruders combined the administrator privileges granted to SolarWinds with Microsoft’s Azure cloud platform – which stores customers’ data online – to forge authentication “tokens.” Those gave them far longer and wider access to emails and documents than many organizations thought was possible.

Hackers could then steal documents through Microsoft’s Office 365, the online version of its most popular business software, the NSA said on Thursday in an unusual technical public advisory. Also on Thursday, Microsoft announced it found malicious code in its systems.

A separate advisory issued by the U.S. Cybersecurity and Infrastructure Security Agency on Dec. 17 said that the SolarWinds software was not the only vehicle being used in the attacks and that the same group had likely used other methods to implant malware.

“This is powerful tradecraft, and needs to be understood to defend important networks,” Rob Joyce, a senior NSA cybersecurity adviser, said on Twitter.