Analysis of active exploitation of SolarWinds Web Help Desk

ID: 3992c6bc-2187-5f53-94cf-eadf64497fe8

STIX ID: report--3992c6bc-2187-5f53-94cf-eadf64497fe8

Feed Name: Microsoft Security

Threat Score: 85/100

Date Published: 2026-02-07

Date Updated: 2026-04-28

Author: Microsoft Defender Security Research Team

...
...

Microsoft Defender observed an active campaign exploiting internet-exposed SolarWinds Web Help Desk (WHD) instances to achieve unauthenticated remote code execution (RCE), deploy payloads (including abused remote monitoring and management (RMM) tooling), and perform lateral movement and credential theft (LSASS access and DCSync). The report provides technical details, detections, KQL hunting queries, and mitigation guidance: patching WHD, removing unauthorized RMM artifacts, rotating credentials, and isolating affected hosts.