The Cybersecurity and Infrastructure Security Agency says it has evidence that hackers are breaching the federal government's networks by other paths than the recently discovered vulnerabilities in SolarWinds Orion. "Specifically, we are investigating incidents in which activity indicating abuse of Security Assertion Markup Language (SAML) tokens consistent with this adversary's behavior is present, yet where impacted SolarWinds instances have not been identified," according to updated guidance published Wednesday. "CISA is continuing to work to confirm initial access vectors and identify any changes to the tactics, techniques, and procedures (TTPs)." Characteristics such as a SAML tokens having a 24-hour validity periods or not containing multi-factor authentication details where expected are red flags.