"CISA has evidence of additional initial access vectors, other than the SolarWinds Orion platform; however, these are still being investigated. CISA will update this Alert as new information becomes available," the agency said in the report. The agency is investigating incidents where victims were compromised in the same campaign but without the malicious Orion code. They also point to security vendor Volexity's report of a think tank that was compromised via an attack that bypassed Duo and other multifactor authentication to reach its Outlook Web App. "Volexity attributes this intrusion to the same activity as the SolarWinds Orion supply chain compromise, and the TTPs are consistent between the two. This observation indicates that there are other initial access vectors beyond SolarWinds Orion, and there may still be others that are not yet known," CISA said.