we are currently investigating in an attack which happened today morning to ona demo site.
It also infected Hummingbird and other files - about 3 - 5 pm GMT +7.
Defender did NOT detect those activities and also not report the accesses. Suggestion for the devs. Please add a way to send a report of the audit file immediately which makes investigation much easier - one day is simply to long as shortest period when serious attacks happen!
The attackers were able to upload and unzip files and execute them as they disabled somehow the setting that php files can't be executed which had been set by defender previously.
Besides inserting files into the main directory of that WordPress site they placed files in several other locations, most with cryptic text and code.
They also went into the .well-known folder of let's encrypt and placed a copy of xml_rpc.class.php here plus a .htaccess and an index file.
The defender log shows login failures for a user named phuket, test, and some other usernames over a longer period of time yesterday evening and today morning until now.
They placed files in wp-content folder and modified the .htaccess with a rewrite rule. Additionally, they went deeper the folder structure and placed similar files often with very common and harmless looking names in subfolders incl. hummingbird and favicon file.
... got affected too.