This is a frustratingly vague and meandering disclosure. So someone breached an “email protection product” with access to Malwarebytes’ Office 365 environment, and in doing so they used an administrative credential that was also used by the SolarWinds actor, therefore Microsoft concludes it’s the same actor? Is that it?

Of course. The link is visible with the naked eye. /s

If they use solar winds products they have bigger problems.