A global cyber-attack that affected companies around the world may have started via corrupted updates on a piece of accountancy software.
Fingers are increasingly pointing to a piece of Ukrainian tax-filing software, MEDoc, as the source of the infection, although the company denies it.
A growing number of security experts, including the British malware expert Marcus Hutchins - credited with ending the WannaCry ransomware outbreak - claim to have logs that reveal MEDoc as the source.
In email correspondence with the BBC, Mr Hutchins said: "It looks like the software's automatic update system was compromised and used to download and run malware rather than updates for the software."
It was not yet clear how it had been compromised, he added.
MEDoc has denied the claims, in a Facebook post - but in a blog post analysing how the infection had taken hold on Windows machines, Microsoft also points the finger at the accounting software: "Active infections of the ransomware initially started from the legitimate MEDoc update process," it writes.
Alan Woodward, a computer scientist from the University of Surrey, said: "The ironic thing about this situation (if it proves to be the case) is that we always advise users to keep their software up to date, ideally using automated updates. However, it assumes hackers can't take over the update process and misuse it."
Most security experts agree that the virus, thought to be a new variant of the Petya ransomware, was spread using a Windows vulnerability known as Eternal Blue, discovered by the National Security Agency and leaked online.
Mr Hypponen told the BBC that it was "completely clear" that hackers in both WannaCry and Petya outbreaks had used the NSA exploit.
The fact that it had now been leaked and was being used by criminal or political hackers was "a nightmare scenario" for the intelligence agency, he said: "It chose to use the exploit, not tell Microsoft about it and weaponise it, and now it has been leaked, made public and used in an attack," he said.