TheCyberExpress

Microsoft Exposes Storm-2949 Azure And M365 Breach


Microsoft Threat Intelligence has disclosed details of a cyberattack carried out by a threat actor tracked as Storm-2949, which escalated from a targeted identity compromise into a large-scale breach of cloud infrastructure and sensitive enterprise systems. The campaign focused heavily on data theft from Microsoft 365 services, Azure-hosted production environments, and cloud storage resources, demonstrating how compromised identities can become gateways to an organization’s entire cloud ecosystem.

According to Microsoft, the attack unfolded in two primary stages: an initial identity compromise phase followed by a broader cloud infrastructure takeover. Rather than deploying traditional malware or relying on conventional on-premises attack methods, the attackers abused legitimate cloud administration tools and Azure management features to blend into normal activity while gaining access to high-value systems. 

Attackers Abused MFA Reset Processes to Hijack High-Privilege Accounts 

The attackers first targeted employees through social engineering techniques linked to Microsoft’s Self-Service Password Reset (SSPR) process. Investigators believe Storm-2949 impersonated internal IT support personnel and persuaded victims to approve multifactor authentication (MFA) requests under the guise of routine account verification or password reset procedures. 

Once a targeted user approved the MFA prompts, the attackers reset the account password and removed the existing authentication methods, including phone numbers, email addresses, and Microsoft Authenticator registrations. This effectively neutralized MFA protections and locked legitimate users out of their accounts. The attackers then registered their own devices for Microsoft Authenticator access, ensuring persistent control over the compromised accounts. 

Microsoft said the group repeated this process against multiple employees, including IT staff and senior leadership personnel, indicating deliberate targeting of users with elevated access privileges. 
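The takeover sequence described above (self-service reset, removal of the victim's registered methods, registration of an attacker-controlled method) leaves a distinctive trail in the Entra ID audit log. The following is an added example of a correlation check over such records; it is not Microsoft's detection logic. The record layout and the activity-name strings are assumptions modelled on Entra ID audit log exports, and the sample records are constructed.

```python
"""Flag the SSPR/MFA account-takeover sequence in Entra ID audit records.

Added example (not Microsoft's detection logic).  The record layout and the
activity names are constructed to resemble Entra ID audit log exports and
are assumptions; the sample records below are constructed, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed activity names, modelled on Entra ID audit log activityDisplayName values.
RESET_PASSWORD = "Reset password (self-service)"
DELETE_METHOD = "User deleted security info"
REGISTER_METHOD = "User registered security info"

# A reset, removal of existing methods and a fresh registration all inside
# this window is the takeover pattern; a user swapping one phone number is not.
WINDOW = timedelta(minutes=30)

# Constructed sample: (timestamp, target user, activity, detail)
SAMPLE_EVENTS = [
    ("2025-01-10T09:00:00", "alice@example.test", RESET_PASSWORD, "SSPR completed"),
    ("2025-01-10T09:01:10", "alice@example.test", DELETE_METHOD, "phone sign-in removed"),
    ("2025-01-10T09:01:40", "alice@example.test", DELETE_METHOD, "email method removed"),
    ("2025-01-10T09:03:05", "alice@example.test", REGISTER_METHOD, "Authenticator app registered"),
    # Benign: bob swaps a phone number; there is no password reset in the window.
    ("2025-01-10T11:00:00", "bob@example.test", DELETE_METHOD, "phone method removed"),
    ("2025-01-10T11:00:30", "bob@example.test", REGISTER_METHOD, "phone method registered"),
]

TAKEOVER_SET = {RESET_PASSWORD, DELETE_METHOD, REGISTER_METHOD}


def find_takeover_sequences(events, window=WINDOW):
    """Return one alert per user whose audit trail contains all three
    activities inside `window`, anchored on the earliest event of the run."""
    by_user = defaultdict(list)
    for ts, user, activity, detail in events:
        by_user[user].append((datetime.fromisoformat(ts), activity, detail))

    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[0])
        for i, (t0, _, _) in enumerate(evs):
            span = [e for e in evs[i:] if e[0] - t0 <= window]
            if TAKEOVER_SET <= {a for _, a, _ in span}:
                alerts.append({
                    "user": user,
                    "start": t0.isoformat(),
                    "end": span[-1][0].isoformat(),
                    "activities": [a for _, a, _ in span],
                })
                break  # one alert per user; analysts pull the full trail from there
    return alerts


if __name__ == "__main__":
    for alert in find_takeover_sequences(SAMPLE_EVENTS):
        print(f"{alert['user']}: {alert['start']} .. {alert['end']}")
        for activity in alert["activities"]:
            print("   ", activity)
```

The check deliberately requires all three activity types: removing and re-adding a method on its own is routine, and alerting on it alone would drown the signal. Requiring the self-service reset in the same window keeps the rule tied to the SSPR abuse the report describes.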

After gaining access, Storm-2949 began conducting directory discovery operations using Microsoft Graph API queries executed through a custom Python script. The attackers enumerated users, applications, and service principals within the Microsoft Entra ID tenant to identify privileged accounts and map potential paths for expanding access. 


The attackers also attempted to establish persistence by adding credentials to a compromised service principal, though this effort reportedly failed because of insufficient permissions. Despite that setback, they continued probing service principals and application identifiers to identify additional long-term access opportunities. 

The campaign quickly expanded into Microsoft 365 services such as OneDrive and SharePoint. Microsoft said the attackers focused particularly on sensitive IT-related documents involving VPN configurations and remote access procedures, suggesting they were searching for methods to move laterally into other environments. 

In one instance, Storm-2949 used the OneDrive web interface to download thousands of files in a single operation. Similar exfiltration activity occurred across multiple compromised accounts, likely because each user account had access to different shared folders and repositories. 

Azure Key Vaults, SQL Servers, and Storage Accounts Became Primary Targets 

With several compromised identities under their control, the attackers shifted attention to Azure subscriptions connected to the organization’s production environment. The accounts they compromised reportedly possessed privileged custom Azure role-based access control (RBAC) permissions, enabling broader access to Azure services and infrastructure. 
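The privileged custom RBAC roles are what turned stolen identities into infrastructure access, and wildcard grants are the usual way such roles become broader than intended. The following is an added example of a role-definition linter, not Microsoft tooling: it expands a custom role's Actions and NotActions the way Azure RBAC does (case-insensitive, `*` matching any run of characters, NotActions subtracted from Actions) and reports which sensitive operations the role effectively allows and which grant is responsible. The sensitive-operation list combines the operations named later in this report with two VM operations I added, and the sample role is constructed.

```python
"""Lint a custom Azure role definition for credential-exposing actions.

Added example, not Microsoft tooling.  Matching follows Azure RBAC's
documented behaviour (case-insensitive, '*' wildcard, NotActions subtract
from Actions).  The sensitive list combines operations from the write-up
with VM extension / Run Command operations that I added; the sample role
is constructed.
"""
import re

# Operations that hand out credentials or open network paths.  The first
# four are named in the write-up; the Compute ones are my addition.
SENSITIVE_OPERATIONS = [
    "Microsoft.Web/sites/publishxml/action",
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Storage/storageAccounts/write",
    "Microsoft.Sql/servers/firewallRules/write",
    "Microsoft.Compute/virtualMachines/extensions/write",
    "Microsoft.Compute/virtualMachines/runCommand/action",
]

# Constructed sample: a "convenience" role that looks narrow but is not.
SAMPLE_ROLE = {
    "Name": "App Operator (constructed)",
    "Actions": [
        "Microsoft.Web/sites/*",
        "Microsoft.Storage/storageAccounts/read",
        "Microsoft.Storage/storageAccounts/listKeys/action",
        "Microsoft.Sql/servers/*/write",
    ],
    "NotActions": ["Microsoft.Web/sites/delete"],
}


def _pattern(action):
    """Compile an RBAC action string into a regex; '*' is the only wildcard."""
    return re.compile("^" + re.escape(action).replace(r"\*", ".*") + "$", re.IGNORECASE)


def is_permitted(role_def, operation):
    """Effective permission = some Actions entry matches and no NotActions entry does."""
    allowed = any(_pattern(a).match(operation) for a in role_def.get("Actions", []))
    denied = any(_pattern(a).match(operation) for a in role_def.get("NotActions", []))
    return allowed and not denied


def sensitive_grants(role_def, sensitive=SENSITIVE_OPERATIONS):
    """Return (operation, [granting action strings]) for every sensitive
    operation the role effectively allows, so reviewers see which wildcard
    is responsible."""
    findings = []
    for op in sensitive:
        if is_permitted(role_def, op):
            granting = [a for a in role_def["Actions"] if _pattern(a).match(op)]
            findings.append((op, granting))
    return findings


if __name__ == "__main__":
    for op, via in sensitive_grants(SAMPLE_ROLE):
        print(f"{SAMPLE_ROLE['Name']}: allows {op}  (via {', '.join(via)})")
```

Run against the sample role, the linter shows that `Microsoft.Web/sites/*` silently includes the publishing-profile read and that `Microsoft.Sql/servers/*/write` includes firewall-rule writes, even though neither appears in the role text. The remediation is to replace the wildcards with the explicit operations the role's users need, or to list the sensitive operations under NotActions.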

Microsoft said the attackers targeted Azure App Services, Key Vaults, Storage accounts, SQL databases, and virtual machines. One of their key objectives involved compromising a production Azure App Service web application that contained sensitive data. 

After several failed attempts to directly access the primary application due to network and gateway restrictions, the attackers pivoted to secondary applications within the same ecosystem, including authentication services and internal APIs. Using privileged Azure RBAC permissions, they exploited the “microsoft.Web/sites/publishxml/action” management-plane operation to retrieve publishing profiles containing deployment credentials for services such as FTP, Web Deploy, and the Kudu management console. 

Kudu, an administrative interface for Azure App Services, enabled the attackers to inspect environment variables, browse application files, and execute commands within compromised applications. However, Microsoft noted that the secondary services did not provide the level of access or sensitive information the attackers ultimately sought. 

Storm-2949 then redirected its efforts toward Azure Key Vault resources. One compromised account held the Owner role over a Key Vault believed to contain credentials linked to the primary production application. Within a four-minute period, the attackers altered Key Vault access settings and accessed dozens of secrets, including database connection strings and identity credentials. 

Microsoft believes these secrets ultimately enabled access to the main production web application. After authenticating successfully, the attackers changed the application password to maintain control and began exfiltrating sensitive data. 

The campaign also involved attacks against Azure SQL servers and Storage accounts. To gain access to SQL infrastructure, the attackers modified firewall rules through the “microsoft.sql/servers/firewallrules/write” operation, then connected using credentials retrieved from the compromised Key Vault. Once data exfiltration was completed, the altered firewall rules were deleted in what Microsoft described as a defense-evasion tactic. 

Similarly, the attackers manipulated Azure Storage account network access configurations through the “microsoft.storage/storageaccounts/write” operation, enabling public access from attacker-controlled IP addresses. They also used the “microsoft.Storage/storageAccounts/listkeys/action” operation to retrieve storage account keys and Shared Access Signature (SAS) tokens. 

Using a custom Python script built on the Azure Storage SDK, Storm-2949 downloaded large volumes of data directly from Azure Storage accounts over several days. Microsoft said the attackers alternated between OAuth-based authentication and secret-based authentication methods as defensive controls evolved. 

Microsoft Says Cloud Management Features Were Weaponized for Stealthy Data Exfiltration 

Virtual machines also became a target. The attackers abused Azure VM extensions, including VMAccess and Run Command, to establish administrator-level access on compromised systems. By deploying the VMAccess extension, they created new local administrator accounts on targeted VMs. 

The attackers also attempted to exploit managed identities assigned to virtual machines by requesting access tokens from the Azure Instance Metadata Service (IMDS). They then tried using those tokens to access production-related Key Vaults, though Microsoft said these attempts failed because the managed identities lacked sufficient permissions. 
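Every management-plane step in the preceding paragraphs, from the publishing-profile read through the firewall-rule write-and-delete, the storage key retrieval, the burst of Key Vault secret reads and the VM extension deployments, is logged with a caller and an operation name. The following is an added example of correlating such records into the three patterns the report describes (sensitive operations, a firewall rule written and then removed, and many secret reads from one vault in a short window); it is not Microsoft's detection content. The records are constructed to resemble Azure Activity Log entries plus Key Vault diagnostic reads; the field layout, the firewall-rule delete and `SecretGet` operation names, and the VM extension and Run Command operation names are assumptions.

```python
"""Correlate Azure management-plane events into the patterns described above.

Added example, not Microsoft's detection content.  Records are constructed to
resemble Azure Activity Log entries (plus Key Vault diagnostic reads); the
field layout, the firewall-rule delete and SecretGet operation names, and the
VM extension / Run Command names are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Operations from the write-up (lower-cased; Azure operation names are
# case-insensitive) plus VM extension and Run Command operations (assumed names).
SENSITIVE_OPS = {
    "microsoft.web/sites/publishxml/action": "publishing profile with deployment credentials read",
    "microsoft.storage/storageaccounts/listkeys/action": "storage account keys read",
    "microsoft.storage/storageaccounts/write": "storage account network settings written",
    "microsoft.sql/servers/firewallrules/write": "SQL server firewall rule written",
    "microsoft.compute/virtualmachines/extensions/write": "VM extension deployed",
    "microsoft.compute/virtualmachines/runcommand/action": "Run Command executed",
}
FIREWALL_WRITE = "microsoft.sql/servers/firewallrules/write"
FIREWALL_DELETE = "microsoft.sql/servers/firewallrules/delete"  # assumed name
SECRET_GET = "secretget"                                         # Key Vault data-plane read, assumed name

EVASION_WINDOW = timedelta(hours=2)         # rule written, used, then removed
SECRET_BURST_WINDOW = timedelta(minutes=4)  # the four-minute figure from the write-up
SECRET_BURST_COUNT = 10

CALLER = "svc-admin@example.test"
# Constructed sample: (timestamp, caller, operationName, resourceId)
SAMPLE_LOG = [
    ("2025-01-10T10:00:00", CALLER, "Microsoft.Web/sites/publishxml/action", "/sites/auth-api"),
    ("2025-01-10T10:20:00", CALLER, "Microsoft.Sql/servers/firewallRules/write", "/servers/prod-sql/firewallRules/tmp"),
    ("2025-01-10T10:50:00", CALLER, "Microsoft.Sql/servers/firewallRules/delete", "/servers/prod-sql/firewallRules/tmp"),
    ("2025-01-10T11:00:00", CALLER, "Microsoft.Storage/storageAccounts/listKeys/action", "/storageAccounts/prodfiles"),
    ("2025-01-10T11:05:00", "deploy@example.test", "Microsoft.Web/sites/read", "/sites/auth-api"),  # benign
] + [
    # twelve secret reads, 15 seconds apart, from one vault
    ((datetime(2025, 1, 10, 10, 5) + timedelta(seconds=15 * i)).isoformat(), CALLER, "SecretGet", "/vaults/prod-kv")
    for i in range(12)
]


def _parse(records):
    """Normalise to (datetime, caller, lower-cased operation, resource), time-ordered."""
    return sorted((datetime.fromisoformat(ts), caller, op.lower(), res) for ts, caller, op, res in records)


def flag_sensitive_operations(records):
    return [(caller, f"{SENSITIVE_OPS[op]} on {res}")
            for _, caller, op, res in _parse(records) if op in SENSITIVE_OPS]


def flag_write_then_delete(records, window=EVASION_WINDOW):
    """Firewall rule created and removed by the same caller within `window`."""
    writes, hits = defaultdict(list), []
    for t, caller, op, res in _parse(records):
        if op == FIREWALL_WRITE:
            writes[(caller, res)].append(t)
        elif op == FIREWALL_DELETE and any(t - w <= window for w in writes[(caller, res)]):
            hits.append((caller, f"firewall rule {res} written and removed within {window}"))
    return hits


def flag_secret_bursts(records, window=SECRET_BURST_WINDOW, count=SECRET_BURST_COUNT):
    """At least `count` secret reads from one vault by one caller inside `window`."""
    reads = defaultdict(list)
    for t, caller, op, res in _parse(records):
        if op == SECRET_GET:
            reads[(caller, res)].append(t)
    hits = []
    for (caller, res), times in reads.items():
        for i in range(len(times) - count + 1):
            if times[i + count - 1] - times[i] <= window:
                hits.append((caller, f"{len(times)} secret reads from {res}, {count} within {window}"))
                break
    return hits


def analyze(records):
    return ([("sensitive-operation",) + h for h in flag_sensitive_operations(records)]
            + [("firewall-write-then-delete",) + h for h in flag_write_then_delete(records)]
            + [("keyvault-secret-burst",) + h for h in flag_secret_bursts(records)])


if __name__ == "__main__":
    for rule, caller, detail in analyze(SAMPLE_LOG):
        print(f"[{rule}] {caller}: {detail}")
```

The write-then-delete rule matters because the delete is the evasion step: by the time a reviewer looks at the firewall, the rule is gone, and only the activity log pair shows that a path was opened. In production the same correlation is normally expressed as a KQL query over the Activity Log and Key Vault diagnostic tables; the Python keeps the logic visible and testable.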

Additional Run Command activity involved deploying PowerShell scripts designed to disable Microsoft Defender Antivirus protections, including real-time monitoring and behavior-based detection. The scripts also attempted to interfere with security services, clear Windows event logs, erase command histories, and remove temporary files to reduce forensic visibility. 

Microsoft said the attackers installed ScreenConnect remote management software from infrastructure under their control and disguised the installation to resemble legitimate Windows software updates. The malicious service was renamed to mimic authentic Windows components in an effort to avoid detection. 

The attackers later used ScreenConnect to perform reconnaissance activities across compromised systems, including collecting host configuration data, enumerating users and groups, searching for exposed credentials, and exfiltrating .pfx certificate files that may have contained private keys useful for future access. 
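The endpoint phase described above (Defender features switched off, event logs and command histories cleared, a remote-management service renamed to look like a Windows component) is visible in ordinary process-creation and service-install telemetry. The following is an added example of a triage pass over such events, not Microsoft's detection content. The events are constructed to resemble Sysmon-style records; the field names and the ScreenConnect binary name are assumptions.

```python
"""Triage endpoint telemetry for the tampering and masquerading described above.

Added example, not Microsoft's detection content.  Events are constructed to
resemble Sysmon-style process-creation and service-install records; field
names and the ScreenConnect binary name are assumptions.
"""
import re

# Command-line patterns for the behaviours the write-up describes:
# disabling Defender features, clearing event logs, wiping command history.
COMMAND_RULES = [
    ("defender-tampering", re.compile(r"Set-MpPreference\b.*-Disable\w+", re.I)),
    ("event-log-clearing", re.compile(r"\bwevtutil(\.exe)?\s+cl\b|\bClear-EventLog\b", re.I)),
    ("history-wiping", re.compile(r"\bClear-History\b|ConsoleHost_history", re.I)),
]

# A service whose binary is a known RMM tool but whose name hides that fact.
RMM_MARKERS = ("screenconnect", "connectwise")

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WEVTUTIL = r"C:\Windows\System32\wevtutil.exe"

# Constructed sample events.
SAMPLE_EVENTS = [
    {"ts": "2025-01-11T02:10:03", "host": "vm-web-01", "event": "process_create", "image": PS,
     "command_line": 'powershell.exe -NoProfile -Command "Set-MpPreference -DisableRealtimeMonitoring $true"'},
    {"ts": "2025-01-11T02:10:09", "host": "vm-web-01", "event": "process_create", "image": WEVTUTIL,
     "command_line": "wevtutil.exe cl Security"},
    {"ts": "2025-01-11T02:10:15", "host": "vm-web-01", "event": "process_create", "image": PS,
     "command_line": 'powershell.exe -Command "Clear-History"'},
    {"ts": "2025-01-11T02:12:40", "host": "vm-web-01", "event": "service_install",
     "service_name": "WindowsUpdateHelper",
     "image_path": r"C:\ProgramData\WinUpd\ScreenConnect.ClientService.exe"},
    # Benign: a read-only Defender query, an event-log query, and a service that says what it is.
    {"ts": "2025-01-11T08:00:00", "host": "vm-web-02", "event": "process_create", "image": PS,
     "command_line": 'powershell.exe -Command "Get-MpPreference"'},
    {"ts": "2025-01-11T08:00:05", "host": "vm-web-02", "event": "process_create", "image": WEVTUTIL,
     "command_line": "wevtutil.exe qe Security /c:5"},
    {"ts": "2025-01-11T08:05:00", "host": "vm-web-02", "event": "service_install",
     "service_name": "ScreenConnect Client (helpdesk)",
     "image_path": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"},
]


def check_process(event):
    """Return (rule, host, command line) for every command-line rule that fires."""
    return [(rule, event["host"], event["command_line"])
            for rule, rx in COMMAND_RULES if rx.search(event["command_line"])]


def check_service(event):
    """Flag a service whose binary path names an RMM tool but whose service name does not."""
    name, path = event["service_name"].lower(), event["image_path"].lower()
    if any(m in path for m in RMM_MARKERS) and not any(m in name for m in RMM_MARKERS):
        return [("rmm-masquerade", event["host"], f"{event['service_name']} -> {event['image_path']}")]
    return []


def triage(events):
    alerts = []
    for ev in events:
        if ev["event"] == "process_create":
            alerts.extend(check_process(ev))
        elif ev["event"] == "service_install":
            alerts.extend(check_service(ev))
    return alerts


if __name__ == "__main__":
    for rule, host, evidence in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {evidence}")
```

Because Run Command executions also appear in the Azure activity log, pairing these host-side alerts with the `runCommand/action` record that launched the script is what links the endpoint tampering back to the compromised cloud identity, which is the cross-plane correlation the report highlights.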

Despite extensive activity on endpoint systems, investigators found limited evidence that Storm-2949 successfully obtained high-value endpoint data. Microsoft said the endpoint compromises primarily served operational purposes such as credential harvesting, reconnaissance, and expanding access throughout the victim’s environment. 

Throughout the intrusion, Microsoft Defender generated multiple alerts that enabled analysts to correlate cloud, identity, and endpoint telemetry into a unified investigation. Microsoft said the incident demonstrates the growing importance of integrated detection and response capabilities as attackers target cloud identities and management planes instead of relying solely on traditional endpoint-focused attacks. 
