
Microsoft Self-Service Password Reset abused in Azure data theft attacks

A threat actor tracked as Storm-2949 is accused of chaining a Microsoft Entra ID credential theft scheme—by abusing Self-Service Password Reset and tricking privileged users into approving MFA—into large-scale data theft across Microsoft 365 and production Azu

For an intruder, the most dangerous trick isn’t breaking a password—it’s getting a trusted person to reset it.

Microsoft says a threat actor targeting Microsoft 365 and Azure production environments is stealing data by abusing legitimate application and administration features. The actor, tracked as Storm-2949, is described by Microsoft as using social engineering to obtain credentials and then move deeper into a victim’s cloud environment.

Microsoft describes the actor’s aim bluntly: to “exfiltrate as much sensitive data from a target organization’s high-value assets as possible.” Storm-2949 focused on users with privileged roles, including IT personnel and members of senior leadership, using those positions to reach Microsoft Entra ID credentials that then opened the door to Microsoft 365 applications.

Microsoft believes the key entry point was the Self-Service Password Reset (SSPR) flow. In the scenario Microsoft described, an attacker initiates a password reset for a targeted employee’s account and then tricks the victim into approving multi-factor authentication (MFA) prompts. To make the ruse credible, the attacker poses as an IT support employee asking for urgent account verification.

Once the victim approves, Microsoft says the attacker reset the password, removed MFA controls, and enrolled Microsoft Authenticator on their own device. From there, the breach became less about access and more about reach.
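The chain described above leaves a recognisable footprint in the Entra ID audit log: a self-service reset, then removal of an MFA method, then registration of a new one, all from an address the account has never used. The following is an added example (not Microsoft's detection logic) that correlates such records; the activity names are assumed to match the Entra audit-log display names, and the events are constructed.

```python
"""Correlate Entra ID audit-log style records to flag the SSPR takeover chain: a
self-service reset followed within a short window by removal of an MFA method and
registration of a new one from an IP the account never used. Added example, not
Microsoft's detection; activity names are assumed to match Entra audit display names."""
from collections import defaultdict
from datetime import datetime, timedelta

SSPR_RESET = "Reset password (self-service)"
MFA_REMOVED = "User deleted security info"
MFA_ADDED = "User registered security info"
WINDOW = timedelta(minutes=30)

def find_sspr_takeovers(events, window=WINDOW):
    """Return one alert per suspicious reset. Each event is a dict with an
    ISO-8601 'time', the target 'user', the 'activity' name and the initiating 'ip'."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        known_ips = set()  # addresses this account has been seen from so far
        for i, e in enumerate(evs):
            if e["activity"] != SSPR_RESET:
                known_ips.add(e["ip"])
                continue
            deadline = datetime.fromisoformat(e["time"]) + window
            follow = [f for f in evs[i + 1:] if datetime.fromisoformat(f["time"]) <= deadline]
            removed = any(f["activity"] == MFA_REMOVED for f in follow)
            new_reg = [f for f in follow if f["activity"] == MFA_ADDED and f["ip"] not in known_ips]
            if removed and new_reg:
                alerts.append({"user": user, "reset_at": e["time"], "new_ip": new_reg[0]["ip"]})
            # The reset's own IP becomes "known" only after the check, so an
            # attacker-initiated reset cannot vouch for its own address.
            known_ips.add(e["ip"])
    return alerts

# Constructed sample: alice's original enrolment and a routine reset from her usual
# address, then the hostile chain from 203.0.113.10; bob's reset has no MFA removal.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:00:00", "user": "alice@contoso.example", "activity": MFA_ADDED, "ip": "198.51.100.5"},
    {"time": "2024-05-01T09:00:00", "user": "alice@contoso.example", "activity": SSPR_RESET, "ip": "198.51.100.5"},
    {"time": "2024-05-01T09:02:00", "user": "alice@contoso.example", "activity": MFA_ADDED, "ip": "198.51.100.5"},
    {"time": "2024-05-02T10:00:00", "user": "alice@contoso.example", "activity": SSPR_RESET, "ip": "203.0.113.10"},
    {"time": "2024-05-02T10:04:00", "user": "alice@contoso.example", "activity": MFA_REMOVED, "ip": "203.0.113.10"},
    {"time": "2024-05-02T10:06:00", "user": "alice@contoso.example", "activity": MFA_ADDED, "ip": "203.0.113.10"},
    {"time": "2024-05-02T11:00:00", "user": "bob@contoso.example", "activity": SSPR_RESET, "ip": "192.0.2.77"},
    {"time": "2024-05-02T11:03:00", "user": "bob@contoso.example", "activity": MFA_ADDED, "ip": "192.0.2.77"},
]
```

Running `find_sspr_takeovers(SAMPLE_EVENTS)` flags only alice's second reset; her routine reset and bob's registration without a preceding MFA removal are left alone.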

After hijacking accounts, Storm-2949 used the Microsoft Graph API and custom Python scripts to enumerate users, roles, applications, and service principals—and to check where long-term persistence might be possible.

Then the attacker moved into Microsoft 365, using OneDrive and SharePoint to search for VPN configurations and IT operational files—material that could support movement from the cloud into an endpoint network. In one instance, Microsoft says Storm-2949 used the OneDrive web interface to download thousands of files in a single action to the attacker’s own infrastructure.

Microsoft adds that this data-theft pattern repeated across all compromised user accounts. The reason, Microsoft says, was practical: different identities had access to different folders and shared directories.

From Microsoft 365, Storm-2949 expanded into the victim’s Azure infrastructure, targeting virtual machines, storage accounts, key vaults, app services, and SQL databases.


In Azure, Microsoft says the attacker compromised multiple identities that had privileged custom Azure role-based access control (RBAC) roles on multiple Azure subscriptions. With those permissions, the attacker was able to “uncover and extract the most sensitive assets within the victim’s Azure environment, specifically from production-based Azure subscriptions.”

Those same RBAC privileges also let Storm-2949 obtain credentials to deploy FTP, Web Deploy, and the Kudu console to manage Azure App Service. From that foothold, Microsoft says the actor could browse the file system, check environment variables, and execute commands remotely within the app’s context.

Next came Azure Key Vault. Microsoft says Storm-2949 modified access settings and stole dozens of secrets, including database credentials and connection strings.

The attacker also targeted Azure SQL servers and Storage accounts by changing firewall and network access rules, retrieving storage keys and SAS tokens, and exfiltrating data using custom Python scripts.

Inside Azure VM management, Microsoft says Storm-2949 abused features such as VMAccess and Run Command to create rogue administrator accounts, execute remote scripts, and steal credentials.


In the later stages, Microsoft reports that Storm-2949 deployed the ScreenConnect remote access tool on compromised systems, attempted to disable Microsoft Defender protections, and wiped forensic evidence.

There’s a hard-earned logic to the sequence Microsoft lays out: the intrusion begins with a seemingly routine password reset process, then turns into credential capture, cloud-wide discovery, and finally extraction of high-value production assets—secrets, keys, tokens, and operational files.

To be clear, Microsoft notes that it uses “Storm” as a temporary designation for threat activity that has yet to be classified because it is new, emerging, or developing.

Microsoft’s recommended defenses are aimed at breaking the chain early and limiting what attackers can do once they have access. For general protection against Storm-2949, the company advises adopting the principle of least privilege, enabling conditional access policies, adding MFA protection for all users, and ensuring phishing-resistant MFA for users with privileged roles such as administrators.

For cloud-specific protection, Microsoft says organizations should limit Azure RBAC permissions, keep Azure Key Vault logs up to a year, reduce access to Key Vault, restrict public access to Key Vaults, use data protection options in Azure Storage, and monitor for high-risk Azure management operations.
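Three of the Key Vault recommendations above (restrict public access, reduce access, retain logs for a year) can be checked mechanically against a vault's ARM properties and its diagnostic settings. The code below is an added example, not Microsoft's tooling; the property names follow the Microsoft.KeyVault/vaults and diagnostic-settings ARM schemas as I know them and should be treated as assumptions, and the before/after vault definitions are constructed.

```python
"""Assess one Key Vault against the hardening points above: restrict public
access, reduce who can reach it, and keep audit logs for a year. Added example,
not Microsoft's tooling; property names follow the Microsoft.KeyVault/vaults and
diagnostic-settings ARM schemas as I know them and should be treated as assumptions."""

MIN_RETENTION_DAYS = 365
MAX_ACCESS_POLICIES = 3   # assumed organisational ceiling for legacy access policies

def assess_vault(vault, diagnostic_settings, max_policies=MAX_ACCESS_POLICIES):
    """Return a list of findings; an empty list means every check passed."""
    p = vault.get("properties", {})
    findings = []
    # 1. Public exposure: the network switch and the firewall default both matter.
    if p.get("publicNetworkAccess", "Enabled").lower() != "disabled":
        findings.append("publicNetworkAccess is not Disabled")
    if p.get("networkAcls", {}).get("defaultAction", "Allow").lower() != "deny":
        findings.append("networkAcls.defaultAction is Allow, so no allow-list is enforced")
    # 2. Reduced access: legacy access policies hand whole permission sets to each
    #    principal; RBAC authorization lets roles be scoped per secret instead.
    policies = p.get("accessPolicies", [])
    if not p.get("enableRbacAuthorization", False) and len(policies) > max_policies:
        findings.append(f"{len(policies)} legacy access policies exceed the ceiling of {max_policies}")
    # 3. AuditEvent logs (the category that records secret reads and policy changes)
    #    must be on and kept for a year. Retention here is the storage-destination
    #    retentionPolicy; workspace destinations inherit workspace retention (assumption).
    retained = 0
    for ds in diagnostic_settings:
        for log in ds.get("logs", []):
            if log.get("category") == "AuditEvent" and log.get("enabled"):
                retained = max(retained, log.get("retentionPolicy", {}).get("days", 0))
    if retained < MIN_RETENTION_DAYS:
        findings.append(f"AuditEvent retention is {retained} days, below {MIN_RETENTION_DAYS}")
    return findings

# Constructed before/after pair: the weak vault is reachable from any network, grants
# seven principals via legacy policies and keeps 30 days of logs; the hardened one closes each gap.
WEAK_VAULT = {"name": "kv-prod-weak", "properties": {
    "publicNetworkAccess": "Enabled", "networkAcls": {"defaultAction": "Allow"},
    "enableRbacAuthorization": False,
    "accessPolicies": [{"objectId": f"principal-{i}"} for i in range(7)]}}
WEAK_DIAG = [{"logs": [{"category": "AuditEvent", "enabled": True, "retentionPolicy": {"days": 30}}]}]
HARDENED_VAULT = {"name": "kv-prod", "properties": {
    "publicNetworkAccess": "Disabled", "networkAcls": {"defaultAction": "Deny"},
    "enableRbacAuthorization": True, "accessPolicies": []}}
HARDENED_DIAG = [{"logs": [{"category": "AuditEvent", "enabled": True, "retentionPolicy": {"days": 365}}]}]
```

`assess_vault(WEAK_VAULT, WEAK_DIAG)` returns four findings, one per gap, while the hardened pair returns none.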

Microsoft’s report includes indicators of compromise for the observed attacks, along with extensive mitigation and protection guidance—because in cases like this, the hardest part isn’t noticing the breach. It’s recognizing how easily a normal admin flow can be turned into a doorway for theft.

