Microsoft Threat Intelligence researchers describe Storm-2949 conducting a two-phase campaign that began with targeted identity compromise and progressed to cloud infrastructure takeover, exfiltrating data from Microsoft 365, file hosting, and Azure production environments.
The attackers relied on social engineering and abuse of Self-Service Password Reset to hijack Microsoft Entra ID accounts, temporarily disable MFA, re-enable MFA under their own control, and register a new authentication method, giving them persistent access across multiple users, including IT staff and senior leaders.
Following this, they conducted directory discovery via Microsoft Graph API, attempted to add credentials to a compromised service principal, and then moved into Azure resources, focusing on App Service, Key Vaults, Storage, and SQL databases, with several Azure RBAC roles enabling broad access.
In one sequence, they pivoted to a production Azure App Service ecosystem and, within four minutes, manipulated Key Vault access configurations and accessed dozens of secrets, including credentials enabling access to the main production web app, which they subsequently exfiltrated. They also deployed the ScreenConnect tool and used VM extensions to harvest credentials and map additional assets, while Defender alerts helped tie endpoint and cloud activity into a single incident.
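The Key Vault sequence above (an access-configuration change followed within minutes by reads of dozens of secrets) is a pattern a defender can hunt for in Key Vault audit logs. The following is an added detection example, not code from Microsoft or the report; the record shape, operation names and identities are constructed and simplified, and the thresholds are assumptions to tune locally:

```python
from datetime import datetime, timedelta

# Simplified operation names; real Key Vault diagnostic logs carry richer fields.
POLICY_CHANGE_OPS = {"VaultPatch", "VaultPut", "RoleAssignmentWrite"}
SECRET_READ_OPS = {"SecretGet", "SecretList"}

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")

def detect_policy_change_then_secret_burst(events, window_minutes=5, min_secrets=10):
    """One finding per access-policy change that the same identity follows, within
    window_minutes, with reads of at least min_secrets distinct secrets in that vault."""
    events = sorted(events, key=lambda e: parse_time(e["time"]))
    findings = []
    for i, ev in enumerate(events):
        if ev["operation"] not in POLICY_CHANGE_OPS:
            continue
        start = parse_time(ev["time"])
        end = start + timedelta(minutes=window_minutes)
        secrets = set()
        for later in events[i + 1:]:
            if parse_time(later["time"]) > end:
                break  # events are sorted, so nothing later can be in the window
            if (later["operation"] in SECRET_READ_OPS
                    and later["identity"] == ev["identity"]
                    and later["vault"] == ev["vault"]):
                secrets.add(later.get("secret", "<list>"))
        if len(secrets) >= min_secrets:
            findings.append({"identity": ev["identity"], "vault": ev["vault"],
                             "policy_change_at": ev["time"], "secrets_read": len(secrets)})
    return findings

def _constructed_events():
    """Constructed sample log records (not real telemetry): one policy change,
    then 12 distinct secrets read over three minutes, plus one benign read."""
    base = datetime(2025, 3, 1, 10, 0, 0)
    fmt = lambda d: d.strftime("%Y-%m-%dT%H:%M:%SZ")
    ident = "svc-deploy@contoso.example"
    evs = [{"time": fmt(base), "identity": ident, "operation": "VaultPatch", "vault": "prod-kv"}]
    for n in range(12):
        evs.append({"time": fmt(base + timedelta(seconds=15 * (n + 1))), "identity": ident,
                    "operation": "SecretGet", "vault": "prod-kv", "secret": f"secret-{n}"})
    evs.append({"time": fmt(base + timedelta(minutes=30)), "identity": "app-prod@contoso.example",
                "operation": "SecretGet", "vault": "prod-kv", "secret": "webapp-conn"})
    return evs

if __name__ == "__main__":
    for finding in detect_policy_change_then_secret_burst(_constructed_events()):
        print(finding)
```

The benign single read by a different identity with no preceding policy change produces no finding, which is the false-positive case the identity and vault correlation is meant to exclude.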
According to the Microsoft Defender Security Research Team, this attack highlights how compromised cloud identities can fuel cloud-wide breaches, underscoring the need for cross-domain visibility, threat hunting, and reinforced identity and cloud controls.