Storm-2949 Cyberattack Targets Microsoft 365 and Azure Data
Severity: High (Score: 71.0)
Sources: Blogs.Microsoft, Thecyberexpress, Bleepingcomputer, Scworld, Gbhackers
Keywords: storm-2949, identity, into, threat, microsoft, details, turned
Summary
Microsoft has reported a significant cyberattack by the threat actor Storm-2949, which exploited Microsoft Entra ID accounts to conduct a large-scale data theft from Microsoft 365 and Azure environments. The attack involved social engineering tactics to compromise high-privilege user accounts, using the Self-Service Password Reset (SSPR) process to reset passwords and bypass multi-factor authentication (MFA). Once inside, the attackers utilized Microsoft Graph API and custom Python scripts to enumerate users and access sensitive data, including VPN configurations and operational files. They expanded their reach into Azure infrastructure, compromising virtual machines, storage accounts, and Azure Key Vaults to extract critical secrets and credentials. The attack exemplifies a shift towards using legitimate cloud management features for malicious purposes, avoiding traditional malware deployment. Microsoft has confirmed that multiple organizations have been affected, with ongoing investigations into the full scope of the breach.

Key Points:
- Storm-2949 exploited Microsoft Entra ID accounts to steal sensitive data from Microsoft 365 and Azure.
- Attackers used social engineering to bypass MFA and reset passwords of high-privilege accounts.
- The breach involved extensive data theft, including VPN configurations and Azure Key Vault secrets.
Detailed Analysis
**Impact**

Storm-2949 targeted organizations using Microsoft 365 and Azure cloud environments, focusing on privileged users including IT staff and senior leadership. The attackers exfiltrated thousands of sensitive files from OneDrive and SharePoint, including VPN configurations and remote access documents, and accessed production Azure subscriptions containing critical infrastructure data such as Azure Key Vault secrets, SQL databases, and storage accounts. The campaign affected multiple organizations globally, with significant risk to enterprise cloud data confidentiality and operational continuity.

**Technical Details**

The attack began with social engineering targeting Microsoft's Self-Service Password Reset (SSPR) process to hijack privileged Microsoft Entra ID accounts by tricking victims into approving MFA prompts. Attackers removed existing MFA methods and enrolled their own devices to maintain persistent access. They used Microsoft Graph API with custom Python scripts for directory enumeration and reconnaissance, abused Azure RBAC permissions to access Azure App Services, Key Vaults, SQL servers, and storage accounts, and deployed tools like ScreenConnect for remote access. No malware or CVEs were reported as exploited; the attackers relied on abusing legitimate cloud management features and administrative tools.

**Recommended Response**

Enforce phishing-resistant MFA for all users, especially those with privileged roles, and apply the principle of least privilege to Azure RBAC permissions. Harden SSPR processes and implement conditional access policies to detect and block anomalous MFA approvals. Monitor Azure Key Vault logs for suspicious access and maintain logs for at least one year. Restrict public access to Azure Key Vaults, limit access to sensitive storage, and deploy detections for unusual Microsoft Graph API queries and abnormal use of Azure VM management features.
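The identity-takeover chain described under Technical Details (self-service reset, removal of the victim's MFA methods, enrollment of attacker-controlled methods) is something a defender can hunt for in Entra ID audit logs. The following is an added detection example, not code from the original report or from Microsoft; the audit records are constructed, and the activity display names are assumed to match the Entra ID audit log's naming.

```python
"""Flag Entra ID accounts whose audit trail shows the SSPR -> MFA-takeover chain."""
from datetime import datetime, timedelta

# Activity display names as they appear in Entra ID audit logs (assumed names).
SSPR_RESET = "Reset password (self-service)"
MFA_DELETED = "User deleted security info"
MFA_REGISTERED = "User registered security info"
CHAIN = {SSPR_RESET, MFA_DELETED, MFA_REGISTERED}


def ev(time, user, activity, result="success"):
    """Build one minimal audit record (constructed sample data, not real logs)."""
    return {"time": time, "user": user, "activity": activity, "result": result}


SAMPLE_EVENTS = [  # constructed sample audit events
    ev("2026-05-10T08:01:00", "it-admin@example.com", SSPR_RESET),
    ev("2026-05-10T08:03:30", "it-admin@example.com", MFA_DELETED),
    ev("2026-05-10T08:05:10", "it-admin@example.com", MFA_REGISTERED),
    ev("2026-05-10T09:00:00", "alice@example.com", SSPR_RESET),
    ev("2026-05-10T13:30:00", "alice@example.com", MFA_REGISTERED),  # hours later
    ev("2026-05-10T10:00:00", "bob@example.com", MFA_REGISTERED),    # no reset
    ev("2026-05-10T11:00:00", "carol@example.com", SSPR_RESET),
    ev("2026-05-10T11:10:00", "carol@example.com", MFA_REGISTERED),  # no removal
    ev("2026-05-10T12:00:00", "dave@example.com", SSPR_RESET, "failure"),
]


def find_takeover_chains(events, window=timedelta(minutes=30)):
    """Return {user: severity} for users with a successful self-service reset
    followed within `window` by MFA method changes. 'high' = method removed
    and a new one registered; 'medium' = new method registered, no removal seen."""
    by_user = {}
    for e in events:
        if e["result"] != "success":
            continue  # failed attempts are noise for this chain
        by_user.setdefault(e["user"], []).append(
            (datetime.fromisoformat(e["time"]), e["activity"]))
    hits = {}
    for user, evs in by_user.items():
        evs.sort()
        for i, (t0, act) in enumerate(evs):
            if act != SSPR_RESET:
                continue
            seen = {act}
            for t, a in evs[i + 1:]:
                if t - t0 > window:
                    break  # events are sorted, so nothing later is in range
                if a in CHAIN:
                    seen.add(a)
            if seen == CHAIN:
                hits[user] = "high"
            elif MFA_REGISTERED in seen:
                hits.setdefault(user, "medium")
    return hits
```

Widening `window` trades false negatives for false positives; legitimate helpdesk-driven resets with an immediate re-enrollment will land in the "medium" bucket and should be reconciled against ticket data.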
Source articles (5)
- Microsoft Details Storm — Thecyberexpress · 2026-05-19
  Microsoft Threat Intelligence has disclosed details of a cyberattack carried out by a threat actor tracked as Storm-2949, which escalated from a targeted identity compromise into a large-scale breach…
- Storm-2949 actor targets Microsoft 365 and Azure environments | brief — Scworld · 2026-05-20
  A threat actor, tracked as Storm-2949, is actively targeting Microsoft 365 and Azure production environments by abusing legitimate applications and administration features to steal sensitive data. The…
- Microsoft Self — Bleepingcomputer · 2026-05-19
  A threat actor targeting Microsoft 365 and Azure production environments is stealing data in attacks that abuse legitimate applications and administration features. Microsoft tracks the actor as Storm…
- Hackers Exploit Entra ID Accounts to Steal Microsoft 365, Azure Data — Gbhackers · 2026-05-19
  Hackers Abuse Microsoft Entra ID Accounts to Exfiltrate Microsoft 365 and Azure Data. A highly sophisticated cyberattack campaign carried out by a threat actor tracked as Storm-2949, targeting Microso…
- How Storm-2949 turned a compromised identity into a cloud — Blogs.Microsoft · 2026-05-18
  Storm-2949 turned stolen credentials into a cloud-wide breach, moving from identity compromise to large-scale data theft without using malware. This incident shows how threat actors can exploit truste…
Timeline
- 2026-05-18 — Microsoft discloses Storm-2949 attack details: Microsoft revealed that Storm-2949 exploited identities to conduct a cloud-wide breach, focusing on data theft from Microsoft 365 and Azure.
- 2026-05-19 — BleepingComputer reports on SSPR abuse: BleepingComputer detailed how Storm-2949 abused the Self-Service Password Reset process to hijack accounts and exfiltrate data.
- 2026-05-19 — Thecyberexpress covers attack methodology: Thecyberexpress outlined the attack's methodology, including the use of social engineering and cloud management tools to conduct the breach.
- 2026-05-19 — Gbhackers reports on data exfiltration: Gbhackers reported on the sophisticated techniques used by Storm-2949 to exploit Entra ID accounts and steal data.
Related entities
- Data Breach (Attack Type)
- Phishing (Attack Type)
- Microsoft (Company)
- Azure (Company)
- T1003 - OS Credential Dumping (Mitre Attack)
- T1021 - Remote Services (Mitre Attack)
- T1041 - Exfiltration Over C2 Channel (Mitre Attack)
- T1059.001 - PowerShell (Mitre Attack)
- T1059.006 - Python (Mitre Attack)
- T1069.001 - Local Groups (Mitre Attack)
- T1069 - Permission Groups Discovery (Mitre Attack)
- T1078 - Valid Accounts (Mitre Attack)
- T1087 - Account Discovery (Mitre Attack)
- T1136 - Create Account (Mitre Attack)
- T1562.001 - Disable Or Modify Tools (Mitre Attack)
- T1562.004 - Disable Or Modify System Firewall (Mitre Attack)
- T1566 - Phishing (Mitre Attack)
- Azure App Services (Platform)
- Azure Instance Metadata Service (Platform)
- Azure Key Vault (Platform)
- Azure SQL (Platform)
- Azure Storage (Platform)
- Azure Virtual Machines (Platform)
- Kudu (Platform)
- Microsoft 365 (Platform)
- Microsoft Entra ID (Platform)
- SharePoint (Platform)
- Microsoft Graph API (Tool)
- OneDrive (Tool)
- ScreenConnect (Tool)