TechBooky AI Assistant
TechBooky AI Assistant
👋 Welcome to TechBooky AI Assistant

I can help with:
🔎 Tech News
🤖 AI Topics
💻 Gadgets
☁️ Cloud
✍️ Guest Posts
📢 Advertising
🔗 Backlinks
📩 Newsletter
  • AI Search
  • Cryptocurrency
  • Earnings
  • Enterprise
  • About TechBooky
  • Submit Article
  • Advertise Here
  • Contact Us
TechBooky
  • African
  • AI
  • Metaverse
  • Gadgets
Generic selectors
Exact matches only
Search in title
Search in content
Post Type Selectors
Search in posts
Search in pages
  • African
  • AI
  • Metaverse
  • Gadgets
Generic selectors
Exact matches only
Search in title
Search in content
Post Type Selectors
Search in posts
Search in pages
TechBooky
Generic selectors
Exact matches only
Search in title
Search in content
Post Type Selectors
Search in posts
Search in pages
Home Security

Hackers Abuse Microsoft Password Reset to Steal Data

Akinola Ajibola by Akinola Ajibola
May 21, 2026
in Security
Share on FacebookShare on Twitter

Data is being stolen by a threat actor who is targeting Microsoft 365 and Azure production installations using assaults that misuse administrator features and valid applications.

The attack’s goal, according to Microsoft, is “to exfiltrate as much sensitive data from a target organization’s high-value assets as possible.” The actor is identified as Storm-2949.

In order to access data in Microsoft 365 applications, Storm-2949 employed social engineering to target users with privileged responsibilities, such as IT staff or senior leadership, and obtain their Microsoft Entra ID credentials.

According to Microsoft, the Self-Service Password Reset (SSPR) flow, in which an attacker starts a password reset for a targeted employee’s account and subsequently deceives the victim into accepting multi-factor authentication (MFA) prompts, is allegedly misused by the actor.

The hacker pretends to be an IT support worker who needs the account to be verified immediately in order to make the hoax seem more plausible.

After that, the hacker enabled Microsoft Authenticator on their device, changed the password, and disabled the MFA controls.

Using the Microsoft Graph API and custom Python scripts, Storm-2949 targeted Microsoft 365 apps, enumerated people, roles, applications, and service principals, and assessed the long-term persistence prospects in each scenario.

They then used Microsoft 365’s OneDrive and SharePoint to check for VPN settings and IT operational files in order to find remote access information that would be useful for lateral movement from the cloud into the endpoint network.

Microsoft says that “Storm-2949 downloaded thousands of files to their own infrastructure in a single action using the OneDrive web interface.”

“All compromised user accounts exhibited this pattern of data theft, probably as a result of different identities having access to different shared directories and folders.”

The victim’s Azure infrastructure, including virtual machines, storage accounts, key vaults, app services, and SQL databases, was also targeted by Storm-2949.

Switching to Azure: Microsoft claims that the attacker gained access to several identities with privileged bespoke Azure role-based access control (RBAC) roles on several Azure subscriptions.

They were able to “uncover and extract the most sensitive assets within the victim’s Azure environment, specifically from production-based Azure subscriptions.”

Storm-2949 obtained credentials to install FTP, Web install, and the Kudu console for administering Azure App services by taking advantage of the compromised user’s privileged Azure RBAC rights.

The actor could now examine environment variables, traverse the file system, and remotely carry out operations within the context of the application.

After that, Storm-2949 switched to Azure Key Vaults, where they stole numerous secrets, including connection strings and database credentials, and altered access settings.

By altering firewall and network access rules, obtaining storage keys and SAS tokens, and exfiltrating data using bespoke Python scripts, the attackers also targeted Azure SQL servers and storage accounts.

Additionally, according to Ganacharya, the Storm-2949 malicious activity is unrelated to the recent Microsoft Entra SSO and device code phishing threats [1, 2, 3].

Microsoft advises adhering to security hardening and best practices, such as implementing the least privilege principle, enabling conditional access policies, adding MFA protection for all users, and guaranteeing phishing-resistant MFA for users with privileged roles, such as administrators, in order to fend off Storm-2949 attacks.

The company recommends limiting Azure RBAC permissions, limiting access to Key Vault, limiting public access to Key Vaults, employing data protection options in Azure Storage, monitoring for high-risk Azure management operations, and retaining Azure Key Vault logs up to a year in order to secure cloud resources. 

In addition to comprehensive mitigation and prevention guidelines, Microsoft’s whitepaper offers indicators of compromise for the reported threats. 

To protect enterprise environments from these SSPR-based social engineering attacks, security teams should consider implementing several key architectural defenses.

Firstly, organisations should enforce phishing-resistant multi-factor authentication. This means upgrading high-risk, privileged, and administrative roles to use stronger mechanisms such as FIDO2 security keys or certificate-based authentication.

Secondly, security teams need to tighten SSPR requirements. Specifically, they should adjust Entra ID policies to require two verification methods for self-service password resets instead of relying on just a single prompt or an SMS factor as an alternative.

Third, companies should adopt a strict least-privilege RBAC model. By severely limiting Azure Role-Based Access Control permissions, organizations can ensure that a compromised account cannot easily access secondary high-value storage accounts or key vaults.

Finally, teams must prioritize audit and log retention. This involves retaining Azure Key Vault logs for up to one full year while continuously monitoring for high-risk management operations or any anomalous data access patterns.

Related Posts:

  • microsoft-authenticator_fhch
    Critical Vulnerability In Microsoft Authenticator…
  • Announcing-the-new-admin-center-1c
    Microsoft 365 Admin Center Logins Will Require MFA
  • csm_1200x630wa_5026e9630c
    Microsoft Pushes Edge & Disables Authenticator Autofill
  • 1756485691039
    Microsoft to Enforce MFA on Azure Resource…
  • Chinaflag_computercode_MykhailoPolenok-AlamyStockPhoto
    New Malware Deployed By Chinese APT To Retain Access…
  • Microsoft Teams
    Microsoft Teams Vulnerability Exposes User Systems
  • skynews-russia-hacker_5812455
    Russian Hackers Target WhatsApp for Data on Ukraine
  • Nigeria-Police-oje751ajvij3f7dy7z0qk7rmbhejx6zy56z3i8uxdc
    Nigerian Authorities Arrest Developer Linked to…

Discover more from TechBooky

Subscribe to get the latest posts sent to your email.

Tags: azurehackersmicrosoftmicrosoft 365password
Akinola Ajibola

Akinola Ajibola

BROWSE BY CATEGORIES

Receive top tech news directly in your inbox

subscription from
Loading

Freshly Squeezed

  • Trunk Tools Ditches General-Purpose LLMs To Tame Construction’s “Ugly” Data July 6, 2026
  • Analyst Warns Apple’s first foldable iPhone Could be Hard to Get at Launch July 6, 2026
  • Meta Is Becoming a Cloud Computing Company July 2, 2026
  • Z.ai Unveils ZCode, an “Agentic” AI Coding Environment Built Around GLM-5.2 July 2, 2026
  • Tesla’s Vehicle Deliveries Are Growing Again, But Wall Street Is Looking Beyond EV Sales July 2, 2026
  • Google Loses Final Android Antitrust Appeal as EU Upholds €4.1 Billion Fine July 2, 2026
  • Discord Launches Native App for Meta Quest VR Headsets July 1, 2026
  • Fable 5 Is Back: Anthropic’s Most Powerful AI Returns After U.S. Government Ban July 1, 2026
  • Google’s Gemini Can Now Take Notes For You In Google Meet June 30, 2026
  • Cursor Brings Its AI Coding Agents to Mobile With New App June 30, 2026
  • TIDAL Moves to Block Payouts for Fully AI‑Generated Music June 30, 2026
  • OpenClaw Brings Its Agentic AI Apps to iOS and Android June 30, 2026

Browse Archives

July 2026
MTWTFSS
 12345
6789101112
13141516171819
20212223242526
2728293031 
« Jun    

Quick Links

  • About TechBooky
  • Advertise Here
  • Contact us
  • Submit Article
  • Privacy Policy
Generic selectors
Exact matches only
Search in title
Search in content
Post Type Selectors
Search in posts
Search in pages
  • African
  • Artificial Intelligence
  • Gadgets
  • Metaverse
  • Tips
  • AI Search
  • About TechBooky
  • Advertise Here
  • Submit Article
  • Contact us

© 2025 Designed By TechBooky Elite

Discover more from TechBooky

Subscribe now to keep reading and get access to the full archive.

Continue reading

We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.