
A threat actor is stealing data from Microsoft 365 and Azure production environments using attacks that abuse administrator features and legitimate applications.
Microsoft tracks the actor as Storm-2949 and says the goal of the activity is “to exfiltrate as much sensitive data from a target organization’s high-value assets as possible.”
To reach data in Microsoft 365 applications, Storm-2949 used social engineering against users with privileged responsibilities, such as IT staff or senior leadership, to obtain their Microsoft Entra ID credentials.
According to Microsoft, the actor abuses the Self-Service Password Reset (SSPR) flow: the attacker initiates a password reset for a targeted employee’s account and then tricks the victim into approving the resulting multi-factor authentication (MFA) prompts.
To make the ruse more convincing, the attacker poses as an IT support worker who needs the account verified immediately.
The attacker then registered Microsoft Authenticator on their own device, changed the password, and disabled the existing MFA controls.
Using the Microsoft Graph API and custom Python scripts, Storm-2949 targeted Microsoft 365 apps, enumerated users, roles, applications, and service principals, and assessed options for long-term persistence in each case.
They then searched OneDrive and SharePoint for VPN configurations and IT operational files, looking for remote access details that would support lateral movement from the cloud into the endpoint network.
Microsoft says that “Storm-2949 downloaded thousands of files to their own infrastructure in a single action using the OneDrive web interface.”
“All compromised user accounts exhibited this pattern of data theft, probably as a result of different identities having access to different shared directories and folders.”
Storm-2949 also targeted the victim’s Azure infrastructure, including virtual machines, storage accounts, key vaults, app services, and SQL databases.
Pivoting to Azure, the attacker gained access to several identities holding privileged custom Azure role-based access control (RBAC) roles across multiple Azure subscriptions, Microsoft says.
This allowed them to “uncover and extract the most sensitive assets within the victim’s Azure environment, specifically from production-based Azure subscriptions.”
Using the compromised user’s privileged Azure RBAC rights, Storm-2949 obtained the FTP, web deployment, and Kudu console credentials used to administer Azure App Service applications.
With these, the actor could inspect environment variables, traverse the file system, and execute commands remotely in the context of the application.

Storm-2949 then moved to Azure Key Vault, where they stole numerous secrets, including connection strings and database credentials, and altered access settings.
The attackers also targeted Azure SQL servers and storage accounts by altering firewall and network access rules, obtaining storage keys and SAS tokens, and exfiltrating data with custom Python scripts.
Additionally, according to Ganacharya, the Storm-2949 malicious activity is unrelated to the recent Microsoft Entra SSO and device code phishing threats [1, 2, 3].
To defend against Storm-2949 attacks, Microsoft advises following security hardening best practices: applying the principle of least privilege, enabling Conditional Access policies, requiring MFA for all users, and ensuring phishing-resistant MFA for users with privileged roles such as administrators.
To secure cloud resources, the company recommends limiting Azure RBAC permissions, restricting access to Key Vault, restricting public network access to Key Vaults, using the data protection options in Azure Storage, monitoring for high-risk Azure management operations, and retaining Azure Key Vault logs for up to a year.
In addition to comprehensive mitigation and prevention guidelines, Microsoft’s whitepaper offers indicators of compromise for the reported threats.
To protect enterprise environments from these SSPR-based social engineering attacks, security teams should consider several architectural defenses.
First, organizations should enforce phishing-resistant multi-factor authentication. This means upgrading high-risk, privileged, and administrative roles to stronger mechanisms such as FIDO2 security keys or certificate-based authentication.
Second, security teams need to tighten SSPR requirements. Specifically, they should adjust Entra ID policies to require two verification methods for self-service password resets rather than relying on a single prompt or an SMS factor as an alternative.
Third, companies should adopt a strict least-privilege RBAC model. By tightly limiting Azure Role-Based Access Control permissions, organizations can ensure that a compromised account cannot easily reach secondary high-value storage accounts or key vaults.
Finally, teams must prioritize audit and log retention. This involves retaining Azure Key Vault logs for up to one full year while continuously monitoring for high-risk management operations and anomalous data access patterns.
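The monitoring recommendation above can be turned into concrete detection logic. The following is an added example, not code from Microsoft’s report or this article: it runs two checks over constructed sample audit events, one for the SSPR takeover sequence described earlier (self-service reset, then a new security-info registration, then removal of the old method) and one for the burst of file downloads. The event names and field layout are a simplified assumption, not the exact schema of Entra ID or Microsoft 365 audit logs, so map them to your own log fields before use.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample events (not real telemetry): a simplified (time, user,
# operation) subset of what Entra ID audit and Microsoft 365 audit logs expose.
SAMPLE_EVENTS = [
    ("2025-01-10T09:00:00", "it-admin@contoso.example", "Reset password (self-service)"),
    ("2025-01-10T09:04:00", "it-admin@contoso.example", "User registered security info"),
    ("2025-01-10T09:06:00", "it-admin@contoso.example", "User deleted security info"),
    ("2025-01-10T09:30:00", "it-admin@contoso.example", "FileDownloaded"),
    ("2025-01-10T09:30:05", "it-admin@contoso.example", "FileDownloaded"),
    ("2025-01-10T09:30:10", "it-admin@contoso.example", "FileDownloaded"),
    ("2025-01-10T11:00:00", "alice@contoso.example", "Reset password (self-service)"),  # benign reset
    ("2025-01-10T13:00:00", "bob@contoso.example", "FileDownloaded"),                   # benign download
]
TAKEOVER_WINDOW = timedelta(hours=1)  # SSPR, then new MFA method, then old MFA removed
BULK_WINDOW = timedelta(minutes=10)   # mass OneDrive/SharePoint download burst
BULK_THRESHOLD = 3                    # deliberately low for the sample; raise in production
def _events_by_user(events):
    """Group events per user as (datetime, operation), sorted by time."""
    by_user = defaultdict(list)
    for ts, user, op in events:
        by_user[user].append((datetime.fromisoformat(ts), op))
    for ops in by_user.values():
        ops.sort()
    return by_user

def detect_sspr_takeover(events, window=TAKEOVER_WINDOW):
    """Flag users whose self-service password reset is followed within `window`
    by BOTH a new security-info registration and a security-info deletion."""
    flagged = []
    for user, ops in _events_by_user(events).items():
        for t0, op in ops:
            if op != "Reset password (self-service)":
                continue
            later = {o for t, o in ops if t0 < t <= t0 + window}
            if {"User registered security info", "User deleted security info"} <= later:
                flagged.append(user)
                break
    return flagged

def detect_bulk_download(events, window=BULK_WINDOW, threshold=BULK_THRESHOLD):
    """Flag users with at least `threshold` FileDownloaded events in any sliding window."""
    flagged = []
    for user, ops in _events_by_user(events).items():
        times = [t for t, o in ops if o == "FileDownloaded"]
        for i, start in enumerate(times):
            if sum(1 for t in times[i:] if t <= start + window) >= threshold:
                flagged.append(user)
                break
    return flagged
```

On the sample, only the IT admin account trips both checks; a lone self-service reset or a single download does not, which keeps the rules quiet on routine activity.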