(microsoft.com) Storm-2949: A Sophisticated Cloud-Centric Attack Leveraging Identity Compromise and Legitimate Azure Features for Data Exfiltration
Storm-2949 exploited identity compromise and legitimate Azure features to exfiltrate sensitive data from cloud environments, bypassing MFA via SSPR abuse.
In brief - Threat actor Storm-2949 targeted cloud infrastructure by abusing Microsoft’s Self-Service Password Reset (SSPR) to bypass MFA, gaining persistent access to high-value accounts. The attack leveraged Azure management tools for lateral movement and data exfiltration, emphasizing the risks of identity-driven cloud threats.
Technically - Storm-2949 initiated the attack via SSPR abuse and social engineering to enroll rogue MFA devices. Post-compromise, they used Microsoft Graph API for directory discovery, exfiltrated data from OneDrive/SharePoint, and exploited custom RBAC roles to access Azure Key Vault, Storage, and SQL databases. Azure VM extensions (VMAccess, Run Command) were abused to create backdoor accounts and deploy ScreenConnect for persistence. Defense evasion included disabling Microsoft Defender Antivirus and clearing forensic artifacts.
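The VM extension and Run Command abuse described above leaves a trail in the Azure Activity Log. As an added example (not code from the Microsoft post), this Python triage flags those operations when the caller is not on an allowlist; the simplified event shape, the sample values and the VMAccess name-substring check are assumptions, while the operation name strings are real Azure operations.

```python
# Added example, not code from the Microsoft post. Record shape is a simplified,
# constructed approximation of Activity Log JSON; operation names are real.
import json
from dataclasses import dataclass
from typing import Iterable, List, Optional
# Activity Log operations the VM extension / Run Command abuse would generate.
WATCHED_OPERATIONS = {
    "Microsoft.Compute/virtualMachines/extensions/write": "vm-extension-write",
    "Microsoft.Compute/virtualMachines/runCommand/action": "vm-run-command",
}
VMACCESS_MARKER = "vmaccess"  # assumption: VMAccess extension names contain this

@dataclass(frozen=True)
class Finding:
    caller: str
    resource_id: str
    tag: str

def classify_event(event: dict) -> Optional[Finding]:
    """Return a Finding if the event is a watched operation, else None."""
    op = event.get("operationName", {}).get("value", "")
    tag = WATCHED_OPERATIONS.get(op)
    if tag is None:
        return None
    resource_id = event.get("resourceId", "")
    if tag == "vm-extension-write":
        # Extension name is the last path segment; VMAccess can add/reset local accounts.
        if VMACCESS_MARKER in resource_id.rsplit("/", 1)[-1].lower():
            tag = "vmaccess-extension-write"
    return Finding(event.get("caller", "unknown"), resource_id, tag)

def scan(lines: Iterable[str], allowed_callers: frozenset = frozenset()) -> List[Finding]:
    """Parse JSON-per-line events and keep watched ops from non-allowlisted callers."""
    findings = []
    for line in lines:
        f = classify_event(json.loads(line))
        if f is not None and f.caller not in allowed_callers:
            findings.append(f)
    return findings

# Constructed sample events (not real telemetry); subscription id is a placeholder.
VM = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg1/providers/Microsoft.Compute/virtualMachines/vm1"
def _event(op: str, caller: str, suffix: str = "") -> str:
    return json.dumps({"operationName": {"value": op}, "caller": caller, "resourceId": VM + suffix})

SAMPLE_EVENTS = [
    _event("Microsoft.Compute/virtualMachines/extensions/write", "user1@example.com", "/extensions/enablevmaccess"),
    _event("Microsoft.Compute/virtualMachines/runCommand/action", "user1@example.com"),
    _event("Microsoft.Compute/virtualMachines/extensions/write", "automation@example.com", "/extensions/MonitoringAgent"),
    _event("Microsoft.Compute/virtualMachines/start/action", "user1@example.com"),
]
```

Running `scan(SAMPLE_EVENTS, frozenset({"automation@example.com"}))` yields two findings for user1 (the VMAccess write and the Run Command), while the automation account's extension write and the VM start are dropped.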

How Storm-2949 turned a compromised identity into a cloud-wide breach | Microsoft Security Blog
Storm-2949 turned stolen credentials into a cloud-wide breach, moving from identity compromise to large-scale data theft without using malware. This incident shows how threat actors can exploit trusted systems to operate undetected.