At a glance: The threat group Storm-2949 conducts targeted attacks on Microsoft 365 and Azure by abusing the Self-Service Password Reset system, gaining access to sensitive data with stolen credentials, and exfiltrating it across various Azure services.
A threat group called Storm-2949 is conducting targeted attacks on Microsoft 365 and Azure environments. The attackers use social engineering and the Self-Service Password Reset (SSPR) system to gain access to highly privileged accounts and steal large volumes of data.
Microsoft has documented an attack campaign by the threat group Storm-2949 that specifically targets organizations with Microsoft 365 and Azure infrastructure. The attackers’ stated objective is to extract as much sensitive data as possible from the target organization’s critical systems.
The attackers use social engineering to target users with privileged roles – such as IT staff or executives. They initiate a password reset process for the target account, then manipulate the victim into approving multi-factor authentication requests by impersonating an IT support employee who needs to perform an urgent account verification. After successfully hijacking the account, the attackers disable MFA controls and install Microsoft Authenticator on their devices.
After account takeover, Storm-2949 actors use the Microsoft Graph API and custom Python scripts to enumerate users, roles, applications, and service principals, and look for ways to establish long-term persistence. The attackers then search OneDrive and SharePoint for VPN configurations and IT operations files to obtain information for lateral movement from the cloud environment into the on-premises endpoint network. In one case, the attackers downloaded thousands of files in a single batch via the OneDrive web interface to their own infrastructure.
The attackers later expand their activities to the victim’s Azure infrastructure, including virtual machines, storage accounts, Key Vaults, App Services, and SQL databases. They use compromised identities holding privileged custom Azure RBAC roles to access sensitive assets in production Azure subscriptions. With the stolen credentials, they use FTP, Web Deploy, and the Kudu management console of Azure App Services, which lets them browse the file system and execute commands remotely.
Storm-2949 also modifies the access settings of Azure Key Vaults and steals numerous secrets, including database credentials and connection strings. The attackers change firewall and network access rules on Azure SQL servers and storage accounts in order to extract storage keys and SAS tokens, and they abuse Azure VM management functions such as VMAccess and Run Command to create rogue administrator accounts and steal credentials. In later phases, the attackers deploy the remote access tool ScreenConnect and attempt to disable Microsoft Defender protections.
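The Key Vault, SQL firewall, storage-key and VM management actions described above all surface as control-plane operations in the Azure Activity Log. The following added example (not from Microsoft’s report) flags those operations over a few constructed log records and singles out any identity whose actions span several resource providers in one session, which is the pattern the report describes. The ARM operation names and the flattened record layout are assumptions to verify against your own tenant’s export.

```python
import json
from collections import defaultdict

# ARM operation names as they appear in Activity Log exports (assumed; verify
# against your tenant). Keys are lowercased because casing varies by export path.
WATCHED = {
    "microsoft.keyvault/vaults/accesspolicies/write": "Key Vault access policy changed",
    "microsoft.sql/servers/firewallrules/write": "SQL server firewall rule changed",
    "microsoft.storage/storageaccounts/listkeys/action": "storage account keys listed",
    "microsoft.storage/storageaccounts/write": "storage account (network rules) changed",
    "microsoft.compute/virtualmachines/runcommand/action": "VM Run Command executed",
    "microsoft.compute/virtualmachines/extensions/write": "VM extension (e.g. VMAccess) written",
}

# Constructed sample records (one JSON object per line), not real telemetry.
SAMPLE_LOG = """
{"time": "2025-01-10T09:01:00Z", "caller": "svc-deploy@example.com", "operationName": "Microsoft.KeyVault/vaults/accessPolicies/write", "status": "Succeeded", "resourceId": "/subscriptions/SUB/resourceGroups/prod/providers/Microsoft.KeyVault/vaults/prod-kv"}
{"time": "2025-01-10T09:04:00Z", "caller": "svc-deploy@example.com", "operationName": "Microsoft.Sql/servers/firewallRules/write", "status": "Succeeded", "resourceId": "/subscriptions/SUB/resourceGroups/prod/providers/Microsoft.Sql/servers/prod-sql/firewallRules/AllowAll"}
{"time": "2025-01-10T09:06:00Z", "caller": "svc-deploy@example.com", "operationName": "Microsoft.Storage/storageAccounts/listKeys/action", "status": "Succeeded", "resourceId": "/subscriptions/SUB/resourceGroups/prod/providers/Microsoft.Storage/storageAccounts/prodstore"}
{"time": "2025-01-10T09:09:00Z", "caller": "svc-deploy@example.com", "operationName": "Microsoft.Compute/virtualMachines/runCommand/action", "status": "Succeeded", "resourceId": "/subscriptions/SUB/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/app01"}
{"time": "2025-01-10T09:10:00Z", "caller": "svc-deploy@example.com", "operationName": "Microsoft.Compute/virtualMachines/extensions/write", "status": "Failed", "resourceId": "/subscriptions/SUB/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/app01/extensions/VMAccessAgent"}
{"time": "2025-01-10T10:30:00Z", "caller": "ops-admin@example.com", "operationName": "Microsoft.KeyVault/vaults/accessPolicies/write", "status": "Succeeded", "resourceId": "/subscriptions/SUB/resourceGroups/prod/providers/Microsoft.KeyVault/vaults/prod-kv"}
{"time": "2025-01-10T10:31:00Z", "caller": "ops-admin@example.com", "operationName": "Microsoft.Compute/virtualMachines/start/action", "status": "Succeeded", "resourceId": "/subscriptions/SUB/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/app01"}
"""


def parse_activity_log(text):
    """Parse newline-delimited JSON records into dicts."""
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def flag_events(events):
    """Return the succeeded events whose operation is on the watch list."""
    flagged = []
    for ev in events:
        op = ev.get("operationName", "")
        if ev.get("status") == "Succeeded" and op.lower() in WATCHED:
            flagged.append({"caller": ev["caller"], "operation": op,
                            "why": WATCHED[op.lower()], "resourceId": ev["resourceId"]})
    return flagged


def callers_spanning_providers(flagged, min_providers=3):
    """Identities whose flagged actions touch >= min_providers resource providers.
    One identity hitting Key Vault, SQL, Storage and Compute in sequence is the
    post-compromise pattern described in the report; a single change is routine."""
    providers = defaultdict(set)
    for f in flagged:
        providers[f["caller"]].add(f["operation"].split("/")[0].lower())
    return {c: sorted(p) for c, p in providers.items() if len(p) >= min_providers}
```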