VYPR · Breach
Published May 18, 2026 · Updated May 20, 2026 · 2 sources

Storm-2949 Abuses Microsoft Self-Service Password Reset to Steal Azure Data

Microsoft warns that threat actor Storm-2949 is abusing Self-Service Password Reset and legitimate admin tools to steal sensitive data from Azure and Microsoft 365 environments.

Microsoft has issued a detailed warning about a threat actor tracked as Storm-2949 that is abusing Microsoft's Self-Service Password Reset (SSPR) feature to hijack privileged accounts and exfiltrate data from Azure and Microsoft 365 environments. According to Microsoft, the attackers' objective is "to exfiltrate as much sensitive data from a target organization's high-value assets as possible." The campaign is ongoing and demonstrates how legitimate applications and administration features can be weaponized to bypass security controls.

The attack chain begins with social engineering. Storm-2949 targets users with privileged roles, such as IT personnel or senior leadership, to obtain their Microsoft Entra ID credentials. Once credentials are compromised, the actor abuses the SSPR flow by initiating a password reset for the targeted employee and tricking the victim into approving multi-factor authentication (MFA) prompts. To make the ruse more convincing, the attacker poses as an IT support employee requesting urgent account verification. After the victim approves the MFA prompt, the attacker resets the password, removes existing MFA controls, and enrolls Microsoft Authenticator on their own device, gaining full control of the account.

With the hijacked account, Storm-2949 uses the Microsoft Graph API and custom Python scripts to enumerate users, roles, applications, and service principals. The actor then accesses OneDrive and SharePoint in Microsoft 365, searching for VPN configurations and IT operational files that could enable lateral movement from the cloud into the endpoint network. Microsoft observed one instance where Storm-2949 used the OneDrive web interface to download thousands of files in a single action. "This pattern of data theft was repeated across all compromised user accounts, likely because different identities had access to different folders and shared directories," Microsoft stated in its advisory.

Storm-2949 expanded the attack to the victim's Azure infrastructure, targeting virtual machines, storage accounts, key vaults, app services, and SQL databases. The actor compromised multiple identities with privileged custom Azure role-based access control (RBAC) roles, allowing them to uncover and extract the most sensitive assets in production Azure subscriptions. By leveraging these permissions, the attacker obtained credentials to deploy via FTP, Web Deploy, and the Kudu console used to manage Azure App Service. From there, the actor browsed file systems, checked environment variables, and executed commands remotely within the app's context.

The attackers then pivoted to Azure Key Vaults, where they modified access settings and stole dozens of secrets, including database credentials and connection strings. Azure SQL servers and storage accounts were also targeted: Storm-2949 changed firewall and network access rules, retrieved storage keys and SAS tokens, and exfiltrated data using custom Python scripts. Azure VM management features such as VMAccess and Run Command were abused to create rogue administrator accounts, execute remote scripts, and steal credentials. In the later stages, the actor deployed the ScreenConnect remote access tool on compromised systems, attempted to disable Microsoft Defender protections, and wiped forensic evidence.

Microsoft uses the Storm designation as a temporary label for new, emerging, or developing threat activity. To defend against Storm-2949 attacks, Microsoft recommends adopting the principle of least privilege, enabling conditional access policies, requiring MFA for all users, and ensuring phishing-resistant MFA for users with privileged roles. For cloud resources, the company advises limiting Azure RBAC permissions, keeping Azure Key Vault logs for up to a year, reducing and restricting public access to Key Vaults, using data protection options in Azure Storage, and monitoring for high-risk Azure management operations. Microsoft's full report provides extensive mitigation guidance and indicators of compromise.
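As an added defender-side example (not code from Microsoft's report or from this page), the Python below implements the "monitor for high-risk Azure management operations" recommendation: it flags a single identity that performs several of the operation types described above (Key Vault access changes, storage key retrieval, SQL firewall changes, VM Run Command) within a short window. The operation-name set and the Activity log records are constructed assumptions for illustration.

```python
"""Flag Azure Activity log callers that perform several distinct high-risk management
operations (Key Vault access changes, storage key retrieval, SQL firewall changes, VM Run
Command) in a short window: the cloud-side pattern the Storm-2949 write-up describes."""
from collections import defaultdict
from datetime import datetime, timedelta

# Activity log operation names -> coarse category (assumed set; extend for your tenant).
HIGH_RISK_OPS = {
    "Microsoft.KeyVault/vaults/accessPolicies/write": "keyvault-access-change",
    "Microsoft.Storage/storageAccounts/listKeys/action": "storage-key-retrieval",
    "Microsoft.Storage/storageAccounts/listAccountSas/action": "storage-sas-retrieval",
    "Microsoft.Sql/servers/firewallRules/write": "sql-firewall-change",
    "Microsoft.Compute/virtualMachines/runCommand/action": "vm-run-command",
    "Microsoft.Compute/virtualMachines/extensions/write": "vm-extension-write",
    "Microsoft.Web/sites/publishxml/action": "appservice-deploy-credentials",
}

def flag_high_risk_ops(records, window_minutes=60, min_categories=3):
    """One alert per caller with >= min_categories distinct categories in any window."""
    by_caller = defaultdict(list)
    for r in records:
        cat = HIGH_RISK_OPS.get(r["operationName"])
        if cat and r.get("status") == "Succeeded":        # ignore Started/Failed events
            ts = datetime.strptime(r["eventTimestamp"], "%Y-%m-%dT%H:%M:%SZ")
            by_caller[r["caller"]].append((ts, cat, r["resourceId"]))
    alerts, window = [], timedelta(minutes=window_minutes)
    for caller, events in sorted(by_caller.items()):
        events.sort()
        for i, (t0, _, _) in enumerate(events):            # slide the window over each start
            span = [e for e in events[i:] if e[0] - t0 <= window]
            cats = {c for _, c, _ in span}
            if len(cats) >= min_categories:
                alerts.append({"caller": caller, "start": t0.isoformat(), "categories": sorted(cats),
                               "resources": sorted({rid for _, _, rid in span})})
                break                                        # one alert per caller is enough
    return alerts
def _rec(ts, caller, op, rid, status="Succeeded"):
    """Build a minimal Activity log record (constructed sample data, not real logs)."""
    return {"eventTimestamp": ts, "caller": caller, "operationName": op,
            "resourceId": rid, "status": status}
# Constructed samples: one compromised admin sweeping Key Vault, storage, SQL and a VM in 25 min.
SAMPLE_RECORDS = [
    _rec("2026-05-12T09:00:00Z", "admin@example.test", "Microsoft.KeyVault/vaults/accessPolicies/write", "/kv/prod-secrets"),
    _rec("2026-05-12T09:08:00Z", "admin@example.test", "Microsoft.Storage/storageAccounts/listKeys/action", "/st/prodblob"),
    _rec("2026-05-12T09:15:00Z", "admin@example.test", "Microsoft.Sql/servers/firewallRules/write", "/sql/prod-db"),
    _rec("2026-05-12T09:25:00Z", "admin@example.test", "Microsoft.Compute/virtualMachines/runCommand/action", "/vm/web01"),
    _rec("2026-05-12T14:00:00Z", "eng@example.test", "Microsoft.Storage/storageAccounts/listKeys/action", "/st/devblob"),
    _rec("2026-05-12T14:05:00Z", "eng@example.test", "Microsoft.Sql/servers/firewallRules/write", "/sql/dev-db", "Failed"),
]
```

Tune `window_minutes` and `min_categories` to your tenant's normal change cadence; a routine key rotation by one engineer stays below the threshold, while the multi-service sweep trips it.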

Microsoft's latest report on Storm-2949 provides a detailed attack chain, revealing that the threat actor used a custom Python script to enumerate users and applications via Microsoft Graph API, and added credentials to a compromised service principal for persistence. The attackers also leveraged ScreenConnect for post-compromise activity, moving laterally across cloud and endpoint environments while blending into expected administrative behavior. Microsoft has released IOCs and Defender XDR detection guidance to help organizations defend against this identity-driven cloud compromise.

Synthesized by Vypr AI