Large enterprise with multiple subsidiaries hit by ransomware attack
Incident
Summary
Storm-0501 carried out a cloud-based ransomware intrusion against a large enterprise with multiple subsidiaries, turning hybrid identity gaps into destructive impact. The actor moved from on-premises systems into Microsoft Azure, escalated privileges, and exfiltrated data before mass-deleting Azure resources. It then attempted cloud-based encryption with a new Azure Key Vault and customer-managed key, which blocked recovery and remediation. The operation ended with a ransom demand sent over Microsoft Teams.
Related Happenings
Microsoft Teams cross-tenant Defender blind spot security flaw
Vulnerability
First: 28.11.2025 10:33
Last: 28.11.2025 10:33
Sources 1
About this happening:
**Microsoft Teams** has a **cross-tenant Defender blind spot** where **guest invitations** can move chats outside an organization’s protection boundary, creating **phishing** and...
Microsoft Azure hit by cyberattack linked to Aisuru botnet
Incident
First: 17.11.2025 19:13
Last: 17.11.2025 19:13
Sources 1
About this happening:
**Microsoft Azure** was hit by a **15.72 Tbps DDoS attack**, disrupting a public-facing target in **Australia** and underscoring the scale of the ongoing botnet threat. The flood...
Vanilla Tempest late-September Microsoft Teams malvertising campaign
Campaign
First: 16.10.2025 19:58
Last: 16.10.2025 19:58
Sources 1
About this happening:
The **late September 2025** **Vanilla Tempest** campaign used **SEO poisoning** and **malvertising** to push fake **Microsoft Teams** installers, including **MSTeamsSetup.exe**, t...
Latest development: 20.10.2025 13:00
Microsoft Threat Intelligence revoked over 200 certificates fraudulently signed by Vanilla Tempest and used in fake MS Teams setup files to deliver the Oyster backdoor and Rhysida ransomware. Microsoft also said the group used Trusted Signing, SSL[.]com, DigiCert, and GlobalSign to sign fake installers and post-compromise tools, and that fully enabled Microsoft Defender Antivirus blocks this threat.
Microsoft Azure Front Door outage affecting Microsoft 365 access
Service Disruption
First: 09.10.2025 15:38
Last: 09.10.2025 15:38
Sources 1
About this happening:
Microsoft is mitigating a **Microsoft Azure Front Door** outage that is blocking access to **Microsoft 365 services** and related portals. The disruption began around **07:40 UTC...
Azure AD Graph API authentication failure security flaw (CVE-2025-55241)
Vulnerability
First: 19.09.2025 16:47
Last: 19.09.2025 16:47
Sources 1
About this happening:
**CVE-2025-55241** is a **critical** token validation failure in **Microsoft Entra ID** and the legacy **Azure AD Graph API** that could let an attacker impersonate users, includi...
Timeline
27.08.2025 19:00 · 1 article
Microsoft discloses Storm-0501 cloud-based ransomware attack
Initial Disclosure
Microsoft published research on 2025-08-27 about Storm-0501, a ransomware actor active since 2021, describing a cloud-based ransomware intrusion against a large enterprise with multiple subsidiaries. The campaign exploited weak identity controls and visibility gaps across Microsoft Azure and Microsoft Entra ID tenants, moved from on-premises systems through Entra Connect Sync into a second tenant, used AzureHound for reconnaissance, bypassed Conditional Access by finding a non-human Global Administrator without MFA, then exfiltrated data, mass-deleted Azure resources, and demanded a ransom over Microsoft Teams. Microsoft also said it recently changed Microsoft Entra ID permissions on the Directory Synchronization Accounts (DSA) role in Entra Connect Sync and Entra Cloud Sync to reduce similar privilege escalation.
Sources
- Storm-0501 Hits Enterprise With 'Cloud-Based Ransomware' Attack — www.darkreading.com — 27.08.2025 19:00