

Storm-2949 leverages Microsoft Self-Service Password Reset to exfiltrate data from Azure and Microsoft 365 environments

1 unique source, 1 article

Summary


A newly identified threat actor, tracked as Storm-2949, is actively targeting Microsoft 365 and Azure production environments to exfiltrate sensitive data using legitimate applications and administration features. The actor employs social engineering to compromise privileged accounts, primarily by abusing the Microsoft Entra ID Self-Service Password Reset (SSPR) flow. After tricking victims into approving multi-factor authentication (MFA) prompts, the attacker resets passwords, removes MFA controls, and enrolls their own device in Authenticator. This enables persistent access to Microsoft 365 applications, including OneDrive and SharePoint, where VPN configurations and IT operational files are targeted for data theft. Storm-2949 subsequently pivots to Azure infrastructure, compromising identities with privileged RBAC roles to extract secrets from Key Vaults, Azure SQL databases, and Storage accounts, and to deploy remote access tools such as ScreenConnect. The actor also modifies firewall rules, creates rogue administrator accounts, and disables security protections to evade detection.

Timeline

  1. 19.05.2026 22:35 · 1 article

    Storm-2949 compromises Azure and Microsoft 365 via SSPR abuse, exfiltrating data across cloud environments

    A threat actor identified as Storm-2949 has compromised Microsoft 365 and Azure production environments by abusing the Self-Service Password Reset (SSPR) flow. After tricking privileged users into approving MFA prompts through social engineering, the actor reset passwords, removed MFA controls, and enrolled their own device in Authenticator. The attacker then enumerated users, roles, and applications using Microsoft Graph API and custom Python scripts, accessed OneDrive and SharePoint for VPN configurations and IT files, and downloaded thousands of files in a single action. Storm-2949 pivoted to Azure, compromising privileged RBAC roles to extract secrets from Key Vaults, Azure SQL databases, and Storage accounts. They deployed remote access tools, modified firewall rules, created rogue administrator accounts, and attempted to disable Microsoft Defender protections to evade detection.


Information Snippets

  • Storm-2949 abuses the Microsoft Entra ID Self-Service Password Reset (SSPR) flow to reset targeted employee passwords, remove MFA controls, and enroll Microsoft Authenticator on attacker-controlled devices.

    First reported: 19.05.2026 22:35
    1 source, 1 article
  • The actor uses social engineering, posing as IT support staff, to trick privileged users into approving MFA prompts during the SSPR process.

    First reported: 19.05.2026 22:35
    1 source, 1 article
  • After account compromise, Storm-2949 leverages Microsoft Graph API and custom Python scripts to enumerate users, roles, applications, and service principals, assessing persistence opportunities.

    First reported: 19.05.2026 22:35
    1 source, 1 article
  • Attackers access OneDrive and SharePoint to search for VPN configurations and IT operational files, with evidence of downloading thousands of files in a single action via the OneDrive web interface.

    First reported: 19.05.2026 22:35
    1 source, 1 article
  • Storm-2949 compromises Azure RBAC roles with privileged access across multiple subscriptions, enabling the theft of secrets from Azure Key Vaults, Azure SQL databases, and Storage accounts.

    First reported: 19.05.2026 22:35
    1 source, 1 article
  • Compromised Azure App Service permissions are abused to reach applications through FTP, Web Deploy, and the Kudu console, which allow remote file system browsing, environment variable inspection, and command execution within app contexts.

    First reported: 19.05.2026 22:35
    1 source, 1 article
  • Attackers modify Azure Key Vault access policies to steal dozens of secrets, including database credentials and connection strings, and alter firewall rules in Azure SQL and Storage to exfiltrate data via custom Python scripts.

    First reported: 19.05.2026 22:35
    1 source, 1 article
  • Storm-2949 uses Azure VM management features such as VMAccess and Run Command to create rogue administrator accounts, execute remote scripts, and steal credentials.

    First reported: 19.05.2026 22:35
    1 source, 1 article
  • The actor deploys ScreenConnect remote access tools, attempts to disable Microsoft Defender protections, and wipes forensic evidence in later attack stages.

    First reported: 19.05.2026 22:35
    1 source, 1 article
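As an added example (not from the CyberHappenings page, Microsoft, or any vendor tooling), the following Python correlation runs over constructed Entra ID audit-style records and flags the account-takeover chain described in the timeline and the first two snippets: a self-service password reset followed shortly by new security-info registration, with removal of an existing MFA method raising the severity. The field names and activity strings are assumptions modelled on the Entra audit log, not a fixed schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records shaped like Entra ID audit-log entries (assumed field names, not real telemetry).
SAMPLE_EVENTS = [
    {"time": "2026-05-19T10:02:00", "user": "alice@example.test", "ip": "203.0.113.7",
     "activity": "Reset password (self-service)"},
    {"time": "2026-05-19T10:05:00", "user": "alice@example.test", "ip": "203.0.113.7",
     "activity": "User deleted security info"},
    {"time": "2026-05-19T10:06:30", "user": "alice@example.test", "ip": "203.0.113.7",
     "activity": "User registered security info"},
    {"time": "2026-05-19T11:00:00", "user": "bob@example.test", "ip": "198.51.100.4",
     "activity": "Reset password (self-service)"},
    {"time": "2026-05-20T09:00:00", "user": "bob@example.test", "ip": "198.51.100.4",
     "activity": "User registered security info"},
    {"time": "2026-05-19T14:00:00", "user": "carol@example.test", "ip": "192.0.2.9",
     "activity": "Reset password (self-service)"},
    {"time": "2026-05-19T14:20:00", "user": "carol@example.test", "ip": "192.0.2.10",
     "activity": "User registered security info"},
]

# Activity strings are assumptions modelled on Entra audit-log display names.
RESET = "Reset password (self-service)"
MFA_REMOVED = "User deleted security info"
MFA_REGISTERED = "User registered security info"

def find_sspr_takeover_chains(events, window=timedelta(hours=1)):
    """Flag users whose self-service password reset is followed within `window`
    by new security-info registration; removal of an existing method raises severity."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["time"]), e))
    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda pair: pair[0])
        for i, (t0, e0) in enumerate(evs):
            if e0["activity"] != RESET:
                continue
            # Only events that follow the reset inside the correlation window count.
            later = [e for t, e in evs[i + 1:] if t - t0 <= window]
            acts = {e["activity"] for e in later}
            if MFA_REGISTERED not in acts:
                continue
            findings.append({
                "user": user,
                "reset_at": e0["time"],
                "severity": "high" if MFA_REMOVED in acts else "medium",
                # Distinct source IPs across the chain; a new address mid-chain is worth a look.
                "ips": sorted({e0["ip"]} | {e["ip"] for e in later}),
            })
    return findings
```

In the sample, bob's registration falls outside the window and is not flagged, while carol's reset followed by enrolment from a different address is reported at medium severity.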