Storm-2949 Microsoft 365 and Azure data-theft campaign
Campaign
Summary
The Storm-2949 campaign is targeting Microsoft 365 and Azure production environments to steal sensitive data, increasing the risk of privileged-account takeover and cloud asset loss. Attackers are using social engineering and Self-Service Password Reset (SSPR) abuse to capture Microsoft Entra ID credentials, then expanding into mail, file, and Azure services. The operation matters because it combines account hijacking, persistence, and large-scale exfiltration from high-value cloud resources.
Related Happenings
Kali365 Microsoft 365 device-code phishing campaign
Campaign
First: 25.05.2026 15:45
Last: 25.05.2026 15:45
Sources 1
About this happening:
A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...
Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs
Threat Actor Meta
First: 20.05.2026 00:47
Last: 20.05.2026 00:47
Sources 1
About this happening:
Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...
Storm-1175 high-velocity exploit campaign
Campaign
First: 06.04.2026 19:56
Last: 06.04.2026 19:56
Sources 1
About this happening:
**Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...
Storm infostealer server-side decryption activity
Malware Activity
First: 02.04.2026 17:15
Last: 02.04.2026 17:15
Sources 1
About this happening:
The **Storm** infostealer now steals **browser credentials**, **session cookies**, and **crypto wallets** and forwards them to attacker infrastructure for **server-side decryption...
2025 Rise in legitimate-access intrusions across enterprise sectors
Target Trend
First: 01.04.2026 17:05
Last: 01.04.2026 17:05
Sources 1
About this happening:
**Legitimate access abuse** is now a leading intrusion pattern across **2025** investigations, increasing the risk of stealthy compromise across **manufacturing, healthcare, MSPs,...
Timeline
19.05.2026 22:35 2 articles · 8d ago
Microsoft discloses Storm-2949 cloud data-theft campaign
Initial Disclosure: Microsoft disclosed that Storm-2949 is targeting Microsoft 365 and Azure production environments with social engineering and abuse of the Self-Service Password Reset (SSPR) flow to obtain Microsoft Entra ID credentials, hijack privileged accounts, and steal sensitive data from high-value cloud assets. The activity included Microsoft Graph API enumeration, custom Python scripts, downloading thousands of files from OneDrive, and searching SharePoint for VPN configurations and IT operational files. The actor then expanded into Azure Key Vaults, Azure SQL servers, Storage accounts, app services, and virtual machines, and later deployed ScreenConnect while attempting to disable Microsoft Defender protections and wipe forensic evidence.
Sources:
- Microsoft Self-Service Password Reset abused in Azure data theft attacks — www.bleepingcomputer.com — 19.05.2026 22:35