Find notable cyber news and cases, enriched with sources, timelines, and signals.

Storm-2949 Microsoft 365 and Azure data-theft campaign

Campaign
First reported
Last updated
Happening score
H score 33
1 unique sources, 1 articles

Summary

Hide ▲

The Storm-2949 campaign is targeting Microsoft 365 and Azure production environments to steal sensitive data, increasing the risk of privileged-account takeover and cloud asset loss. Attackers are using social engineering and Self-Service Password Reset (SSPR) abuse to capture Microsoft Entra ID credentials, then expanding into mail, file, and Azure services. The operation matters because it combines account hijacking, persistence, and large-scale exfiltration from high-value cloud resources.

Related Happenings

Microsoft Azure CLI password-spray campaign using ROPC

Campaign
H score24 First: 01.07.2026 08:46 Last: 01.07.2026 08:46 Sources 1

About this happening: A **massive automated password-spray campaign** against **Microsoft Azure CLI** compromised **at least 78 accounts** across **64 organizations**, expanding access risk across clou...

Kali365 Microsoft 365 device-code phishing campaign

Campaign
H score46 First: 25.05.2026 15:45 Last: 25.05.2026 15:45 Sources 1

About this happening: A **Kali365** phishing campaign is targeting **Microsoft 365** environments worldwide with **device-code login lures**, putting accounts at risk of **token theft** and **MFA bypas...

Fox Tempest's malware-signing service scales trusted-signed malware for ransomware gangs

Threat Actor Meta
H score26 First: 20.05.2026 00:47 Last: 20.05.2026 00:47 Sources 1

About this happening: Microsoft disrupted **Fox Tempest**'s **malware-signing service** in **May 2026**, cutting off a criminal platform that helped ransomware gangs and other cybercriminals obtain tru...

Storm-1175 high-velocity exploit campaign

Campaign
H score59 First: 06.04.2026 19:56 Last: 06.04.2026 19:56 Sources 1

About this happening: **Storm-1175** is running a **high-velocity exploit campaign** that rapidly turns access into **Medusa ransomware** deployment, creating risk of **data exfiltration** and encrypte...

Storm infostealer server-side decryption activity

Malware Activity
H score18 First: 02.04.2026 17:15 Last: 02.04.2026 17:15 Sources 1

About this happening: The **Storm** infostealer now steals **browser credentials**, **session cookies**, and **crypto wallets** and forwards them to attacker infrastructure for **server-side decryption...

Timeline

  1. 19.05.2026 22:35 2 articles · 1mo ago

    Microsoft discloses Storm-2949 cloud data-theft campaign

    Initial Disclosure

    Microsoft disclosed that Storm-2949 is targeting Microsoft 365 and Azure production environments with social engineering and abuse of the Self-Service Password Reset (SSPR) flow to obtain Microsoft Entra ID credentials, hijack privileged accounts, and steal sensitive data from high-value cloud assets. The activity included Microsoft Graph API enumeration, custom Python scripts, downloading thousands of files from OneDrive, searching SharePoint for VPN configurations and IT operational files, expanding into Azure Key Vaults, Azure SQL servers, Storage accounts, app services, and virtual machines, and later deploying ScreenConnect while attempting to disable Microsoft Defender protections and wipe forensic evidence.

    Show sources