Microsoft has disclosed an active cloud intrusion campaign by a threat actor it tracks as Storm-2949, which abuses compromised Microsoft Entra ID identities to exfiltrate data from Microsoft 365 and Azure environments. Initial access was obtained through social-engineering of high-value users into approving MFA prompts during Self-Service Password Reset flows, after which the attackers reset passwords, registered their own MFA devices, and locked out legitimate users. With privileged Entra ID access, Storm-2949 pivoted into Azure to abuse RBAC permissions against App Services, Key Vaults, Storage accounts, and SQL databases, including retrieving web app publishing profiles, modifying Key Vault access policies to extract secrets, and altering SQL firewall and storage settings to enable bulk data exfiltration. The actor also abused the Azure Instance Metadata Service for token theft, deployed ScreenConnect on Azure VMs via the VMAccess extension and Run Command, and attempted to disable Defender and clear logs. No CVE is involved; the campaign relies on legitimate cloud management features, so defenders are advised to harden SSPR and MFA approval workflows, tighten RBAC and Key Vault access policies, and monitor identity, cloud, and endpoint signals together.
- Hackers Exploit Entra ID Accounts to Steal Microsoft 365, Azure (opens in a new tab)
- Microsoft Exposes Storm-2949 Azure And M365 Breach(opens in a new tab)
- Hackers Abuse Microsoft Entra ID Accounts to Exfiltrate Microsof(opens in a new tab)
- Hackers Exploit Azure RBAC to Steal Key Vault Secrets(opens in a new tab)