// Alert

Microsoft Azure threat report

Microsoft has disclosed an active cloud intrusion campaign by a threat actor it tracks as Storm-2949, which abuses compromised Microsoft Entra ID identities to exfiltrate data from Microsoft 365 and Azure environments. Initial access was obtained through social-engineering of high-value users into approving MFA prompts during Self-Service Password Reset flows, after which the attackers reset passwords, registered their own MFA devices, and locked out legitimate users. With privileged Entra ID access, Storm-2949 pivoted into Azure to abuse RBAC permissions against App Services, Key Vaults, Storage accounts, and SQL databases, including retrieving web app publishing profiles, modifying Key Vault access policies to extract secrets, and altering SQL firewall and storage settings to enable bulk data exfiltration. The actor also abused the Azure Instance Metadata Service for token theft, deployed ScreenConnect on Azure VMs via the VMAccess extension and Run Command, and attempted to disable Defender and clear logs. No CVE is involved; the campaign relies on legitimate cloud management features, so defenders are advised to harden SSPR and MFA approval workflows, tighten RBAC and Key Vault access policies, and monitor identity, cloud, and endpoint signals together.

// Get alerts for Microsoft Azure