Storm 2949 Exploits Entra ID for Cloud Data Theft

Storm 2949 gains persistent access through social engineering of Microsoft's self service password reset feature to exfiltrate data from cloud environments.

CSBadmin

Attack Methodology

A threat actor called Storm 2949 has been conducting a sophisticated cloud attack campaign that targets Microsoft Entra ID accounts to steal sensitive data from Microsoft 365 and Azure environments. The attackers gained initial access through a social engineering technique that abused Microsoft's self-service password reset (SSPR) process. By impersonating internal IT support staff, they tricked users into approving fraudulent multi-factor authentication prompts, effectively handing over full account control. Once a prompt was approved, the attackers reset the account password, removed the existing authentication methods, and registered their own device as a new authenticator, giving them persistent access.
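The sequence described above (self-service reset, removal of the victim's existing authentication methods, registration of a new authenticator) leaves a distinctive trail in the Entra ID audit log. The following is an added detection example, not code from the article or from Microsoft: it groups audit records by target user and flags any self-service password reset that is followed within a short window by security-info deletion or registration. The record shape (`activityDateTime`, `activityDisplayName`, `targetResources[].userPrincipalName`) follows the Entra ID audit log export, the activity name strings are assumed to match what the tenant's export contains, and the sample events are constructed.

```python
"""Flag the SSPR-reset -> remove-MFA -> register-new-authenticator pattern
in Microsoft Entra ID audit log records.

Added example, not part of the original article. Field names follow the
Entra ID audit log export; the activity-name strings and the sample events
are assumptions/constructed data and should be adjusted to a real export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Activity names as they appear in Entra ID audit logs (assumption: verify
# against your tenant's export before relying on exact string matches).
RESET_ACTIVITY = "Reset password (self-service)"
DELETE_ACTIVITY = "User deleted security info"
REGISTER_ACTIVITY = "User registered security info"

# How soon after the reset the follow-on actions must occur to be correlated.
WINDOW = timedelta(minutes=30)

SAMPLE_EVENTS = [  # constructed sample data, not from any real tenant
    # Suspicious: reset, then MFA method removed, then new method registered.
    {"activityDateTime": "2024-05-01T09:00:12Z", "activityDisplayName": RESET_ACTIVITY,
     "targetResources": [{"userPrincipalName": "cfo@contoso.example"}]},
    {"activityDateTime": "2024-05-01T09:02:40Z", "activityDisplayName": DELETE_ACTIVITY,
     "targetResources": [{"userPrincipalName": "cfo@contoso.example"}]},
    {"activityDateTime": "2024-05-01T09:03:05Z", "activityDisplayName": REGISTER_ACTIVITY,
     "targetResources": [{"userPrincipalName": "cfo@contoso.example"}]},
    # Benign: a user resets a forgotten password and changes nothing else.
    {"activityDateTime": "2024-05-01T10:15:00Z", "activityDisplayName": RESET_ACTIVITY,
     "targetResources": [{"userPrincipalName": "alice@contoso.example"}]},
    # Benign: new authenticator registered two days after a reset (outside the window).
    {"activityDateTime": "2024-05-01T11:00:00Z", "activityDisplayName": RESET_ACTIVITY,
     "targetResources": [{"userPrincipalName": "bob@contoso.example"}]},
    {"activityDateTime": "2024-05-03T11:00:00Z", "activityDisplayName": REGISTER_ACTIVITY,
     "targetResources": [{"userPrincipalName": "bob@contoso.example"}]},
]


def _parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def _target_upn(event):
    targets = event.get("targetResources") or []
    return targets[0].get("userPrincipalName") if targets else None


def find_takeover_sequences(events, window=WINDOW):
    """Return one finding per self-service reset that is followed, within
    `window`, by registration of new security info for the same user.
    Severity is 'high' when existing security info was also deleted."""
    by_user = defaultdict(list)
    for event in events:
        upn = _target_upn(event)
        if upn:
            by_user[upn].append((_parse_time(event["activityDateTime"]),
                                 event["activityDisplayName"]))

    findings = []
    for upn, entries in by_user.items():
        entries.sort()
        for i, (reset_at, name) in enumerate(entries):
            if name != RESET_ACTIVITY:
                continue
            follow_on = [n for t, n in entries[i + 1:]
                         if t - reset_at <= window
                         and n in (DELETE_ACTIVITY, REGISTER_ACTIVITY)]
            if REGISTER_ACTIVITY not in follow_on:
                continue
            severity = "high" if DELETE_ACTIVITY in follow_on else "medium"
            findings.append({"user": upn, "reset_at": reset_at,
                             "severity": severity, "follow_on": follow_on})
    return findings


if __name__ == "__main__":
    for finding in find_takeover_sequences(SAMPLE_EVENTS):
        print(f"[{finding['severity']}] {finding['user']} reset at "
              f"{finding['reset_at']:%Y-%m-%d %H:%M} then {finding['follow_on']}")
```

A reset alone is routine, which is why the rule keys on the combination; the same logic can be expressed as a KQL query against the AuditLogs table for alerting in Sentinel or Defender XDR, with the window tuned to how quickly the organization's own help desk legitimately completes reset-and-re-enrol flows.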

Impact and Scope

The campaign did not rely on traditional malware or device-level exploits. Instead, the attackers used legitimate Microsoft cloud management tools and administrative features to move silently through an organization's entire cloud infrastructure. Sensitive files, database credentials, application secrets, and stored data were all exfiltrated. Microsoft reported that Storm 2949 deliberately targeted IT staff and senior leadership, showing signs of prior reconnaissance. The attack spanned Microsoft 365 applications, file hosting services, and Azure-hosted production environments, affecting the SaaS, PaaS, and IaaS layers. This incident highlights a shift in which attackers focus on cloud identities and control plane access so that their activity blends with expected administrative behavior and evades detection.

Source: Cyber Security News
