Storm-2949: Threat Actor Targets Microsoft 365 and Azure with Stolen Credentials and Cloud Exploitation
A sophisticated threat actor, tracked by **Microsoft** as **Storm-2949**, is actively targeting **Microsoft 365** and **Azure** environments to exfiltrate sensitive data. The group leverages social engineering, credential theft, and abuse of legitimate cloud application features to compromise high-value assets.

**Storm-2949**'s primary objective is to steal as much sensitive data as possible from targeted organizations' high-value assets within **Microsoft 365** and **Azure** environments. The attacks involve a multi-stage process, starting with social engineering and culminating in data exfiltration from various cloud services.
### Initial Access via Credential Theft
The attack chain begins with social engineering tactics targeting users with privileged roles, such as IT personnel or senior leadership. **Storm-2949** aims to obtain their **Microsoft Entra ID** credentials, granting them access to data within **Microsoft 365** applications. The attackers abuse the Self-Service Password Reset (SSPR) flow, initiating password resets for targeted accounts and tricking victims into approving the resulting multi-factor authentication (MFA) prompts.
To enhance the deception, attackers impersonate IT support staff, creating a sense of urgency and legitimacy. They then reset the password, remove existing MFA controls, and enroll **Microsoft Authenticator** on their own device.
### Exploiting Microsoft 365 Applications
With compromised accounts, **Storm-2949** leverages the **Microsoft Graph API** and custom Python scripts to enumerate users, roles, applications, and service principals. This reconnaissance phase helps them identify long-term persistence opportunities. They then access **OneDrive** and **SharePoint** within **Microsoft 365**, searching for VPN configurations, IT operational files, and remote access details for lateral movement.
According to **Microsoft**, the attackers used the **OneDrive** web interface to download thousands of files in a single action. This data theft pattern was repeated across compromised user accounts to maximize the reach of stolen information.
### Pivoting to Azure Infrastructure
**Storm-2949** extends its reach to the victim's **Azure** infrastructure, targeting virtual machines, storage accounts, key vaults, app services, and SQL databases. The attackers compromised multiple identities with privileged custom **Azure** role-based access control (RBAC) roles on multiple **Azure** subscriptions. This access allowed them to extract sensitive assets from production-based **Azure** subscriptions.
By exploiting the compromised user's privileged **Azure RBAC** permissions, **Storm-2949** obtained deployment credentials for FTP, Web Deploy, and the Kudu console used to manage **Azure App Services**. This access enabled them to browse the file system, check environment variables, and execute commands remotely within the app's context.
The attackers then targeted **Azure Key Vaults**, modifying access settings and stealing numerous secrets, including database credentials and connection strings. They also targeted **Azure SQL** servers and Storage accounts by changing firewall and network access rules, retrieving storage keys and SAS tokens, and exfiltrating data using custom Python scripts. **Azure VM** management features such as **VMAccess** and **Run Command** were abused to create rogue administrator accounts, execute remote scripts, and steal credentials.
In the later stages, **Storm-2949** deployed the **ScreenConnect** remote access tool on compromised systems, attempted to disable **Microsoft Defender** protections, and wiped forensic evidence.
*Figure (image not available). Source: Microsoft*
### Mitigation Strategies
**Microsoft** recommends security hardening and best practices to defend against **Storm-2949** attacks, including:
* Adopting the principle of least privilege.
* Enabling conditional access policies.
* Adding MFA protection for all users.
* Ensuring phishing-resistant MFA for users with privileged roles.
To protect cloud resources, **Microsoft** advises:
* Limiting **Azure RBAC** permissions.
* Keeping **Azure Key Vault** logs for up to a year.
* Reducing access to **Key Vault**.
* Restricting public access to **Key Vaults**.
* Using data protection options in **Azure Storage**.
* Monitoring for high-risk **Azure** management operations.
Microsoft's report provides indicators of compromise for the observed attacks along with extensive mitigation and protection guidance.
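As an added illustration of the last recommendation, monitoring for high-risk **Azure** management operations, the following detector (example code, not part of Microsoft's report) runs over constructed Activity Log records and flags any caller that succeeds at several distinct high-risk operations across resource types, the Key Vault / SQL / Storage / VM / App Service pivot described above. The operation names are standard Azure resource-provider operations; which ones make up the watchlist, and the sample records, are this example's assumptions.

```python
import json
from collections import defaultdict

# Assumed watchlist: Azure Activity Log operationName -> the behaviour from the report
# it corresponds to. The operation names are standard resource-provider operations;
# which ones to treat as high risk is this example's own choice.
HIGH_RISK_OPS = {
    "Microsoft.KeyVault/vaults/accessPolicies/write": "Key Vault access settings modified",
    "Microsoft.Sql/servers/firewallRules/write": "SQL server firewall rule changed",
    "Microsoft.Storage/storageAccounts/listKeys/action": "storage account keys retrieved",
    "Microsoft.Compute/virtualMachines/runCommand/action": "VM Run Command executed",
    "Microsoft.Compute/virtualMachines/extensions/write": "VM extension (e.g. VMAccess) written",
    "Microsoft.Web/sites/publishxml/action": "App Service deployment credentials fetched",
}

def parse_records(text):
    """Parse newline-delimited JSON Activity Log records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def flag_high_risk_operations(records, min_distinct_ops=2):
    """Group succeeded high-risk operations by caller and report callers that
    performed at least `min_distinct_ops` distinct ones, i.e. a single identity
    pivoting across Key Vault, SQL, Storage, VMs and App Services."""
    by_caller = defaultdict(set)
    for rec in records:
        op = rec.get("operationName", "")
        if op in HIGH_RISK_OPS and rec.get("status") == "Succeeded":
            by_caller[rec.get("caller", "<unknown>")].add(op)
    return {
        caller: sorted(HIGH_RISK_OPS[op] for op in ops)
        for caller, ops in by_caller.items()
        if len(ops) >= min_distinct_ops
    }

# Constructed sample records (not real telemetry); resourceId shortened for brevity.
SAMPLE_LOG = """
{"caller": "ops-admin@example.com", "operationName": "Microsoft.KeyVault/vaults/accessPolicies/write", "status": "Succeeded", "resourceId": ".../vaults/prod-kv"}
{"caller": "ops-admin@example.com", "operationName": "Microsoft.Sql/servers/firewallRules/write", "status": "Succeeded", "resourceId": ".../servers/prod-sql/firewallRules/AllowAll"}
{"caller": "ops-admin@example.com", "operationName": "Microsoft.Storage/storageAccounts/listKeys/action", "status": "Succeeded", "resourceId": ".../storageAccounts/prodblobs"}
{"caller": "ops-admin@example.com", "operationName": "Microsoft.Compute/virtualMachines/runCommand/action", "status": "Succeeded", "resourceId": ".../virtualMachines/web01"}
{"caller": "deploy-pipeline@example.com", "operationName": "Microsoft.Web/sites/publishxml/action", "status": "Succeeded", "resourceId": ".../sites/prod-api"}
{"caller": "jdoe@example.com", "operationName": "Microsoft.KeyVault/vaults/accessPolicies/write", "status": "Failed", "resourceId": ".../vaults/prod-kv"}
{"caller": "jdoe@example.com", "operationName": "Microsoft.Resources/deployments/write", "status": "Succeeded", "resourceId": ".../deployments/nightly"}
"""

if __name__ == "__main__":
    for caller, hits in flag_high_risk_operations(parse_records(SAMPLE_LOG)).items():
        print(f"{caller}: {', '.join(hits)}")
```

The threshold of two distinct operations keeps a routine single-purpose identity (the deployment pipeline fetching a publishing profile) out of the alert while the pivoting identity is reported; in production the same logic would read the Activity Log export rather than the embedded sample.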