Microsoft has revealed details of a sophisticated cloud-focused attack campaign where hackers abused compromised Microsoft Entra ID accounts to move across entire cloud environments, stealing sensitive data from Microsoft 365, Azure storage, Key Vaults, and production systems, largely by abusing legitimate cloud features instead of relying on traditional malware. The threat group behind the operation, tracked as Storm-2949, turned a single identity compromise into a full-scale cloud breach.
For years, cybersecurity was built around one core assumption: protect the device, and you protect the network. Storm-2949 just showed how outdated that assumption has become.
According to Microsoft’s latest threat intelligence report, the attackers didn’t rely on ransomware, exploit kits, or noisy malware payloads. Instead, they focused on something far more valuable in today’s cloud-first world: identity. Specifically, Microsoft Entra ID accounts, the digital keys that quietly connect employees to everything from email and file storage to cloud infrastructure and production environments. And once they got in, they barely needed to “hack” at all.
Microsoft says the campaign unfolded in two major phases. First came identity compromise through highly targeted social engineering attacks. Then came the cloud infrastructure takeover phase, where attackers pivoted into Azure environments, production systems, storage services, and secrets management platforms.
The victims were not random employees. Microsoft says Storm-2949 deliberately targeted IT personnel, administrators, privileged users, and senior leadership accounts likely to have broad organizational access.
The campaign reportedly began with attackers abusing Microsoft’s Self-Service Password Reset (SSPR) workflow. Posing as internal IT support staff, they convinced employees to approve MFA prompts during fake “verification” calls. Once approved, the attackers reset passwords, removed existing authentication methods, and registered their own devices as trusted MFA authenticators, effectively locking legitimate users out while giving themselves persistent access.
No malware popups. No suspicious downloads. Just trust, manipulated carefully.
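The takeover sequence described above (self-service password reset, removal of existing MFA methods, registration of an attacker-controlled method) leaves a recognisable trail in the Entra ID audit log. The following detector is an added example, not code from Microsoft's report: it groups audit records per user and flags a reset followed within a short window by a new security-info registration, rating the case higher when old methods were also deleted. The records are constructed, and the activity names are assumptions modeled on Entra ID audit `activityDisplayName` values that should be checked against what your tenant emits.

```python
"""Spot the SSPR-then-MFA-swap takeover chain in Microsoft Entra ID audit logs.

Added example, not Microsoft's code. The records below are constructed to resemble
Entra ID audit log entries; the activityDisplayName strings are assumptions and
should be checked against the values your tenant actually emits.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (not real tenant data).
SAMPLE_AUDIT_LOG = [
    # alice: reset, old methods removed, new method added, all within minutes from one address
    {"time": "2024-05-01T09:02:11Z", "user": "alice@example.com",
     "activity": "Reset password (self-service)", "ip": "203.0.113.7"},
    {"time": "2024-05-01T09:05:40Z", "user": "alice@example.com",
     "activity": "User deleted security info", "ip": "203.0.113.7"},
    {"time": "2024-05-01T09:06:02Z", "user": "alice@example.com",
     "activity": "User registered security info", "ip": "203.0.113.7"},
    # bob: legitimate reset, new method added the next day
    {"time": "2024-05-01T11:30:00Z", "user": "bob@example.com",
     "activity": "Reset password (self-service)", "ip": "198.51.100.20"},
    {"time": "2024-05-02T08:15:00Z", "user": "bob@example.com",
     "activity": "User registered security info", "ip": "198.51.100.20"},
    # carol: only a new method registered, nothing else
    {"time": "2024-05-01T14:00:00Z", "user": "carol@example.com",
     "activity": "User registered security info", "ip": "192.0.2.9"},
    # dave: reset quickly followed by a new method, but existing methods not removed
    {"time": "2024-05-01T16:00:00Z", "user": "dave@example.com",
     "activity": "Reset password (self-service)", "ip": "203.0.113.7"},
    {"time": "2024-05-01T16:09:00Z", "user": "dave@example.com",
     "activity": "User registered security info", "ip": "203.0.113.8"},
]

RESET = "Reset password (self-service)"
DELETED_METHOD = "User deleted security info"
REGISTERED_METHOD = "User registered security info"
WINDOW = timedelta(minutes=30)


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_takeover_chains(records, window=WINDOW):
    """Return one alert per user whose trail shows a self-service password reset followed,
    within `window`, by registration of a new MFA method. Severity is 'high' when existing
    methods were also deleted (the full lock-out pattern), otherwise 'medium'."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["user"]].append(rec)

    alerts = []
    for user, recs in by_user.items():
        recs.sort(key=lambda r: parse_time(r["time"]))
        for i, start in enumerate(recs):
            if start["activity"] != RESET:
                continue
            t0 = parse_time(start["time"])
            chain = [start] + [r for r in recs[i + 1:] if parse_time(r["time"]) - t0 <= window]
            activities = {r["activity"] for r in chain}
            if REGISTERED_METHOD not in activities:
                continue
            severity = "high" if DELETED_METHOD in activities else "medium"
            alerts.append({
                "user": user,
                "severity": severity,
                "start": start["time"],
                "activities": [r["activity"] for r in chain],
                # Every step from one address is consistent with a single operator driving the flow
                "single_source_ip": len({r["ip"] for r in chain}) == 1,
            })
            break  # one alert per user; analysts then review the full trail
    return sorted(alerts, key=lambda a: a["user"])


if __name__ == "__main__":
    for alert in find_takeover_chains(SAMPLE_AUDIT_LOG):
        print(alert["severity"].upper(), alert["user"], alert["activities"],
              "single IP:", alert["single_source_ip"])
```

The window and the two-tier severity are tuning choices: a genuine helpdesk-assisted reset can also be followed by a new method registration, so the deletion of existing methods is what most sharply separates the lock-out pattern from routine re-enrolment.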
From there, Storm-2949 moved with remarkable precision. Using legitimate Microsoft Graph API requests, the attackers mapped users, roles, and service principals inside Entra ID, identifying privileged accounts and high-value targets. Then came the expansion phase: OneDrive, SharePoint, Azure subscriptions, Key Vaults, SQL databases, storage accounts, Azure App Services, and even production application environments.
And the most unsettling part? Much of it looked like normal administrative activity. Microsoft says the attackers heavily abused legitimate cloud management features rather than deploying custom malware. They modified firewall rules, extracted secrets from Key Vaults, listed storage account keys, enabled temporary public access to sensitive resources, and abused Azure deployment publishing profiles to retrieve credentials tied to connected applications and cloud services, all while blending into expected cloud behavior.
This is what modern cyberattacks are becoming: not breaking systems, but borrowing permissions. The group also leveraged tools like ScreenConnect and Azure VM Run Command features to move laterally and harvest credentials from virtual machines. But unlike traditional intrusions, the endpoint systems themselves were often just stepping stones toward cloud data and privileged infrastructure.
Microsoft says the attackers even attempted to establish deeper persistence by adding credentials to compromised service principals. In at least one case, the move reportedly failed because of insufficient permissions, highlighting how least-privilege controls can still slow attackers down even after an account is compromised.
The attackers also reportedly stole storage account keys and Shared Access Signature (SAS) tokens, then used custom Python scripts built on Azure SDKs to automate large-scale data collection and exfiltration. Microsoft says the activity continued across multiple days, with the attackers switching between secret-based and OAuth authentication methods as defenders responded.
That shift matters. Organizations spent years preparing for malware-driven attacks while attackers quietly adapted to something else entirely: identity-driven compromise. If an attacker already holds trusted credentials and a registered MFA method, many traditional defenses become far less effective.
The operation also highlights a broader reality about modern cloud infrastructure. One compromised identity no longer affects just email or files. In highly connected enterprise environments, it can become a bridge into storage systems, applications, developer infrastructure, secrets management platforms, and production workloads all at once.
And that’s exactly what Storm-2949 exploited. Security researchers are already calling the campaign a textbook example of “living off the land” in cloud environments, where attackers abuse the same legitimate tools administrators use every day. But the bigger concern is that this wasn’t just identity theft. It was a control-plane compromise, where attackers manipulated the very cloud management layer organizations depend on to operate securely.
Microsoft has since urged organizations to deploy phishing-resistant MFA protections, restrict privileged access, harden Azure configurations, enforce least-privilege access models, and closely monitor identity behavior instead of relying only on endpoint alerts. The company also emphasized the importance of correlating signals across identities, cloud infrastructure, endpoints, and SaaS applications to detect attacks that otherwise appear legitimate.
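The correlation Microsoft recommends can be approximated at the control-plane level by watching for a single caller touching several resource providers in quick succession, which is the pattern the campaign above describes (firewall rules, Key Vault configuration, storage keys, publishing profiles, VM Run Command). The detector below is an added example, not Microsoft's or Azure's own code: it scores weighted operations per caller within a sliding window and only alerts when the activity also spans several distinct providers, so a pipeline identity repeating one legitimate call does not trip it. Records are constructed, and the operation names are assumptions modeled on Azure Activity Log operation names that should be verified against your subscription.

```python
"""Correlate high-impact Azure control-plane operations per caller across services.

Added example, not Microsoft's code. The records are constructed to resemble Azure
Activity Log entries; the operation names are assumptions modeled on Azure resource
provider operations and should be checked against what your subscription emits.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Weight per operation: how much credential or exposure impact one call carries. Assumed names.
RISKY_OPERATIONS = {
    "Microsoft.Storage/storageAccounts/listKeys/action": 3,            # storage account keys
    "Microsoft.Web/sites/publishxml/action": 3,                        # deployment publishing profile
    "Microsoft.Compute/virtualMachines/runCommand/action": 3,          # command execution inside a VM
    "Microsoft.Storage/storageAccounts/write": 2,                      # network rules / public access
    "Microsoft.Network/networkSecurityGroups/securityRules/write": 2,  # firewall rule change
    "Microsoft.KeyVault/vaults/write": 2,                              # vault access or network config
}

# Constructed sample activity records (not real subscription data).
SAMPLE_ACTIVITY_LOG = [
    # svc-ops: one caller touching five services in 40 minutes
    {"time": "2024-05-01T10:00:00Z", "caller": "svc-ops@example.com",
     "operation": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
    {"time": "2024-05-01T10:05:00Z", "caller": "svc-ops@example.com",
     "operation": "Microsoft.KeyVault/vaults/write"},
    {"time": "2024-05-01T10:12:00Z", "caller": "svc-ops@example.com",
     "operation": "Microsoft.Storage/storageAccounts/listKeys/action"},
    {"time": "2024-05-01T10:25:00Z", "caller": "svc-ops@example.com",
     "operation": "Microsoft.Web/sites/publishxml/action"},
    {"time": "2024-05-01T10:40:00Z", "caller": "svc-ops@example.com",
     "operation": "Microsoft.Compute/virtualMachines/runCommand/action"},
    # admin: two changes hours apart, routine maintenance
    {"time": "2024-05-01T08:00:00Z", "caller": "admin@example.com",
     "operation": "Microsoft.Storage/storageAccounts/write"},
    {"time": "2024-05-01T15:30:00Z", "caller": "admin@example.com",
     "operation": "Microsoft.Network/networkSecurityGroups/securityRules/write"},
    # deploy-sp: a pipeline identity fetching publishing profiles for two apps
    {"time": "2024-05-01T12:00:00Z", "caller": "deploy-sp",
     "operation": "Microsoft.Web/sites/publishxml/action"},
    {"time": "2024-05-01T12:01:00Z", "caller": "deploy-sp",
     "operation": "Microsoft.Web/sites/publishxml/action"},
    {"time": "2024-05-01T12:02:00Z", "caller": "deploy-sp",
     "operation": "Microsoft.Web/sites/config/list/action"},  # not in the risky table: ignored
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def provider_of(operation):
    """'Microsoft.Storage/storageAccounts/listKeys/action' -> 'Microsoft.Storage'."""
    return operation.split("/", 1)[0]


def correlate_callers(records, window=timedelta(hours=2), threshold=6, min_providers=3):
    """Flag callers whose risky operations within `window` reach `threshold` AND span at least
    `min_providers` distinct resource providers. The breadth requirement is what separates an
    identity pivoting across the cloud from a pipeline repeating one legitimate call."""
    by_caller = defaultdict(list)
    for rec in records:
        if rec["operation"] in RISKY_OPERATIONS:
            by_caller[rec["caller"]].append(rec)

    alerts = []
    for caller, recs in by_caller.items():
        recs.sort(key=lambda r: parse_time(r["time"]))
        for i, start in enumerate(recs):
            t0 = parse_time(start["time"])
            span = [r for r in recs[i:] if parse_time(r["time"]) - t0 <= window]
            score = sum(RISKY_OPERATIONS[r["operation"]] for r in span)
            providers = {provider_of(r["operation"]) for r in span}
            if score >= threshold and len(providers) >= min_providers:
                alerts.append({
                    "caller": caller,
                    "window_start": start["time"],
                    "score": score,
                    "providers": sorted(providers),
                    "operations": [r["operation"] for r in span],
                })
                break  # first qualifying window per caller
    return sorted(alerts, key=lambda a: a["caller"])


if __name__ == "__main__":
    for alert in correlate_callers(SAMPLE_ACTIVITY_LOG):
        print(alert["caller"], "score", alert["score"], "providers", alert["providers"])
```

In practice the caller field would be joined against the identity signals (recent SSPR activity, new MFA registrations, sign-ins from unfamiliar locations) before alerting, which is the cross-source correlation the report calls for; the breadth threshold here is what keeps a busy but legitimate automation identity from being flagged for repeating one call.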