Storm-2949 is stealing sensitive data from Microsoft 365 and Azure production environments by abusing legitimate administration features and socially engineering privileged users. Microsoft says the group used compromised Entra ID accounts, Azure RBAC permissions, and cloud management tools to extract secrets, files, and credentials from victim organizations. #Storm-2949 #Microsoft365 #Azure #MicrosoftEntraID #MicrosoftGraphAPI #AzureKeyVault #MicrosoftDefender #ScreenConnect
Key points
- Storm-2949 targets Microsoft 365 and Azure production environments to exfiltrate sensitive data.
- The attackers use social engineering and SSPR abuse to steal Microsoft Entra ID credentials.
- Compromised accounts are used to enumerate users, roles, apps, and service principals via Microsoft Graph API.
- The group pivots into Azure resources, stealing secrets from Key Vaults and data from SQL, Storage, and VMs.
- Microsoft recommends least privilege, conditional access, phishing-resistant MFA, and tighter Azure monitoring.
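Added example, not from the original post or from Microsoft's guidance: a small detector for the sequence the key points describe, a self-service password reset followed shortly by reads across several directory object types through the Graph API, written from the monitoring side. The event schema, field names and sample records are constructed and simplified, not Microsoft's actual log format.

```python
from datetime import datetime, timedelta

# Constructed, simplified event records (hypothetical schema, not Microsoft's):
# each has a UTC timestamp, the acting account, an event kind and a target.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "actor": "admin@contoso.example", "kind": "sspr_reset", "target": "admin@contoso.example"},
    {"ts": "2024-05-01T09:04:00", "actor": "admin@contoso.example", "kind": "graph_read", "target": "users"},
    {"ts": "2024-05-01T09:05:00", "actor": "admin@contoso.example", "kind": "graph_read", "target": "directoryRoles"},
    {"ts": "2024-05-01T09:06:00", "actor": "admin@contoso.example", "kind": "graph_read", "target": "applications"},
    {"ts": "2024-05-01T09:07:00", "actor": "admin@contoso.example", "kind": "graph_read", "target": "servicePrincipals"},
    # Reset followed by a single read well outside the window: benign helpdesk activity.
    {"ts": "2024-05-01T10:00:00", "actor": "helpdesk@contoso.example", "kind": "sspr_reset", "target": "helpdesk@contoso.example"},
    {"ts": "2024-05-01T10:30:00", "actor": "helpdesk@contoso.example", "kind": "graph_read", "target": "users"},
    # Directory reads with no preceding reset: routine auditing, not flagged.
    {"ts": "2024-05-01T11:00:00", "actor": "auditor@contoso.example", "kind": "graph_read", "target": "users"},
    {"ts": "2024-05-01T11:01:00", "actor": "auditor@contoso.example", "kind": "graph_read", "target": "directoryRoles"},
]

# Directory object types whose broad enumeration after a reset is suspicious.
DIRECTORY_OBJECTS = {"users", "directoryRoles", "applications", "servicePrincipals"}


def find_reset_then_enumerate(events, window=timedelta(minutes=15), min_kinds=3):
    """Return {actor: [object types read]} for actors whose password reset is
    followed, within `window`, by reads of at least `min_kinds` distinct
    directory object types. Thresholds are illustrative assumptions."""
    by_actor = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        by_actor.setdefault(e["actor"], []).append(e)
    flagged = {}
    for actor, evs in by_actor.items():
        for i, e in enumerate(evs):
            if e["kind"] != "sspr_reset":
                continue
            t0 = datetime.fromisoformat(e["ts"])
            seen = set()
            for later in evs[i + 1:]:
                if datetime.fromisoformat(later["ts"]) - t0 > window:
                    break  # events are sorted, so nothing later can be in the window
                if later["kind"] == "graph_read" and later["target"] in DIRECTORY_OBJECTS:
                    seen.add(later["target"])
            if len(seen) >= min_kinds:
                flagged[actor] = sorted(seen)
    return flagged


if __name__ == "__main__":
    print(find_reset_then_enumerate(EVENTS))
```

Tuning the window and the minimum number of object types against a tenant's normal helpdesk and automation traffic is what separates a useful alert from noise.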