Microsoft Uncovers Sophisticated Cloud-Based Data Exfiltration Campaign by Storm-2949
Microsoft Threat Intelligence recently exposed a highly coordinated cyberattack by the threat actor Storm-2949 that targeted a single organization's cloud infrastructure to exfiltrate sensitive data. The campaign spanned Microsoft 365 applications, Azure-hosted production environments, and file-hosting services, and it illustrates a shift in attacker tactics toward identity compromise and control-plane access rather than traditional malware-based methods.
Attack Overview
Storm-2949 carried out a two-phase intrusion: targeted identity compromise first, then escalation to a full-scale cloud infrastructure breach. Throughout, the threat actor used legitimate Azure management features, so malicious activity blended with expected administrative behavior and evaded detection.
Phase 1: Identity Compromise via Social Engineering & SSPR Abuse
- Initial Access: Storm-2949 used social engineering to manipulate Microsoft's Self-Service Password Reset (SSPR) process, tricking users, including IT personnel and senior leadership, into approving fraudulent MFA prompts.
- Persistence: After gaining access, the attacker removed the victims' existing MFA methods, enrolled an attacker-controlled device in Microsoft Authenticator, and locked the legitimate users out.
- Discovery: Using the Microsoft Graph API, the threat actor ran automated queries to enumerate users, applications, and privileged identities, identifying high-value targets.
Phase 2: Cloud Infrastructure Compromise & Data Exfiltration
- Microsoft 365 Exfiltration: Storm-2949 accessed OneDrive and SharePoint and downloaded thousands of files, including VPN configurations and remote access documents, to facilitate lateral movement.
- Azure App Service & Key Vault Breach:
  - The attacker exploited Azure RBAC permissions to retrieve publishing profiles from auxiliary web apps, gaining credentials for FTP, Web Deploy, and Kudu consoles.
  - After failing to access the primary production app, they pivoted to Azure Key Vault and extracted database connection strings, credentials, and secrets, ultimately compromising the target web app.
- Azure Storage & SQL Data Theft:
  - Storm-2949 manipulated firewall rules to reach Azure SQL databases and storage accounts, then used SAS tokens and account keys to exfiltrate large volumes of data via custom Python scripts.
- Virtual Machine (VM) Compromise:
  - The attacker deployed VMAccess extensions to create backdoor admin accounts and used Run Command to execute scripts, attempting token theft and credential harvesting.
  - ScreenConnect was installed for remote access, alongside efforts to disable Microsoft Defender protections and obscure forensic traces.
Impact & Key Observations
- No Traditional Malware: Storm-2949 relied on legitimate cloud features, making detection harder by mimicking normal administrative activity.
- Identity-Centric Attack: The campaign underscored how compromised cloud identities can enable lateral movement and data exfiltration with minimal indicators of compromise.
- Defense Evasion: The threat actor cleared logs, manipulated configurations, and used RMM tools to maintain persistence while avoiding detection.
Microsoft’s Defender suite generated cross-domain alerts, correlating activity across endpoints, identities, and cloud environments to provide a unified view of the attack. The incident highlights the growing trend of cloud-focused threats, where attackers exploit misconfigured permissions, weak identity controls, and legitimate administrative tools to achieve their objectives.
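The cross-domain correlation described above, as an added illustration that is not code from Microsoft's report or from Defender: a small Python correlator over constructed, simplified audit events showing why the sequence (MFA method removed, new method enrolled, then several control-plane actions within a short window) is the signal, while each action on its own looks like routine administration. The event names, fields and actor names are assumed for the example and are not a real Entra ID or Azure Activity Log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified, assumed schema (not real
# Entra ID / Azure Activity Log fields): who acted, what happened, when.
SAMPLE_EVENTS = [
    {"ts": "2026-05-01T09:00:00", "actor": "cfo@corp.example", "action": "mfa_method_removed"},
    {"ts": "2026-05-01T09:02:00", "actor": "cfo@corp.example", "action": "auth_method_registered"},
    {"ts": "2026-05-01T09:30:00", "actor": "cfo@corp.example", "action": "keyvault_secret_list"},
    {"ts": "2026-05-01T10:05:00", "actor": "cfo@corp.example", "action": "storage_firewall_rule_changed"},
    {"ts": "2026-05-01T11:00:00", "actor": "cfo@corp.example", "action": "vm_extension_deployed"},
    # Routine admin: enrolled a new method (no removal) and read one vault.
    {"ts": "2026-05-01T08:00:00", "actor": "itadmin@corp.example", "action": "auth_method_registered"},
    {"ts": "2026-05-01T08:10:00", "actor": "itadmin@corp.example", "action": "keyvault_secret_list"},
]

# Identity takeover pattern: existing MFA removed AND a new method enrolled.
IDENTITY_TAKEOVER = {"mfa_method_removed", "auth_method_registered"}
# Control-plane actions seen in the campaign; each is legitimate on its own.
CONTROL_PLANE = {
    "keyvault_secret_list", "storage_firewall_rule_changed",
    "sql_firewall_rule_changed", "vm_extension_deployed", "vm_run_command",
}


def correlate(events, window_hours=4, min_control_plane=2):
    """Return {actor: sorted control-plane actions} for actors whose MFA
    removal + re-enrollment is followed, within window_hours, by at least
    min_control_plane distinct control-plane actions."""
    by_actor = {}
    for e in events:
        by_actor.setdefault(e["actor"], []).append(e)
    findings = {}
    for actor, evs in by_actor.items():
        actions = {e["action"] for e in evs}
        if not IDENTITY_TAKEOVER <= actions:
            continue  # no removal + re-enrollment pair: ordinary MFA churn
        start = min(datetime.fromisoformat(e["ts"])
                    for e in evs if e["action"] in IDENTITY_TAKEOVER)
        end = start + timedelta(hours=window_hours)
        followed = sorted({e["action"] for e in evs
                           if e["action"] in CONTROL_PLANE
                           and start <= datetime.fromisoformat(e["ts"]) <= end})
        if len(followed) >= min_control_plane:
            findings[actor] = followed
    return findings


if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

Tuning window_hours and min_control_plane trades sensitivity against noise from legitimate onboarding, where a new device enrollment is normal but removal of all prior methods followed by secret reads is not.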
(Indicators of compromise, including attacker IP addresses and ScreenConnect instances, were identified; the published list is not exhaustive.)
Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-threat-intelligence
{
  "id": "mic1779164698",
  "linkid": "microsoft-threat-intelligence",
  "type": "Cyber Attack",
  "date": "5/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [{"type": "Organization"}],
  "attack_vector": [
    "Social Engineering",
    "Self-Service Password Reset (SSPR) Abuse",
    "Microsoft Graph API Exploitation",
    "Azure RBAC Exploitation",
    "Azure Key Vault Compromise",
    "Virtual Machine (VM) Compromise"
  ],
  "data_breach": {
    "data_exfiltration": true,
    "sensitivity_of_data": "High",
    "type_of_data_compromised": [
      "VPN configurations",
      "Remote access documents",
      "Database connection strings",
      "Credentials",
      "Secrets"
    ]
  },
  "description": "Microsoft Threat Intelligence recently exposed a highly coordinated cyberattack by the threat actor Storm-2949, targeting a single organization’s cloud infrastructure to exfiltrate sensitive data. The campaign spanned Microsoft 365 applications, Azure-hosted production environments, and file-hosting services, demonstrating a shift in attacker tactics prioritizing identity compromise and control-plane access over traditional malware-based methods.",
  "impact": {
    "data_compromised": "Thousands of files including VPN configurations, remote access documents, database connection strings, credentials, and secrets",
    "identity_theft_risk": "High (compromised identities and credentials)",
    "operational_impact": "Lateral movement within cloud infrastructure, unauthorized remote access, and data exfiltration",
    "systems_affected": [
      "Microsoft 365 (OneDrive, SharePoint)",
      "Azure App Service",
      "Azure Key Vault",
      "Azure SQL Databases",
      "Azure Storage Accounts",
      "Virtual Machines"
    ]
  },
  "initial_access_broker": {
    "backdoors_established": [
      "Microsoft Authenticator enrollment",
      "Backdoor admin accounts via VMAccess extensions"
    ],
    "entry_point": "Social Engineering (SSPR Abuse)",
    "high_value_targets": ["IT personnel", "Senior leadership"]
  },
  "lessons_learned": "The incident highlights the growing trend of cloud-focused threats, where attackers exploit misconfigured permissions, weak identity controls, and legitimate administrative tools to achieve their objectives. Identity-centric attacks can enable lateral movement and data exfiltration with minimal indicators of compromise.",
  "motivation": "Data Exfiltration",
  "post_incident_analysis": {
    "root_causes": [
      "Identity compromise via social engineering",
      "Exploitation of legitimate cloud administrative tools",
      "Misconfigured Azure RBAC permissions"
    ]
  },
  "references": [{"source": "Microsoft Threat Intelligence"}],
  "response": {
    "enhanced_monitoring": "Microsoft Defender suite generated cross-domain alerts"
  },
  "threat_actor": "Storm-2949",
  "title": "Microsoft Uncovers Sophisticated Cloud-Based Data Exfiltration Campaign by Storm-2949",
  "type": "Data Exfiltration",
  "vulnerability_exploited": [
    "Misconfigured Azure RBAC permissions",
    "Weak identity controls",
    "Legitimate cloud administrative tools"
  ]
}