Storm-2949 Exploits Microsoft Entra ID in Large-Scale Cloud Data Theft Campaign
A sophisticated cloud attack campaign by the threat actor Storm-2949 has targeted Microsoft Entra ID accounts, enabling large-scale data theft from Microsoft 365 and Azure environments without relying on traditional malware. The campaign, disclosed by Microsoft, highlights a shift in attacker tradecraft toward abusing legitimate cloud management tools and APIs to infiltrate and exfiltrate sensitive data across the SaaS, PaaS, and IaaS layers.
Attack Execution
Storm-2949 gained initial access through social engineering that abused Microsoft Entra ID's Self-Service Password Reset (SSPR) process. Attackers impersonated IT support staff and tricked users into approving fraudulent multi-factor authentication (MFA) prompts (MFA fatigue). Once a prompt was approved, they reset the password, removed the victim's existing authentication methods, and registered their own devices, locking the legitimate user out of the account.
After establishing a foothold, the attackers used custom Python scripts that issued Microsoft Graph API queries to enumerate privileged accounts. They then targeted OneDrive and SharePoint, bulk-downloading sensitive files, including VPN configurations and remote access procedures.
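The takeover sequence described above (self-service reset, removal of the victim's existing authentication methods, registration of attacker-controlled methods or devices) is visible in the Entra ID audit log as a short run of events for one user. The following detection logic is an added example, not code from the article or from Microsoft's report: it correlates those events per user inside a time window and also flags any event sourced from the IP addresses published with the article. The export layout (flat records with `time`, `user`, `activity`, `ip`), the activity strings, and the sample records are constructed assumptions; the activity names mirror Entra audit `activityDisplayName` values but should be checked against your tenant's export.

```python
"""Correlate Entra ID audit-log events into the SSPR account-takeover sequence.

Added example, not code from the article or from Microsoft's report.
Assumptions: the export is a list of flat dicts with the fields below; the
activity strings mirror Entra audit activityDisplayName values but are
treated here as assumed; the sample records are constructed.
"""
from datetime import datetime, timedelta

# IoC IP addresses published with the article (defanging brackets removed).
IOC_IPS = {"176.123.4.44", "91.208.197.87", "185.241.208.243"}

RESET = "Reset password (self-service)"
REMOVED_METHOD = {"User deleted security info", "Admin deleted security info"}
ADDED_METHOD = {"User registered security info", "Register device"}

# Constructed sample export (UTC timestamps, one tenant).
SAMPLE_AUDIT_LOG = [
    # Attacker: reset, strip the victim's MFA, enrol their own method and device.
    {"time": "2026-05-04T09:01:10Z", "user": "it.admin@contoso.example",
     "activity": RESET, "ip": "176.123.4.44"},
    {"time": "2026-05-04T09:03:42Z", "user": "it.admin@contoso.example",
     "activity": "User deleted security info", "ip": "176.123.4.44"},
    {"time": "2026-05-04T09:04:05Z", "user": "it.admin@contoso.example",
     "activity": "User registered security info", "ip": "176.123.4.44"},
    {"time": "2026-05-04T09:06:30Z", "user": "it.admin@contoso.example",
     "activity": "Register device", "ip": "176.123.4.44"},
    # Benign: a user resets their password and changes nothing else.
    {"time": "2026-05-04T10:15:00Z", "user": "alice@contoso.example",
     "activity": RESET, "ip": "203.0.113.9"},
    # Benign: security-info change days after a reset falls outside the window.
    {"time": "2026-05-01T08:00:00Z", "user": "bob@contoso.example",
     "activity": RESET, "ip": "203.0.113.20"},
    {"time": "2026-05-04T11:00:00Z", "user": "bob@contoso.example",
     "activity": "User deleted security info", "ip": "203.0.113.20"},
]


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps used in the sample export."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_sspr_takeovers(events, window_minutes=60):
    """Return one alert per self-service reset that is followed, within the
    window, by BOTH removal of an existing authentication method AND
    registration of a new method or device for the same user."""
    by_user = {}
    for e in events:
        by_user.setdefault(e["user"], []).append(e)
    alerts = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: parse_ts(e["time"]))
        for i, e in enumerate(user_events):
            if e["activity"] != RESET:
                continue
            deadline = parse_ts(e["time"]) + timedelta(minutes=window_minutes)
            followups = [f for f in user_events[i + 1:]
                         if parse_ts(f["time"]) <= deadline
                         and f["activity"] in REMOVED_METHOD | ADDED_METHOD]
            seen = {f["activity"] for f in followups}
            if not (seen & REMOVED_METHOD and seen & ADDED_METHOD):
                continue
            ips = {x["ip"] for x in [e, *followups]}
            alerts.append({
                "user": user,
                "reset_at": e["time"],
                "sequence": [f["activity"] for f in followups],
                "ips": sorted(ips),
                "ioc_hit": bool(ips & IOC_IPS),
            })
    return alerts


def ioc_hits(events):
    """Events originating from a published IoC address, regardless of sequence."""
    return [e for e in events if e["ip"] in IOC_IPS]


if __name__ == "__main__":
    for alert in detect_sspr_takeovers(SAMPLE_AUDIT_LOG):
        print(alert)
```

Requiring both a removal and an addition keeps ordinary password resets and routine MFA re-enrolment out of the alert queue; the window is deliberately short because the whole sequence, as described, happens within minutes of the approved prompt.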
Azure Compromise & Lateral Movement
With compromised accounts holding privileged Azure RBAC permissions, Storm-2949 moved into Azure environments, targeting:
- Key Vaults (extracting database credentials and secrets)
- Storage accounts (manipulating access settings to generate Shared Access Signature (SAS) tokens)
- SQL databases (altering server firewall rules to enable unauthorized access)
- Azure Virtual Machines (deploying the VMAccess extension to create backdoor administrator accounts, then disabling Microsoft Defender and installing the ScreenConnect remote access tool)
The attackers exfiltrated large volumes of data over several days, then cleared Windows event logs and removed other forensic artifacts on the compromised hosts to evade detection.
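Each Azure step above leaves a control-plane or data-plane record: the VMAccess extension write, the SQL firewall rule write, the storage SAS/key retrieval, and the Key Vault secret reads. The following triage logic is an added example, not the article's or Microsoft's code. It takes a merged, flattened feed of Azure Activity Log records and Key Vault diagnostic records (`SecretGet`); the field layout, the thresholds, and the sample records are constructed assumptions (real Activity Log entries carry the extension's publisher and type inside a serialized request body rather than as top-level properties, so a production version would parse that first):

```python
"""Flag the Azure control-plane operations the campaign chained together.

Added example, not the article's or Microsoft's code. It assumes a merged feed
of Azure Activity Log records (control plane) and Key Vault diagnostic records
(data plane, operationName "SecretGet"), flattened to the fields used below.
Record shapes, thresholds and the sample records are constructed assumptions.
"""
import ipaddress
from collections import Counter, defaultdict
from datetime import datetime, timedelta

EXT_WRITE = "Microsoft.Compute/virtualMachines/extensions/write"
SQL_FW_WRITE = "Microsoft.Sql/servers/firewallRules/write"
VM_ACCESS_EXTENSIONS = {"VMAccessAgent", "VMAccessForLinux"}  # VMAccess extension types
STORAGE_KEY_OPS = {
    "Microsoft.Storage/storageAccounts/ListAccountSas/action",
    "Microsoft.Storage/storageAccounts/listKeys/action",
    "Microsoft.Storage/storageAccounts/regenerateKey/action",
}
SQL_RANGE_LIMIT = 256   # assumed tuning: flag firewall rules wider than a /24
SECRET_READ_LIMIT = 3   # assumed tuning: secret reads per caller per hour

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg/providers"
ATTACKER, SPN, DBA = "it.admin@contoso.example", "deploy-sp@contoso.example", "dba@contoso.example"


def rec(time, caller, op, resource, **props):
    """Build one flattened log record (helper for the constructed sample)."""
    return {"time": time, "caller": caller, "operationName": op,
            "resourceId": SUB + resource, "properties": props}


SAMPLE_LOG = [
    # Compromised privileged account working through the chain described in the article.
    rec("2026-05-05T02:10:00Z", ATTACKER, "SecretGet", "/Microsoft.KeyVault/vaults/prod-kv",
        id="https://prod-kv.vault.azure.net/secrets/sql-admin-password"),
    rec("2026-05-05T02:11:00Z", ATTACKER, "SecretGet", "/Microsoft.KeyVault/vaults/prod-kv",
        id="https://prod-kv.vault.azure.net/secrets/storage-conn-string"),
    rec("2026-05-05T02:12:00Z", ATTACKER, "SecretGet", "/Microsoft.KeyVault/vaults/prod-kv",
        id="https://prod-kv.vault.azure.net/secrets/vpn-psk"),
    rec("2026-05-05T02:20:00Z", ATTACKER, "Microsoft.Storage/storageAccounts/ListAccountSas/action",
        "/Microsoft.Storage/storageAccounts/prodfiles"),
    rec("2026-05-05T02:31:00Z", ATTACKER, SQL_FW_WRITE, "/Microsoft.Sql/servers/prod-sql/firewallRules/AllowAll",
        startIpAddress="0.0.0.0", endIpAddress="255.255.255.255"),
    rec("2026-05-05T02:45:00Z", ATTACKER, EXT_WRITE, "/Microsoft.Compute/virtualMachines/app01/extensions/VMAccessAgent",
        publisher="Microsoft.Compute", type="VMAccessAgent"),
    # Routine activity that must not fire.
    rec("2026-05-05T03:00:00Z", SPN, EXT_WRITE, "/Microsoft.Compute/virtualMachines/app02/extensions/AzureMonitorWindowsAgent",
        publisher="Microsoft.Azure.Monitor", type="AzureMonitorWindowsAgent"),
    rec("2026-05-05T03:05:00Z", DBA, SQL_FW_WRITE, "/Microsoft.Sql/servers/prod-sql/firewallRules/office",
        startIpAddress="203.0.113.10", endIpAddress="203.0.113.10"),
    rec("2026-05-05T03:10:00Z", SPN, "SecretGet", "/Microsoft.KeyVault/vaults/prod-kv",
        id="https://prod-kv.vault.azure.net/secrets/app-cert"),
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def ip_range_size(start, end):
    """Number of addresses a start/end firewall rule admits."""
    return int(ipaddress.ip_address(end)) - int(ipaddress.ip_address(start)) + 1


def _finding(r, rule):
    return {"time": r["time"], "caller": r["caller"], "rule": rule, "resource": r["resourceId"]}


def triage(records):
    """Return findings for the operations the campaign chained: VMAccess extension
    writes, wide SQL firewall rules, storage SAS/key retrieval, and bursts of
    Key Vault secret reads by one caller inside an hour."""
    findings, secret_reads = [], defaultdict(list)
    for r in records:
        op, props = r["operationName"], r["properties"]
        if op == EXT_WRITE and props.get("type") in VM_ACCESS_EXTENSIONS:
            findings.append(_finding(r, "vm_access_extension_deployed"))
        elif op == SQL_FW_WRITE:
            # 0.0.0.0-0.0.0.0 is the 'Allow Azure services' rule (size 1); only wide ranges fire.
            if ip_range_size(props["startIpAddress"], props["endIpAddress"]) > SQL_RANGE_LIMIT:
                findings.append(_finding(r, "sql_firewall_opened_widely"))
        elif op in STORAGE_KEY_OPS:
            findings.append(_finding(r, "storage_key_or_sas_issued"))
        elif op == "SecretGet":
            secret_reads[r["caller"]].append(r)
    for caller, reads in secret_reads.items():
        reads.sort(key=lambda x: parse_ts(x["time"]))
        for i, first in enumerate(reads):  # sliding one-hour window per caller
            burst = [x for x in reads[i:]
                     if parse_ts(x["time"]) - parse_ts(first["time"]) <= timedelta(hours=1)]
            if len(burst) >= SECRET_READ_LIMIT:
                f = _finding(first, "key_vault_secret_harvesting")
                f["count"] = len(burst)
                findings.append(f)
                break
    return findings


def summarize_by_caller(records):
    """Findings per caller: one identity tripping several rules is the campaign's signature."""
    return Counter(f["caller"] for f in triage(records))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
    print(dict(summarize_by_caller(SAMPLE_LOG)))
```

The per-caller summary is the useful pivot: any one of these operations is routine for some administrator, but a single identity touching Key Vault, storage, SQL firewall rules and a VM extension in one session is the pattern the article describes. Defender disablement, the ScreenConnect install and the event-log clearing happen inside the VM and show up in endpoint telemetry, not in the Activity Log, so this logic needs to be paired with host-level detection; the Activity Log is also retained for only 90 days unless exported to a workspace.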
Impact & Indicators of Compromise (IoCs)
The campaign demonstrates how threat actors now prioritize cloud identities and control-plane access over device-level exploits. Microsoft's report confirms the attackers' focus on high-value targets, including IT staff and senior leadership accounts, which suggests prior reconnaissance of the victim organizations.
Known IoCs:
- IP addresses:
  - 176.123.4[.]44
  - 91.208.197[.]87
  - 185.241.208[.]243 (ScreenConnect infrastructure)
Source: https://cybersecuritynews.com/hackers-abuse-microsoft-entra-id-accounts/
Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-entra
Record: id mic1779208971; linkid microsoft-entra; type Cyber Attack; date 5/2026; severity 100; impact 5 (explanation: "Attack threatening the organization's existence")
Affected entities: Organizations using Microsoft Entra ID, Microsoft 365, and Azure
Attack vector: Social Engineering; MFA Exploitation; Microsoft Graph API Abuse
Data breach: data exfiltration: Yes; sensitivity of data: High; types of data compromised: VPN configurations, remote access procedures, database credentials, secrets, storage account access settings, SQL database data
Impact: data compromised: sensitive files (VPN configurations, remote access procedures), database credentials, secrets, storage account access settings, SQL databases, Azure VM backdoor accounts; identity theft risk: High (privileged account compromise); operational impact: unauthorized access to cloud environments, data exfiltration, forensic artifact removal; systems affected: Microsoft 365, Azure (Key Vaults, Storage Accounts, SQL Databases, Virtual Machines), OneDrive, SharePoint
Initial access: entry point: Social Engineering (MFA Exploitation); backdoors established: Azure VM backdoor admin accounts, ScreenConnect installation; high-value targets: IT staff, senior leadership accounts; reconnaissance period: Likely (targeting high-value accounts)
Lessons learned: Threat actors prioritize cloud identities and control-plane access over device-level exploits. High-value assets like IT staff and senior leadership accounts are prime targets, indicating prior reconnaissance.
Motivation: Data Theft
Root causes: exploitation of the Microsoft Entra ID Self-Service Password Reset process; MFA fatigue attacks; abuse of legitimate cloud management tools
References: Microsoft Report
Threat actor: Storm-2949
Type: Cloud Data Theft
Vulnerability exploited: Microsoft Entra ID Self-Service Password Reset process