Microsoft: Hackers Abuse Azure RBAC Permissions To Steal Key Vault Secrets

Microsoft Uncovers Storm-0249’s Cloud-Based Data Exfiltration Attack Targeting Azure and Microsoft 365

Microsoft Threat Intelligence has exposed a sophisticated cyberattack by the threat actor Storm-0249, which leveraged legitimate cloud tools and Azure role-based access control (RBAC) to exfiltrate sensitive data from Microsoft 365 and Azure environments.

The attack began with highly targeted social engineering against IT personnel and senior leadership, exploiting Microsoft’s Self-Service Password Reset (SSPR) feature. Attackers impersonated IT support, tricking victims into approving fraudulent multifactor authentication (MFA) prompts, allowing them to reset passwords and register their own devices for persistent access.

Once inside, Storm-0249 used custom Python scripts and the Microsoft Graph API to enumerate users, roles, and applications, and stole sensitive documents, including VPN configurations, from OneDrive and SharePoint. This initial breach served as a foothold for mapping the organization’s broader infrastructure.

Exploiting privileged Azure RBAC roles, the attackers pivoted to Azure, initially targeting auxiliary Azure App Service web apps to retrieve publishing profiles. When this failed to grant access to the primary production app, they shifted tactics, compromising the Azure Key Vault in just four minutes. They extracted database connection strings and credentials, enabling authentication into the production environment.

The attack escalated as Storm-0249 modified Azure SQL firewall rules and Azure Storage network configurations, enabling public access from attacker-controlled IPs (176.123.4.44, 91.208.197.87). Using shared access signature (SAS) tokens and Python scripts, they siphoned large volumes of data. Additionally, they abused Azure VM extensions (Run Command, VMAccess) to create backdoor admin accounts, disable Microsoft Defender Antivirus, and deploy ScreenConnect (hosted at 185.241.208.243) to harvest credentials and certificate files.
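As an added example, not code from the article or from Microsoft, here is a small defender-side triage over constructed Azure Activity Log records that flags the control-plane operations named above: SQL firewall rule writes that admit a public IP, VM Run Command and the VMAccess extension, and Key Vault or Storage configuration writes. The simplified record layout, the caller and the sample values are assumptions; the operation names are the standard ARM operation names.

```python
import ipaddress
import json
SQL_FW_WRITE = "Microsoft.Sql/servers/firewallRules/write"
RUN_COMMAND_OPS = {"Microsoft.Compute/virtualMachines/runCommand/action",
                   "Microsoft.Compute/virtualMachines/runCommands/write"}
EXT_WRITE = "Microsoft.Compute/virtualMachines/extensions/write"
VMACCESS_TYPES = {"VMAccessAgent", "VMAccessForLinux"}  # Windows / Linux VMAccess
# Noisy on their own: in practice pair with a diff of networkAcls / accessPolicies.
CONFIG_OPS = {"Microsoft.KeyVault/vaults/write",
              "Microsoft.KeyVault/vaults/accessPolicies/write",
              "Microsoft.Storage/storageAccounts/write"}
def _request_props(event):
    # Activity Log carries the ARM request body as a JSON string in properties.
    body = event.get("properties", {}).get("requestbody")
    return json.loads(body).get("properties", {}) if body else {}
def firewall_rule_admits_public_ip(event):
    # True if the written SQL firewall rule range reaches a globally routable IP.
    props = _request_props(event)
    start, end = props.get("startIpAddress"), props.get("endIpAddress")
    return bool(start and end) and any(ipaddress.ip_address(a).is_global for a in (start, end))

def triage(events):
    # Returns (operationName, reason) for each successful high-risk operation.
    findings = []
    for e in events:
        if e.get("status") != "Succeeded":
            continue
        op = e["operationName"]
        if op == SQL_FW_WRITE and firewall_rule_admits_public_ip(e):
            findings.append((op, "SQL firewall rule opens the server to a public IP"))
        elif op in RUN_COMMAND_OPS:
            findings.append((op, "Run Command executes code inside the VM"))
        elif op == EXT_WRITE and _request_props(e).get("type") in VMACCESS_TYPES:
            findings.append((op, "VMAccess extension can reset or add local admins"))
        elif op in CONFIG_OPS:
            findings.append((op, "Key Vault / Storage config write: diff network rules"))
    return findings
# Constructed, simplified records (assumed layout; real ones carry far more fields).
# 176.123.4.44 is one of the attacker IPs named in the report.
def _rec(op, props=None):
    return {"operationName": op, "status": "Succeeded", "caller": "ops@contoso.example",
            "properties": {"requestbody": json.dumps({"properties": props})} if props else {}}

SAMPLE_EVENTS = [
    _rec(SQL_FW_WRITE, {"startIpAddress": "176.123.4.44", "endIpAddress": "176.123.4.44"}),
    _rec(SQL_FW_WRITE, {"startIpAddress": "10.0.0.0", "endIpAddress": "10.0.0.255"}),
    _rec("Microsoft.Compute/virtualMachines/runCommand/action"),
    _rec(EXT_WRITE, {"publisher": "Microsoft.Compute", "type": "VMAccessAgent"}),
    _rec(EXT_WRITE, {"publisher": "Microsoft.Azure.Monitor", "type": "AzureMonitorWindowsAgent"}),
]
```

Run `triage(SAMPLE_EVENTS)` to see the three alerts; the private-range firewall rule and the monitoring-agent extension are correctly left alone.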

The incident highlights the growing threat of cloud-native attacks that exploit legitimate tools and misconfigured permissions to bypass traditional security measures.

Source: https://cyberpress.org/hackers-abuse-azure-rbac/

Microsoft TPRM report: https://www.rankiteo.com/company/microsoft-threat-intelligence

"id": "mic1779704661",
"linkid": "microsoft-threat-intelligence",
"type": "Cyber Attack",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'type': 'Organization'}],
 'attack_vector': ['Social Engineering',
                   'MFA Bypass',
                   'Cloud Misconfiguration'],
 'data_breach': {'data_exfiltration': 'Yes',
                 'personally_identifiable_information': 'Likely',
                 'sensitivity_of_data': 'High',
                 'type_of_data_compromised': ['Sensitive documents',
                                              'VPN configurations',
                                              'Database connection strings',
                                              'Credentials',
                                              'Certificate files']},
 'description': 'Microsoft Threat Intelligence has exposed a sophisticated '
                'cyberattack by the threat actor Storm-0249, which leveraged '
                'legitimate cloud tools and Azure role-based access control '
                '(RBAC) to exfiltrate sensitive data from Microsoft 365 and '
                'Azure environments. The attack began with highly targeted '
                'social engineering against IT personnel and senior '
                'leadership, exploiting Microsoft’s Self-Service Password '
                'Reset (SSPR) feature. Attackers impersonated IT support, '
                'tricking victims into approving fraudulent multifactor '
                'authentication (MFA) prompts, allowing them to reset '
                'passwords and register their own devices for persistent '
                'access. Once inside, Storm-0249 used custom Python scripts '
                'and Microsoft Graph API to enumerate users, roles, and '
                'applications, stealing sensitive documents including VPN '
                'configurations from OneDrive and SharePoint. Exploiting '
                'privileged Azure RBAC roles, the attackers pivoted to Azure, '
                'targeting auxiliary Azure App Service web apps to retrieve '
                'publishing profiles. When this failed, they compromised the '
                'Azure Key Vault in just four minutes, extracting database '
                'connection strings and credentials to access the production '
                'environment. The attack escalated as Storm-0249 modified '
                'Azure SQL firewall rules and Azure Storage network '
                'configurations, enabling public access from '
                'attacker-controlled IPs. Using shared access signature (SAS) '
                'tokens and Python scripts, they siphoned large volumes of '
                'data. Additionally, they abused Azure VM extensions to create '
                'backdoor admin accounts, disable Microsoft Defender '
                'Antivirus, and deploy ScreenConnect to harvest credentials '
                'and certificate files.',
 'impact': {'data_compromised': 'Sensitive documents, VPN configurations, '
                                'database connection strings, credentials, '
                                'certificate files',
            'identity_theft_risk': 'High',
            'operational_impact': 'Data exfiltration, unauthorized access, '
                                  'backdoor admin accounts, disabled security '
                                  'tools',
            'systems_affected': ['Microsoft 365',
                                 'Azure',
                                 'OneDrive',
                                 'SharePoint',
                                 'Azure App Service',
                                 'Azure Key Vault',
                                 'Azure SQL',
                                 'Azure Storage',
                                 'Azure VM']},
 'initial_access_broker': {'backdoors_established': 'Yes (ScreenConnect, '
                                                    'backdoor admin accounts)',
                           'entry_point': 'Social Engineering (SSPR and MFA '
                                          'Bypass)',
                           'high_value_targets': 'IT personnel, senior '
                                                 'leadership'},
 'lessons_learned': 'The incident highlights the growing threat of '
                    'cloud-native attacks that exploit legitimate tools and '
                    'misconfigured permissions to bypass traditional security '
                    'measures.',
 'post_incident_analysis': {'root_causes': ['Exploitation of SSPR and MFA '
                                            'prompts',
                                            'Azure RBAC misconfigurations',
                                            'Compromised Azure Key Vault']},
 'references': [{'source': 'Microsoft Threat Intelligence'}],
 'threat_actor': 'Storm-0249',
 'title': 'Microsoft Uncovers Storm-0249’s Cloud-Based Data Exfiltration '
          'Attack Targeting Azure and Microsoft 365',
 'type': 'Data Exfiltration',
 'vulnerability_exploited': ['Self-Service Password Reset (SSPR)',
                             'Azure RBAC Misconfiguration',
                             'Azure Key Vault Compromise']}