Storm-2949 Azure Breach: How Identity Compromise Drives M365 Data Exfiltration
In a sophisticated evolution of cloud-based intrusions, a threat actor tracked as Storm-2949 has demonstrated a high level of operational maturity by targeting identity as the primary attack vector. Rather than relying on traditional malware or zero-day exploits, this actor leverages legitimate cloud management workflows to orchestrate large-scale data exfiltration across Microsoft 365 and Azure ecosystems.
This methodology represents a significant shift in the threat landscape. According to Microsoft security research, the campaign highlights how attackers are increasingly prioritizing identity compromise over payload deployment to maintain a stealthy, “living-off-the-cloud” presence.
The Initial Breach: Social Engineering and MFA Fatigue
The attack lifecycle begins with highly targeted social engineering directed at privileged users, specifically IT administrators and senior executives. The actor exploits the inherent trust within the Microsoft Self-Service Password Reset (SSPR) workflow.
By impersonating IT support personnel, the attackers manipulate victims into approving Multi-Factor Authentication (MFA) prompts under the guise of account verification. Once an MFA request is successfully intercepted or approved via “MFA fatigue” tactics, the attackers move swiftly to achieve persistence. They perform unauthorized password resets and purge existing authentication methods, replacing them with attacker-controlled MFA devices to effectively lock legitimate administrators out of their own tenants.
Lateral Movement: From SaaS to PaaS and IaaS
Once the Entra ID account is compromised, Storm-2949 transitions from identity theft to rapid data harvesting. The initial stage focuses on Software-as-a-Service (SaaS) environments, specifically targeting OneDrive and SharePoint repositories. The attackers prioritize high-value intelligence, such as VPN configurations and remote access protocols, to facilitate deeper penetration into the network.

After establishing a foothold in the SaaS layer, the actor leverages Role-Based Access Control (RBAC) permissions to pivot into the Platform-as-a-Service (PaaS) and Infrastructure-as-a-Service (IaaS) layers. The scope of their reach includes:
- Azure App Services: Abusing the management plane to retrieve publishing profiles and access Kudu administrative interfaces.
- Azure Key Vault: Exploiting “Owner” level permissions to modify access policies and extract sensitive connection strings and secrets.
- Azure Storage & SQL: Modifying firewall rules to permit external access and retrieving Storage Account keys or SAS tokens for bulk data egress.
The attackers demonstrated technical ingenuity by utilizing the Azure Instance Metadata Service (IMDS) to authenticate and retrieve secrets from Key Vaults associated with production web applications.

To maintain a low profile, the actor utilized custom Python scripts integrated with the Azure SDK for automated data collection, and they meticulously reverted firewall and configuration changes once the exfiltration was complete to evade detection by security monitoring tools.
Endpoint Persistence and Evasion
Beyond the cloud control plane, Storm-2949 targeted Azure Virtual Machines (VMs). By abusing the VMAccess extension, the attackers were able to inject new administrative accounts and execute remote commands via the “Run Command” feature. To ensure long-term access, they deployed ScreenConnect (a legitimate remote monitoring tool) and attempted to disable Microsoft Defender protections and clear system logs to minimize the forensic trail.
Strategic Defense and Mitigation
The detection of this campaign was made possible through the correlation of signals across identity, cloud, and endpoint telemetry—a capability provided by integrated XDR (Extended Detection and Response) solutions. To defend against similar identity-centric threats, organizations should implement the following technical controls:
- Hardened MFA: Move beyond push notifications to phishing-resistant MFA (such as FIDO2 security keys) to mitigate SSPR exploitation.
- Strict RBAC Enforcement: Implement the Principle of Least Privilege (PoLP) to ensure that compromised identities cannot access critical Key Vaults or App Services.
- Continuous Monitoring: Audit Microsoft Graph API activity and monitor for anomalous “Mass Download” events in SharePoint or OneDrive.
- Cloud Infrastructure Entitlement Management (CIEM): Regularly review and prune over-privileged service principals and administrative roles.
Indicators of Compromise (IOCs)
Attacker egress pointAttacker egress pointScreenConnect instance utilized by actor
| Indicator | Type | Description |
|---|---|---|
| 176.123.4[.]44 | IP Address | |
| 91.208.197[.]87 | IP Address | |
| 185.241.208[.]243 | IP Address |
Note: IP addresses have been defanged (e.g., [.]) to prevent accidental execution. Please re-fang these indicators only within your secure SIEM, MISP, or threat intelligence environment.