Storm-2949 Turned Entra ID Account Takeovers Into a Cloud-Wide Azure Breach
Microsoft reported that Storm-2949 used social engineering and abuse of Microsoft Self-Service Password Reset (SSPR) to compromise multiple Microsoft Entra ID accounts, including accounts tied to IT staff and senior leadership, then expanded access across Microsoft 365 and Azure. After the initial identity takeover, the actor conducted tenant discovery through the Microsoft Graph API, exfiltrated data from OneDrive and SharePoint, and sought persistence by re-registering MFA methods and attempting to abuse service principal credentials.
The intrusion then moved deeper into Azure, where Storm-2949 relied on legitimate management-plane operations and privileged Azure RBAC roles to access App Services, Key Vault, SQL databases, Storage accounts, and virtual machines. Microsoft said the actor used publish profiles, Key Vault permission changes, SQL firewall rule modifications, storage key listing, VMAccess, and Run Command to harvest credentials, execute code, deploy ScreenConnect on VMs, weaken Microsoft Defender Antivirus, and exfiltrate large volumes of data while blending into normal administrative activity; the group also cleared event logs and deleted artifacts to hinder detection.

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Analysis reveals parallel Syncro/Servably use and new Storm-2949 detections
A follow-on analysis reported that Storm-2949 established persistence with both ConnectWise ScreenConnect and Syncro/Servably, not just ScreenConnect, and tied activity to operator-controlled infrastructure and tenant identifiers. The report also published YARA detections for Evilconwi ScreenConnect customization and a specific Syncro tenant, emphasizing attribution via infrastructure and behavioral telemetry rather than file hashes.
Microsoft publishes analysis of Storm-2949 cloud-wide breach techniques
Microsoft Threat Intelligence publicly described the Storm-2949 intrusion chain, emphasizing that the actor relied heavily on legitimate cloud administration features rather than malware-heavy tradecraft. Microsoft highlighted cross-domain detection, hardening, and least-privilege controls as key mitigations.
Actor deploys ScreenConnect and performs defense evasion and cleanup on Azure VMs
On Azure virtual machines, Storm-2949 deployed ScreenConnect, attempted to weaken Microsoft Defender Antivirus, and executed code while blending into administrative activity. The actor also cleared event logs and deleted artifacts to reduce forensic visibility.
Storm-2949 pivots into Azure using privileged RBAC and management-plane actions
The campaign expanded into Azure, where Storm-2949 abused legitimate management-plane operations and privileged Azure RBAC roles to access App Services, Key Vault, SQL databases, Storage accounts, and virtual machines. The actor used techniques including publish profiles, Key Vault access changes, SQL firewall rule modifications, storage key listing, VMAccess, and Run Command to broaden access and harvest credentials.
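The management-plane operations named above (publish profile download, Key Vault access policy changes, SQL firewall rule edits, storage key listing, the VMAccess extension, and Run Command) are all ordinary administrative actions, which is why Microsoft stresses that the actor blended in. What separates abuse from routine work is one caller chaining several of them across resource providers in a short window. The following is an added detection example, not code from Microsoft or from this page's author: it classifies Azure Activity Log records by operation name and reports callers that touch three or more resource providers within two hours. The operation names are the standard Azure resource-provider operations; the technique labels, window, threshold, and the sample records (UPNs, subscription and resource names) are this example's own constructions.

```python
"""
Added example (not code from Microsoft or from the page): flag the Azure
management-plane operations listed in the story and surface any caller that
chains several of them across resource providers in a short window.

The records below are constructed to resemble Azure Activity Log entries; the
UPNs, subscription id and resource names are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Azure resource-provider operation names; the technique labels are
# this example's own mapping to the activity described in the story.
SENSITIVE_OPERATIONS = {
    "Microsoft.Web/sites/publishxml/action": "publish profile download (App Service deployment credentials)",
    "Microsoft.KeyVault/vaults/accessPolicies/write": "Key Vault access policy change",
    "Microsoft.Sql/servers/firewallRules/write": "SQL firewall rule modification",
    "Microsoft.Storage/storageAccounts/listKeys/action": "storage account key listing",
    "Microsoft.Compute/virtualMachines/runCommand/action": "Run Command execution on VM",
    "Microsoft.Compute/virtualMachines/extensions/write": "VM extension install",
}
CHAIN_WINDOW = timedelta(hours=2)   # how close the operations must be (assumed tuning value)
CHAIN_THRESHOLD = 3                 # distinct resource providers touched by one caller (assumed)

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def classify(record):
    """Return a finding for a successful sensitive operation, else None."""
    op = record.get("operationName", "")
    technique = SENSITIVE_OPERATIONS.get(op)
    if technique is None or record.get("status") != "Succeeded":
        return None
    if op.endswith("/extensions/write"):
        # Extension writes are common admin work; only the VMAccess extension
        # (which resets local VM credentials) is treated as sensitive here.
        if "vmaccess" not in record.get("resourceId", "").lower():
            return None
        technique = "VMAccess extension install (local credential reset)"
    return {
        "time": parse_ts(record["eventTimestamp"]),
        "caller": record["caller"],
        "provider": op.split("/")[0],
        "resourceId": record["resourceId"],
        "technique": technique,
    }

def find_chains(findings):
    """One caller hitting >= CHAIN_THRESHOLD providers inside CHAIN_WINDOW."""
    by_caller = defaultdict(list)
    for f in findings:
        by_caller[f["caller"]].append(f)
    chains = []
    for caller, items in by_caller.items():
        items.sort(key=lambda f: f["time"])
        for i, start in enumerate(items):
            window = [f for f in items[i:] if f["time"] - start["time"] <= CHAIN_WINDOW]
            providers = {f["provider"] for f in window}
            if len(providers) >= CHAIN_THRESHOLD:
                chains.append({"caller": caller, "start": start["time"],
                               "providers": sorted(providers), "operations": len(window)})
                break  # report the first qualifying window per caller
    return chains

def analyze(records):
    findings = [f for f in (classify(r) for r in records) if f]
    return findings, find_chains(findings)

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod"
SAMPLE_RECORDS = [  # constructed sample data, not real telemetry
    {"eventTimestamp": "2024-05-01T09:00:00Z", "caller": "deploy-pipeline@contoso.example", "status": "Succeeded",
     "operationName": "Microsoft.Storage/storageAccounts/listKeys/action",
     "resourceId": SUB + "/providers/Microsoft.Storage/storageAccounts/prodartifacts"},
    {"eventTimestamp": "2024-05-01T09:05:00Z", "caller": "deploy-pipeline@contoso.example", "status": "Succeeded",
     "operationName": "Microsoft.Compute/virtualMachines/extensions/write",
     "resourceId": SUB + "/providers/Microsoft.Compute/virtualMachines/web01/extensions/CustomScript"},
    {"eventTimestamp": "2024-05-01T10:00:00Z", "caller": "it-admin@contoso.example", "status": "Succeeded",
     "operationName": "Microsoft.Web/sites/publishxml/action",
     "resourceId": SUB + "/providers/Microsoft.Web/sites/portal-app"},
    {"eventTimestamp": "2024-05-01T10:12:00Z", "caller": "it-admin@contoso.example", "status": "Succeeded",
     "operationName": "Microsoft.KeyVault/vaults/accessPolicies/write",
     "resourceId": SUB + "/providers/Microsoft.KeyVault/vaults/prod-kv"},
    {"eventTimestamp": "2024-05-01T10:20:00Z", "caller": "it-admin@contoso.example", "status": "Succeeded",
     "operationName": "Microsoft.Sql/servers/firewallRules/write",
     "resourceId": SUB + "/providers/Microsoft.Sql/servers/prod-sql/firewallRules/temp-access"},
    {"eventTimestamp": "2024-05-01T10:35:00Z", "caller": "it-admin@contoso.example", "status": "Succeeded",
     "operationName": "Microsoft.Storage/storageAccounts/listKeys/action",
     "resourceId": SUB + "/providers/Microsoft.Storage/storageAccounts/prodartifacts"},
    {"eventTimestamp": "2024-05-01T10:50:00Z", "caller": "it-admin@contoso.example", "status": "Succeeded",
     "operationName": "Microsoft.Compute/virtualMachines/extensions/write",
     "resourceId": SUB + "/providers/Microsoft.Compute/virtualMachines/web01/extensions/enablevmaccess"},
    {"eventTimestamp": "2024-05-01T11:05:00Z", "caller": "it-admin@contoso.example", "status": "Succeeded",
     "operationName": "Microsoft.Compute/virtualMachines/runCommand/action",
     "resourceId": SUB + "/providers/Microsoft.Compute/virtualMachines/web01"},
    {"eventTimestamp": "2024-05-01T11:10:00Z", "caller": "it-admin@contoso.example", "status": "Failed",
     "operationName": "Microsoft.Compute/virtualMachines/runCommand/action",
     "resourceId": SUB + "/providers/Microsoft.Compute/virtualMachines/db01"},
]

if __name__ == "__main__":
    found, chains = analyze(SAMPLE_RECORDS)
    for f in found:
        print(f"{f['time']:%H:%M} {f['caller']:<32} {f['technique']}")
    for c in chains:
        print(f"CHAIN {c['caller']} from {c['start']:%H:%M}: {c['operations']} ops across {c['providers']}")
```

On the constructed data the deployment pipeline's single key listing and its CustomScript extension write produce no chain, while the compromised admin account is reported once for six operations across five providers. In production the same logic maps onto an Activity Log query in a SIEM; the value of the chain rule is that it keys on the cross-provider spread the story describes rather than on any one operation that legitimate administrators also perform.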
Actor conducts Microsoft 365 discovery and exfiltrates OneDrive and SharePoint data
After gaining identity access, the actor used Microsoft Graph API for tenant discovery and accessed Microsoft 365 resources. Data was exfiltrated from OneDrive and SharePoint, and the actor sought persistence through MFA re-registration and attempted service principal credential abuse.
Storm-2949 compromises Entra ID accounts via social engineering and SSPR abuse
Storm-2949 began the intrusion by targeting identities with social engineering and abusing Microsoft Self-Service Password Reset to take over multiple Microsoft Entra ID accounts. The compromised accounts included those belonging to IT personnel and senior leadership.
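The identity phase described in this timeline (an SSPR-driven account takeover, followed by MFA method re-registration and attempted service principal credential abuse) leaves a recognisable sequence in the Entra ID audit log. The following is an added detection example, not code from Microsoft or from this page's author: it correlates a self-service password reset with a security-info registration on the same account within an hour, and with a service principal credential addition by that account within a day, raising severity when the account is on a watch list or the registration comes from a different IP than the reset. The activityDisplayName strings are the ones Entra ID emits for these actions; the event shape is simplified, and the UPNs, IPs, watch list and service principal name are this example's own constructions.

```python
"""
Added example (not code from Microsoft or from the page): correlate Entra ID
audit-log events for the identity phase the story describes, namely an SSPR
reset followed shortly by new security-info (MFA) registration on the same
account, and a service-principal credential added by a recently reset account.

Events are constructed and simplified from the Entra ID audit log shape; the
UPNs, IP addresses and service principal name are invented.
"""
from datetime import datetime, timedelta

RESET_TO_MFA_WINDOW = timedelta(hours=1)    # assumed tuning value
RESET_TO_SP_WINDOW = timedelta(hours=24)    # assumed tuning value

# Constructed watch list; the story notes IT staff and senior leadership were hit.
HIGH_VALUE_ACCOUNTS = {"it-helpdesk@contoso.example", "cfo@contoso.example"}

SSPR_RESET = "Reset password (self-service)"
MFA_REGISTERED = "User registered security info"
SP_CRED_ADDED = "Add service principal credentials"

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def correlate(events):
    """Return findings; events are processed in time order."""
    last_reset = {}   # upn -> (time, ip) of the most recent SSPR reset
    findings = []
    for e in sorted(events, key=lambda ev: parse_ts(ev["activityDateTime"])):
        t = parse_ts(e["activityDateTime"])
        name = e["activityDisplayName"]
        actor = e.get("initiatedBy")
        if name == SSPR_RESET:
            last_reset[e["target"]] = (t, e.get("ipAddress"))
        elif name == MFA_REGISTERED and actor in last_reset:
            reset_time, reset_ip = last_reset[actor]
            if t - reset_time <= RESET_TO_MFA_WINDOW:
                # A new MFA method right after a reset is how the actor kept access;
                # a different source IP or a high-value account raises severity.
                high = actor in HIGH_VALUE_ACCOUNTS or e.get("ipAddress") != reset_ip
                findings.append({"type": "mfa_registration_after_sspr", "account": actor,
                                 "time": t, "severity": "high" if high else "medium"})
        elif name == SP_CRED_ADDED and actor in last_reset:
            reset_time, _ = last_reset[actor]
            if t - reset_time <= RESET_TO_SP_WINDOW:
                findings.append({"type": "service_principal_credential_after_sspr", "account": actor,
                                 "target": e["target"], "time": t, "severity": "high"})
    return findings

SAMPLE_EVENTS = [  # constructed sample data, not real telemetry
    {"activityDateTime": "2024-05-01T09:00:00Z", "activityDisplayName": SSPR_RESET,
     "initiatedBy": "cfo@contoso.example", "target": "cfo@contoso.example", "ipAddress": "203.0.113.10"},
    {"activityDateTime": "2024-05-01T09:20:00Z", "activityDisplayName": MFA_REGISTERED,
     "initiatedBy": "cfo@contoso.example", "target": "cfo@contoso.example", "ipAddress": "198.51.100.7"},
    {"activityDateTime": "2024-05-01T09:30:00Z", "activityDisplayName": SSPR_RESET,
     "initiatedBy": "bob@contoso.example", "target": "bob@contoso.example", "ipAddress": "10.0.0.5"},
    {"activityDateTime": "2024-05-01T11:30:00Z", "activityDisplayName": SP_CRED_ADDED,
     "initiatedBy": "cfo@contoso.example", "target": "sp-backup-automation", "ipAddress": "198.51.100.7"},
    {"activityDateTime": "2024-05-01T12:00:00Z", "activityDisplayName": MFA_REGISTERED,
     "initiatedBy": "bob@contoso.example", "target": "bob@contoso.example", "ipAddress": "10.0.0.5"},
    {"activityDateTime": "2024-05-01T14:00:00Z", "activityDisplayName": MFA_REGISTERED,
     "initiatedBy": "alice@contoso.example", "target": "alice@contoso.example", "ipAddress": "10.0.0.9"},
    {"activityDateTime": "2024-05-01T15:00:00Z", "activityDisplayName": SP_CRED_ADDED,
     "initiatedBy": "alice@contoso.example", "target": "sp-reporting", "ipAddress": "10.0.0.9"},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f"{f['time']:%H:%M} {f['severity']:<6} {f['type']} {f['account']}")
```

On the constructed data only the cfo account is reported: its MFA registration twenty minutes after the reset from a new IP, and the service principal credential it adds later that morning. Bob's registration falls outside the one-hour window and Alice has no preceding reset, so neither generates a finding; in practice those windows are the knobs to tune against a tenant's baseline of legitimate SSPR-then-register sequences.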
Sources
Storm-2949 Hijacks Azure Identity and Key Vaults in Catastrophic Cloud Campaign (securityonline.info)
Storm-2949 actor targets Microsoft 365 and Azure environments | brief | SC Media (scworld.com)
Storm-2949 CredPhish-to Entra ID Takeover with ScreenConnect Post-Exploit (case 68d) · GitHub (gist.github.com)
How Storm-2949 turned a compromised identity into a cloud-wide breach : r/netsec (reddit.com)
How Storm-2949 turned a compromised identity into a cloud-wide breach | Microsoft Security Blog (microsoft.com)