Storm-2949 Unleashed: How Hackers Exploited Microsoft 365 and Azure to Execute a Massive Cloud Data Heist

Cloud-focused cyberattacks are rapidly evolving, and the recent campaign attributed to Storm-2949 demonstrates how sophisticated threat actors are shifting away from traditional malware-driven intrusions toward identity-centric cloud compromise techniques. In this incident, attackers orchestrated a highly coordinated campaign targeting Microsoft 365, Microsoft Entra ID, Azure infrastructure, Azure Key Vaults, SQL databases, storage accounts, and virtual machines. Their ultimate objective was large-scale data exfiltration from high-value enterprise cloud assets.

Unlike legacy ransomware operators or endpoint-focused attackers, Storm-2949 relied heavily on legitimate cloud management capabilities, administrative APIs, and Azure control-plane permissions. This allowed the attackers to blend into normal enterprise administrative behavior while silently escalating privileges and expanding access across the victim’s environment. The attack highlights a dangerous cybersecurity trend: cloud identities have become the new perimeter.

Storm-2949 attack diagram

The Initial Identity Compromise

The attack began with carefully executed social engineering campaigns targeting privileged users within the organization. Storm-2949 abused Microsoft’s Self-Service Password Reset (SSPR) workflow by manipulating users into approving fraudulent multifactor authentication (MFA) prompts. Attackers impersonated internal IT support personnel and convinced employees to authorize what appeared to be legitimate account verification requests.

Once MFA approval was granted, the attackers reset passwords, removed existing authentication methods, and registered their own Microsoft Authenticator devices. This effectively locked legitimate users out while establishing long-term persistence for the attackers. The campaign specifically targeted IT administrators and senior leadership personnel, indicating deliberate reconnaissance and strategic victim selection rather than opportunistic phishing.

Following the initial takeover, the attackers used Microsoft Graph API automation through custom Python scripts to enumerate users, applications, service principals, and privileged roles inside the Microsoft Entra ID tenant. Their objective was to identify additional privileged identities and uncover potential persistence opportunities within the organization’s cloud ecosystem.
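The takeover sequence above (self-service reset, removal of the victim's authentication methods, registration of a new authenticator) leaves a distinctive trail in the Entra ID directory audit log. The following detection rule is an added example written for this article, not code from the page or from any Microsoft product; it assumes audit records in the shape of Microsoft Graph `directoryAudits` entries, and the activity names it matches (`Reset password (self-service)`, `User deleted security info`, `User registered security info`, `Admin deleted security info`) should be verified against your own tenant's logs before use. The sample events are constructed.

```python
"""Added example: flag the SSPR-driven takeover pattern in Microsoft Entra ID
directory audit records. A finding is raised when the same target user sees,
within a short window, a successful self-service password reset, deletion of
an existing authentication method, and registration of a new one."""
from collections import defaultdict
from datetime import datetime, timedelta

# Activity names modelled on Entra ID audit log activityDisplayName values;
# verify them against your own tenant's logs before deploying this rule.
RESET_ACTIVITIES = {"Reset password (self-service)"}
DELETE_ACTIVITIES = {"User deleted security info", "Admin deleted security info"}
REGISTER_ACTIVITIES = {"User registered security info"}
WINDOW = timedelta(minutes=60)


def parse_time(value):
    """Parse an ISO-8601 timestamp such as 2024-05-01T09:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def classify(activity):
    """Map an audit activity name to one of the three takeover stages."""
    if activity in RESET_ACTIVITIES:
        return "reset"
    if activity in DELETE_ACTIVITIES:
        return "method_deleted"
    if activity in REGISTER_ACTIVITIES:
        return "method_registered"
    return None


def find_takeover_sequences(events, window=WINDOW):
    """Return one finding per target user whose audit trail contains all
    three stages within `window` of a successful password reset."""
    per_user = defaultdict(list)
    for event in events:
        kind = classify(event.get("activityDisplayName", ""))
        if kind is None or event.get("result") != "success":
            continue
        when = parse_time(event["activityDateTime"])
        for target in event.get("targetResources", []):
            upn = target.get("userPrincipalName")
            if upn:
                per_user[upn].append((when, kind, event["activityDisplayName"]))

    findings = []
    for upn, items in per_user.items():
        items.sort(key=lambda item: item[0])
        for index, (start, kind, _) in enumerate(items):
            if kind != "reset":
                continue
            in_window = [item for item in items[index:] if item[0] - start <= window]
            stages = {item[1] for item in in_window}
            if {"reset", "method_deleted", "method_registered"} <= stages:
                findings.append({
                    "user": upn,
                    "reset_at": start.isoformat(),
                    "activities": [name for _, _, name in in_window],
                })
                break  # one finding per user is enough to page an analyst
    return findings


# Constructed sample records (not real tenant data) in the shape of
# Entra ID directoryAudits entries, trimmed to the fields used here.
SAMPLE_EVENTS = [
    {"activityDateTime": "2024-05-01T09:00:00Z", "activityDisplayName": "Reset password (self-service)",
     "result": "success", "targetResources": [{"userPrincipalName": "it.admin@example.com"}]},
    {"activityDateTime": "2024-05-01T09:04:00Z", "activityDisplayName": "User deleted security info",
     "result": "success", "targetResources": [{"userPrincipalName": "it.admin@example.com"}]},
    {"activityDateTime": "2024-05-01T09:06:00Z", "activityDisplayName": "User registered security info",
     "result": "success", "targetResources": [{"userPrincipalName": "it.admin@example.com"}]},
    # Benign: a user enrolling a second method without any reset.
    {"activityDateTime": "2024-05-01T10:30:00Z", "activityDisplayName": "User registered security info",
     "result": "success", "targetResources": [{"userPrincipalName": "j.doe@example.com"}]},
    # Benign: reset followed by method changes a day later, outside the window.
    {"activityDateTime": "2024-05-02T08:00:00Z", "activityDisplayName": "Reset password (self-service)",
     "result": "success", "targetResources": [{"userPrincipalName": "k.lee@example.com"}]},
    {"activityDateTime": "2024-05-03T08:00:00Z", "activityDisplayName": "User deleted security info",
     "result": "success", "targetResources": [{"userPrincipalName": "k.lee@example.com"}]},
    {"activityDateTime": "2024-05-03T08:05:00Z", "activityDisplayName": "User registered security info",
     "result": "success", "targetResources": [{"userPrincipalName": "k.lee@example.com"}]},
]

if __name__ == "__main__":
    for finding in find_takeover_sequences(SAMPLE_EVENTS):
        print(finding)
```

The window is the tuning knob: legitimate users who reset a password and then re-enrol a phone usually do so over hours or days, while the compromise described here completes in minutes. A finding is worth correlating with the sign-in log for the session that approved the MFA prompt (source IP, device, user agent) before resetting the account again.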

Microsoft 365 Data Exfiltration Operations

After gaining cloud identity access, Storm-2949 pivoted toward Microsoft 365 services including OneDrive and SharePoint. Attackers systematically searched for sensitive documentation, particularly VPN configurations, remote access procedures, and internal IT operational data that could facilitate lateral movement into production systems.

The threat actor then initiated large-scale exfiltration activities by downloading thousands of files directly through the OneDrive web interface. Multiple compromised accounts were leveraged because each identity granted access to different file repositories and collaborative workspaces. This phase demonstrates how compromised SaaS identities can expose enormous volumes of organizational intelligence without triggering traditional malware detections.

Importantly, no custom malware was required. Every action relied on legitimate authentication flows and approved Microsoft cloud services, making the activity significantly harder to distinguish from normal enterprise usage patterns.
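Because the downloads ran through the normal OneDrive web interface, the only signal is volume and the reuse of one client address across several accounts. The script below is an added example for this article (not the page's or Microsoft's code): it assumes Microsoft 365 unified audit log records with the `Operation`, `Workload`, `UserId`, `ClientIP` and `CreationTime` fields, and it flags a per-user download burst within a sliding window and any client IP from which two or more distinct accounts downloaded files. The records, user names and IP addresses are constructed (documentation address ranges), and the threshold values are illustrative.

```python
"""Added example: spot mass-download behaviour in Microsoft 365 unified audit
log records (Workload OneDrive/SharePoint, Operation FileDownloaded): a
per-user sliding-window burst, and several distinct users downloading from
the same client IP, the pattern of multiple compromised accounts."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

BURST_THRESHOLD = 200                 # downloads within the window (tune per tenant)
BURST_WINDOW = timedelta(minutes=30)
FILE_WORKLOADS = {"OneDrive", "SharePoint"}


def parse_time(value):
    """Parse an ISO-8601 timestamp such as 2024-05-01T11:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def is_download(record):
    return record.get("Operation") == "FileDownloaded" and record.get("Workload") in FILE_WORKLOADS


def download_bursts(records, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """Map user -> peak number of downloads seen in any `window`-long span,
    for users whose peak reaches `threshold`."""
    times = defaultdict(list)
    for record in records:
        if is_download(record):
            times[record["UserId"]].append(parse_time(record["CreationTime"]))
    bursts = {}
    for user, stamps in times.items():
        stamps.sort()
        recent = deque()
        peak = 0
        for stamp in stamps:
            recent.append(stamp)
            while stamp - recent[0] > window:   # drop downloads older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            bursts[user] = peak
    return bursts


def shared_download_sources(records, min_users=2):
    """Map client IP -> sorted users that downloaded files from it, for IPs
    used by at least `min_users` distinct accounts."""
    users = defaultdict(set)
    for record in records:
        if is_download(record):
            users[record["ClientIP"]].add(record["UserId"])
    return {ip: sorted(names) for ip, names in users.items() if len(names) >= min_users}


def make_downloads(user, ip, start, count, every_seconds):
    """Build `count` constructed FileDownloaded records spaced `every_seconds` apart."""
    first = parse_time(start)
    return [{
        "CreationTime": (first + timedelta(seconds=i * every_seconds)).strftime("%Y-%m-%dT%H:%M:%SZ"),
        "Operation": "FileDownloaded", "Workload": "OneDrive",
        "UserId": user, "ClientIP": ip, "ObjectId": f"Documents/file{i}.docx",
    } for i in range(count)]


# Constructed sample: documentation IP ranges, fictional users.
SAMPLE_RECORDS = (
    make_downloads("it.admin@example.com", "203.0.113.10", "2024-05-01T11:00:00Z", 250, 3)   # 250 files in 12.5 min
    + make_downloads("cfo@example.com", "203.0.113.10", "2024-05-01T11:20:00Z", 40, 10)       # same source IP, second account
    + make_downloads("j.doe@example.com", "198.51.100.7", "2024-05-01T08:00:00Z", 60, 600)    # 60 files over 10 hours: routine
)

if __name__ == "__main__":
    print("bursts:", download_bursts(SAMPLE_RECORDS))
    print("shared sources:", shared_download_sources(SAMPLE_RECORDS))
```

The two checks are complementary: the burst rule catches a single account emptying a document library, while the shared-source rule catches a quieter operator who spreads downloads across several accounts so that no single one crosses the threshold. In practice both should be run over a rolling window and suppressed for known corporate egress addresses and sync clients.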

Azure Infrastructure Compromise and Lateral Movement

The campaign escalated dramatically once attackers identified compromised accounts with privileged Azure RBAC permissions across multiple subscriptions. Storm-2949 shifted its focus from SaaS applications to the victim’s Azure production infrastructure, targeting Azure App Services, Azure Key Vaults, Azure SQL servers, and Azure Storage accounts.

One particularly dangerous technique involved abusing the Azure management-plane operation microsoft.Web/sites/publishxml/action to retrieve publishing profiles from Azure App Services. These publishing profiles often contain deployment credentials that provide administrative access through FTP, Web Deploy, or the Kudu management console. By leveraging these built-in management capabilities, attackers gained visibility into application configurations and operational infrastructure without deploying malicious binaries.

When direct access to the primary production application failed, Storm-2949 pivoted toward Azure Key Vaults. Using compromised accounts with Owner-level RBAC privileges, the attackers modified Key Vault access policies and retrieved dozens of secrets including database credentials, application connection strings, and authentication tokens.

These secrets ultimately provided the access required to compromise the organization’s primary production web application, where attackers changed credentials to maintain persistent control before exfiltrating sensitive business data.

Storage, SQL, and Virtual Machine Exploitation

The attackers further expanded their campaign by manipulating Azure SQL firewall rules and Azure Storage account network configurations. They temporarily opened restricted services to attacker-controlled IP addresses, extracted access keys and Shared Access Signature (SAS) tokens, and downloaded large volumes of structured and unstructured data using custom Azure SDK automation tools.

Storm-2949 also abused Azure Virtual Machine administrative features such as Run Command and the VMAccess extension. These tools allowed attackers to create new administrator accounts on virtual machines, execute PowerShell scripts remotely, and attempt managed identity token theft via Azure Instance Metadata Service (IMDS).

In later stages, the attackers deployed ScreenConnect remote monitoring software after weakening Microsoft Defender protections. They attempted credential harvesting, certificate theft, domain reconnaissance, and forensic artifact cleanup to reduce detection visibility.

Detection Challenges in Modern Cloud Attacks

This campaign demonstrates why cloud-native attacks are exceptionally difficult to detect using traditional security models. Storm-2949 avoided noisy malware deployment and instead abused trusted administrative functions already available within Azure and Microsoft 365 environments. Since these operations originated from authenticated users with legitimate privileges, many security tools would classify the activity as normal administration.

Modern detection therefore requires behavioral analytics, identity telemetry correlation, and cross-domain visibility across endpoints, identities, SaaS platforms, and cloud infrastructure simultaneously. Organizations relying solely on endpoint protection solutions are increasingly vulnerable to identity-driven cloud attacks.

Our Opinion on the Storm-2949 Campaign

The Storm-2949 incident represents one of the clearest examples of how enterprise cybersecurity priorities must evolve in the cloud era. Traditional security architectures were designed around protecting endpoints and on-premises networks, but this campaign proves that identity systems and cloud control planes are now the most critical attack surfaces.

What makes this attack particularly alarming is not the use of advanced malware or zero-day vulnerabilities, but the strategic abuse of legitimate cloud administration capabilities. The attackers demonstrated deep knowledge of Azure management operations, RBAC inheritance, SaaS integrations, and cloud-native persistence techniques. This level of operational maturity indicates that cloud exploitation is becoming industrialized among sophisticated threat groups.

Organizations often underestimate the risks associated with privileged cloud roles and over-rely on MFA as a standalone defense mechanism. However, Storm-2949 showed that MFA can be bypassed through social engineering when users are not adequately trained to recognize manipulation tactics. Furthermore, excessive RBAC permissions allowed attackers to pivot rapidly across multiple services once a single identity was compromised.

In our assessment, the most important lesson from this incident is that visibility and behavioral monitoring across cloud environments are no longer optional. Enterprises must adopt zero-trust identity strategies, continuous privilege auditing, conditional access enforcement, and cloud-native threat detection platforms capable of correlating activity across identities, workloads, and infrastructure in real time. Without these capabilities, modern cloud attacks can remain undetected while attackers quietly exfiltrate sensitive business data for extended periods.