Full Report
A threat actor targeting Microsoft 365 and Azure production environments is stealing data in attacks that abuse legitimate applications and administration features. [...]
Analysis Summary
# Incident Report: Abuse of Microsoft SSPR and Azure Admin Features by Storm-2949
## Executive Summary
A threat actor tracked as Storm-2949 targeted Microsoft 365 and Azure production environments to exfiltrate high-value sensitive data. By abusing the Self-Service Password Reset (SSPR) flow and social engineering, the actor hijacked privileged accounts to gain deep access into cloud infrastructure, including Key Vaults, SQL databases, and virtual machines. The incident highlights the risk of "MFA fatigue" and the exploitation of legitimate cloud management tools for data theft.
## Incident Details
- **Discovery Date:** May 18, 2026 (Publication Date)
- **Incident Date:** Circa 2024–2026
- **Affected Organization:** Not disclosed (Multiple targets)
- **Sector:** Cross-sector (targets with high-value Azure production assets)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing/Variable
- **Vector:** Social Engineering & SSPR Abuse
- **Details:** The actor initiated a Self-Service Password Reset (SSPR) for privileged users. Posing as IT support, they called victims to "verify" accounts, tricking them into approving MFA prompts. Once approved, the actor hijacked the account, reset the password, and registered their own Microsoft Authenticator device.
### Lateral Movement
- The actor used the Microsoft Graph API and custom Python scripts to enumerate the Entra ID environment.
- They pivoted from M365 (SharePoint/OneDrive) to Azure infrastructure by leveraging the RBAC permissions of hijacked identities.
### Data Exfiltration/Impact
- **M365:** Downloaded thousands of files via OneDrive, seeking VPN configs and IT operational manuals.
- **Azure:** Stole secrets from Key Vaults, accessed SQL databases, and exfiltrated data from App Services and Storage Accounts using custom scripts.
### Detection & Response
- **Detection:** Microsoft identified the cluster of activity through behavioral patterns in Entra ID and Azure Resource Manager (ARM).
- **Response:** Microsoft published a formal report with IOCs and hardening guidance; organizations were advised to restrict RBAC and implement phishing-resistant MFA.
## Attack Methodology
- **Initial Access:** Valid accounts obtained via SSPR abuse and MFA social engineering.
- **Persistence:** Registration of attacker-controlled Microsoft Authenticator devices and creation of rogue admin accounts on VMs.
- **Privilege Escalation:** Exploitation of existing privileged Azure RBAC roles (e.g., Subscription Admin/Contributor).
- **Defense Evasion:** Use of legitimate admin tools (Kudu, VMAccess, Run Command); attempted to disable Microsoft Defender and wipe forensic logs.
- **Credential Access:** Theft of secrets from Azure Key Vault; retrieval of Storage SAS tokens and database connection strings.
- **Discovery:** Microsoft Graph API and Python scripts used to enumerate users, roles, and service principals.
- **Lateral Movement:** Pivoting from cloud identities to Azure App Services (via Kudu/FTP) and Virtual Machines.
- **Collection:** Bulk downloads from SharePoint and OneDrive; SQL database harvesting.
- **Exfiltration:** Custom Python scripts and legitimate web interfaces.
- **Impact:** Massive data theft and potential long-term access to production environments.
## Impact Assessment
- **Financial:** High (Potential loss of proprietary IP and production disruption).
- **Data Breach:** High-volume theft of sensitive documents, internal VPN configurations, and production database contents.
- **Operational:** Disruption due to unauthorized configuration changes (SQL firewall rules, VM admin changes).
- **Reputational:** Moderate to High; involves compromise of high-level leadership and IT accounts.
## Indicators of Compromise
- **Network:** Use of ScreenConnect for remote access.
- **File:** Custom Python scripts for data enumeration and exfiltration.
- **Behavioral:**
  - Unexpected SSPR requests followed by MFA approvals.
  - Bulk downloads from OneDrive/SharePoint from new IP addresses.
  - Rapid modification of Azure Key Vault access policies and SQL firewall rules.
  - Execution of "Run Command" and "VMAccess" extensions on Azure VMs.
## Response Actions
- **Containment:** Revocation of compromised sessions and removal of attacker-registered MFA devices.
- **Eradication:** Deletion of rogue local VM accounts and rotation of all secrets/keys stored in compromised Key Vaults.
- **Recovery:** Restoring security configurations (Firewalls, Defender settings) and resetting administrative passwords.
## Lessons Learned
- **MFA Vulnerability:** Standard MFA (Push notifications) is vulnerable to social engineering and fatigue; phishing-resistant MFA (FIDO2) is necessary for privileged roles.
- **SSPR Risk:** Improperly secured Self-Service Password Reset flows can be weaponized to bypass existing security controls.
- **RBAC Over-provisioning:** Attackers capitalize on users having broad "Contributor" or "Owner" permissions across entire subscriptions.
## Recommendations
1. **Enforce Phishing-Resistant MFA:** Require FIDO2 security keys for all IT and executive roles.
2. **Harden SSPR:** Restrict who can perform SSPR and monitor for successful resets following denied MFA attempts.
3. **Least Privilege:** Transition to Just-In-Time (JIT) access and minimize permanent RBAC assignments.
4. **Monitoring:** Enable and review logs for Azure Key Vault (up to 1 year) and monitor for "High Risk" ARM operations.
5. **Network Security:** Restrict public access to Azure Key Vaults and Storage Accounts using Private Links and Service Endpoints.
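The following is an added detection example, not code from the Microsoft report or from Storm-2949 tooling. It applies the behavioral indicator listed above (SSPR requests followed by MFA approvals) and recommendation 2 (successful resets following denied MFA attempts) to constructed, simplified event records; the field names (`ts`, `user`, `type`, `result`) and the sample values are assumptions, not the Entra ID log schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a simplified, Entra-like shape (hypothetical
# field names and values; not real Entra ID sign-in or audit log output).
SAMPLE_EVENTS = [
    # Victim first declines the push, then is talked into approving it,
    # the reset completes, and a new authenticator method appears.
    {"ts": "2026-05-01T09:00:00", "user": "cfo@example.test", "type": "mfa_push", "result": "denied"},
    {"ts": "2026-05-01T09:03:00", "user": "cfo@example.test", "type": "mfa_push", "result": "approved"},
    {"ts": "2026-05-01T09:04:00", "user": "cfo@example.test", "type": "sspr_reset", "result": "success"},
    {"ts": "2026-05-01T09:06:00", "user": "cfo@example.test", "type": "auth_method_added", "result": "success"},
    # Benign reset: no prior denied push and no new method registered.
    {"ts": "2026-05-01T10:00:00", "user": "dev@example.test", "type": "sspr_reset", "result": "success"},
]


def _parse(ts):
    return datetime.fromisoformat(ts)


def find_suspicious_resets(events, window_minutes=30):
    """Return one finding per successful SSPR reset that is preceded by a
    denied MFA push or followed by a new authentication method registration
    for the same user within the window. Each finding lists the reasons."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    findings = []
    for user, evs in by_user.items():
        for reset in evs:
            if reset["type"] != "sspr_reset" or reset["result"] != "success":
                continue
            t = _parse(reset["ts"])
            reasons = []
            # Denied push shortly before the reset: MFA-fatigue pattern.
            if any(e["type"] == "mfa_push" and e["result"] == "denied"
                   and t - window <= _parse(e["ts"]) < t for e in evs):
                reasons.append("mfa_denied_before_reset")
            # New authenticator shortly after the reset: persistence pattern.
            if any(e["type"] == "auth_method_added"
                   and t < _parse(e["ts"]) <= t + window for e in evs):
                reasons.append("new_auth_method_after_reset")
            if reasons:
                findings.append({"user": user, "reset_at": reset["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in find_suspicious_resets(SAMPLE_EVENTS):
        print(finding)
```

In a production pipeline the same correlation would run over Entra ID audit and sign-in records and add the source IP of the reset to the finding for triage.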