On May 18, 2026, Microsoft Threat Intelligence published a detailed breakdown of Storm-2949, a threat actor whose campaign against a financial services organisation demonstrated something increasingly common in cloud security incidents: a full tenant compromise achieved without a single piece of malware or a single unpatched vulnerability.
How the attack worked
Storm-2949 began by abusing Microsoft’s Self-Service Password Reset (SSPR) process. SSPR is a standard Entra ID feature that lets users reset their own passwords after completing identity verification. The attackers did not find a technical flaw in SSPR. Instead, they initiated a password reset on behalf of a targeted user and then called the user, impersonating IT support, and guided them through completing the resulting MFA prompt. The prompt was entirely legitimate, generated by Microsoft’s own infrastructure, which is precisely what made it convincing.
Victims were not selected at random. Storm-2949 targeted IT administrators and senior leadership first, accounts whose credentials gave the widest subsequent access. Once a foothold account was under their control, the attacker used it to pivot into the cloud environment using ordinary management interfaces rather than exploitation tools.
What the attackers accessed
The second phase of the attack moved systematically through the organisation’s cloud footprint. From the initial compromised identity, the attackers moved into OneDrive and SharePoint, pulling documents focused on VPN configurations and remote access procedures. Those documents gave them the network context they needed to move further.
From there the attackers reached Azure App Services, Key Vault, Storage accounts, SQL databases, and production virtual machines. Extracting Key Vault secrets in particular is significant because organisations frequently store database connection strings, API keys, and certificate private keys in Key Vault, treating it as a trusted secrets store that is only accessible to authorised managed identities and service principals. A compromised Entra ID account with sufficient permissions bypasses all of that.
The attackers also deployed ScreenConnect, a legitimate remote access tool, onto virtual machines to support ongoing reconnaissance and credential harvesting without drawing attention to unusual process activity on endpoints.
Why no malware makes detection harder
The pattern that makes Storm-2949 distinctive is the near-total reliance on legitimate tooling. Password resets are normal events. MFA completions are normal events. Administrator accounts accessing SharePoint and Key Vault are normal events. ScreenConnect is used by thousands of IT teams for legitimate remote support. Without a baseline understanding of what normal identity and cloud management activity looks like for a specific tenant, security monitoring tools have nothing anomalous to flag.
This is the core challenge: signature-based and behaviour-pattern detection built around malware indicators will not catch an attacker who never deploys malware. Detection requires understanding legitimate-but-unusual access patterns, such as an account that never previously accessed Key Vault suddenly reading every secret, or an identity that does not normally call the Azure management API issuing resource enumeration queries.
What organisations running Azure and Microsoft 365 should do
The SSPR abuse path requires a user to comply with a social engineering call. Conditional access policies that restrict SSPR to approved devices or named network locations significantly reduce the success rate of this technique. Organisations should also review which accounts have SSPR enabled and consider whether privileged administrator accounts need it at all.
Key Vault access should be governed by narrow managed identity assignments and reviewed regularly. Alerts on first-time access to Key Vault by any identity, and on bulk secret reads, are among the highest-value detections an Azure environment can have.
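The two detections above, first-time access and bulk secret reads, expressed as Python over Key Vault AuditEvent-style diagnostic log lines. This is an added example, not code from Microsoft's report or from this post; the field names follow the Key Vault AuditEvent schema, but every record, identity and the baseline set are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records (not real telemetry): field names follow the Key Vault
# AuditEvent diagnostic schema, values are invented. "app-backend" is a known
# managed identity; the UPN is an admin who has never read from this vault.
SAMPLE_LOG = "\n".join([
    '{"time":"2026-05-18T09:00:00Z","operationName":"SecretGet","identity":{"claim":{"appid":"app-backend"}},"properties":{"id":"https://kv-prod.vault.azure.net/secrets/db-conn"}}',
    '{"time":"2026-05-18T09:10:00Z","operationName":"SecretList","identity":{"claim":{"upn":"admin@contoso.example"}},"properties":{"id":"https://kv-prod.vault.azure.net/secrets"}}',
    '{"time":"2026-05-18T09:10:05Z","operationName":"SecretGet","identity":{"claim":{"upn":"admin@contoso.example"}},"properties":{"id":"https://kv-prod.vault.azure.net/secrets/db-conn"}}',
    '{"time":"2026-05-18T09:10:07Z","operationName":"SecretGet","identity":{"claim":{"upn":"admin@contoso.example"}},"properties":{"id":"https://kv-prod.vault.azure.net/secrets/api-key"}}',
    '{"time":"2026-05-18T09:10:09Z","operationName":"SecretGet","identity":{"claim":{"upn":"admin@contoso.example"}},"properties":{"id":"https://kv-prod.vault.azure.net/secrets/tls-cert"}}',
    '{"time":"2026-05-18T09:10:12Z","operationName":"SecretGet","identity":{"claim":{"upn":"admin@contoso.example"}},"properties":{"id":"https://kv-prod.vault.azure.net/secrets/storage-key"}}',
])

# Identities that have read from this vault during the historical baseline period.
BASELINE_CALLERS = {"app-backend"}
SECRET_OPS = {"SecretGet", "SecretList"}

def parse_events(text):
    """Parse JSON lines into sorted (time, caller, operation, secret id) tuples."""
    events = []
    for line in text.splitlines():
        rec = json.loads(line)
        claim = rec["identity"]["claim"]
        caller = claim.get("upn") or claim.get("appid")  # user UPN, else app/service principal
        when = datetime.strptime(rec["time"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((when, caller, rec["operationName"], rec["properties"]["id"]))
    return sorted(events)

def first_time_callers(events, baseline):
    """Identities reading or listing secrets that never appeared in the baseline."""
    return {c for _, c, op, _ in events if op in SECRET_OPS and c not in baseline}

def bulk_readers(events, threshold=3, window=timedelta(minutes=5)):
    """Callers fetching at least `threshold` distinct secrets inside one time window."""
    flagged = {}
    by_caller = defaultdict(list)
    for when, caller, op, secret in events:
        if op == "SecretGet":
            by_caller[caller].append((when, secret))
    for caller, reads in by_caller.items():
        for i, (start, _) in enumerate(reads):  # sliding window anchored at each read
            distinct = {s for t, s in reads[i:] if t - start <= window}
            if len(distinct) >= threshold:
                flagged[caller] = max(flagged.get(caller, 0), len(distinct))
    return flagged
```

The baseline set would in practice be built from the same log source over a trailing period; the threshold and window are tuning knobs, not fixed values.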
Microsoft Defender for Identity and Entra ID Protection both generate signals relevant to SSPR abuse. Ensuring those signals reach a security operations function, rather than sitting in a dashboard that nobody reviews, is the operational prerequisite for acting on them.
If your organisation uses Azure or Microsoft 365 and wants a review of its identity security posture, cloud access controls, or SSPR configuration, contact Excello Digital. We help teams understand their cloud exposure before a threat actor does.
