Threat Feed
high threat

Storm-2949 Abuses SSPR for Cloud-Wide Data Exfiltration

Storm-2949 compromised cloud identities through social engineering and abused the Self-Service Password Reset (SSPR) process to bypass MFA and gain persistent access, enabling lateral movement and data exfiltration from Microsoft 365 and Azure environments.

Storm-2949 conducted a multi-stage attack on cloud infrastructure by exploiting compromised identities rather than traditional malware. Starting in May 2026, the actor targeted specific users through social engineering, abusing Microsoft's Self-Service Password Reset (SSPR) flow to bypass MFA and gain persistent access to Microsoft Entra ID. Once inside, the actor used the Microsoft Graph API for directory discovery, enumerating users and applications in the tenant to identify high-value targets, then moved laterally through the victim's Microsoft 365 applications, file-hosting services, and Azure-hosted production environments, exfiltrating sensitive data. The campaign illustrates the growing focus of threat actors on cloud identities and control-plane access, turning legitimate administrative features to malicious ends.

Attack Chain

  1. Initial Access via Social Engineering: Storm-2949 initiates the SSPR process for targeted users, then uses social engineering (e.g., impersonating IT support) to trick them into approving the resulting MFA verification prompts.
  2. MFA Bypass: Once the user approves the prompts, the attacker resets the password and removes the user's existing authentication methods (phone numbers, email addresses, Microsoft Authenticator registrations), so the legitimate owner can no longer complete MFA or recover the account.
  3. Persistence via New MFA Enrollment: The attacker re-enables MFA and registers a new authentication method on a device they control, giving themselves persistent access that survives a later password change.
  4. Directory Discovery: Using compromised credentials, the attacker conducts directory discovery using Microsoft Graph API to enumerate users and applications within the tenant.
  5. Privilege Escalation: The attacker identifies privileged accounts to target for further compromise.
  6. Lateral Movement: Leveraging control-plane access, the actor moves laterally across cloud and endpoint environments.
  7. Access Cloud Resources: The attacker accesses sensitive cloud resources such as Key Vaults and storage accounts.
  8. Data Exfiltration: The actor exfiltrates sensitive data from Microsoft 365 applications, file-hosting services, and Azure-hosted production environments.

Impact

The Storm-2949 campaign resulted in the exfiltration of sensitive data from multiple areas of the victim organization’s cloud infrastructure, including Microsoft 365 applications and Azure-hosted environments. The attackers specifically targeted high-value assets, including those within SaaS, PaaS, and IaaS layers. The compromise of IT personnel and senior leadership suggests significant potential for widespread damage. The number of affected users and the total volume of exfiltrated data are not specified in the report.

Recommendation

  • Enforce strong MFA policies, require re-authentication for SSPR and security-info changes, and educate users about social engineering that targets the SSPR flow (unexpected reset or MFA prompts should be treated as an attack in progress). Deploy the rule Detect SSPR Abuse via Authentication Method Changes to identify potential MFA bypass attempts.
  • Monitor Microsoft Graph API usage for unusual enumeration activities. Deploy the rule Detect Microsoft Graph API Directory Enumeration to identify suspicious user and application enumeration patterns.
  • Review and harden Azure role-based access control (RBAC) policies to limit lateral movement.
  • Implement behavior-based detections across endpoints, cloud environments, and identities, like those provided by Microsoft Defender XDR.
  • Regularly review and audit user accounts, especially those with elevated privileges, for any unauthorized changes to authentication methods or permissions.

Detection coverage (2 rules)

Detect SSPR Abuse via Authentication Method Changes

high

Detects potential abuse of Self-Service Password Reset (SSPR) by monitoring changes to authentication methods (e.g., phone numbers, email addresses) immediately after a password reset.

Format: Sigma. Tactics: credential_access. Techniques: T1566.001. Sources: authentication, azure.

Detect Microsoft Graph API Directory Enumeration

medium

Detects suspicious enumeration of users and applications within Microsoft Entra ID using the Microsoft Graph API.

Format: Sigma. Tactics: discovery. Techniques: T1087.004. Sources: webserver.
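One way to express the enumeration pattern this rule targets (step 4 of the attack chain), as an added example that is not the platform's rule: a sliding-window count, per principal, of requests that list whole directory collections such as /users and /applications. It assumes request records shaped like Microsoft Graph activity logs (timestamp, principal, method, request URI); the sample log is constructed.

```python
"""Flag directory enumeration through the Microsoft Graph API.

Added example, not the page's or the vendor's rule. Assumes request logs with
a timestamp, principal, HTTP method and request URI, as Microsoft Graph
activity logs provide; SAMPLE_RECORDS is constructed, not real telemetry.
"""
from collections import deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit

DIRECTORY_COLLECTIONS = {"users", "groups", "applications", "servicePrincipals", "directoryRoles", "devices"}


def listing_collection(method, uri):
    """Return the collection name when the request lists a whole directory
    collection (GET /v1.0/users, GET /beta/applications?$top=999), else None.
    Fetching one object (/users/{id}) is a normal lookup and is not counted."""
    if method.upper() != "GET":
        return None
    segments = [s for s in urlsplit(uri).path.split("/") if s]
    if segments and segments[0] in ("v1.0", "beta"):
        segments = segments[1:]
    if len(segments) == 1 and segments[0] in DIRECTORY_COLLECTIONS:
        return segments[0]
    return None


def find_graph_enumeration(records, window=timedelta(minutes=10), min_requests=20, min_collections=2):
    """Sliding-window count of collection listings per principal. Emits one alert
    per principal the first time the window holds at least `min_requests`
    listings touching at least `min_collections` distinct collections."""
    recent = {}      # principal -> deque of (timestamp, collection)
    alerted = set()
    alerts = []
    for rec in sorted(records, key=lambda r: r["time"]):
        collection = listing_collection(rec["method"], rec["uri"])
        if collection is None:
            continue
        ts = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        q = recent.setdefault(rec["principal"], deque())
        q.append((ts, collection))
        while ts - q[0][0] > window:      # drop listings that fell out of the window
            q.popleft()
        collections = {c for _, c in q}
        if len(q) >= min_requests and len(collections) >= min_collections and rec["principal"] not in alerted:
            alerted.add(rec["principal"])
            alerts.append({
                "principal": rec["principal"],
                "first_seen": q[0][0].isoformat(),
                "last_seen": ts.isoformat(),
                "requests": len(q),
                "collections": sorted(collections),
            })
    return alerts


def _constructed_records():
    """Constructed sample log (not real telemetry) with one noisy walker and two benign principals."""
    base = datetime(2026, 5, 6, 10, 0, 0)
    recs = []
    # compromised user: paged walks of /users and /applications, 30 requests in 5 minutes
    for i in range(30):
        coll = "users" if i % 2 == 0 else "applications"
        recs.append({"time": (base + timedelta(seconds=10 * i)).isoformat() + "Z", "principal": "compromised-user",
                     "method": "GET", "uri": f"https://graph.microsoft.com/v1.0/{coll}?$top=999&$skiptoken=page{i}"})
    # helpdesk admin: 50 single-object lookups in the same minutes, never a listing
    for i in range(50):
        recs.append({"time": (base + timedelta(seconds=5 * i)).isoformat() + "Z", "principal": "helpdesk-admin",
                     "method": "GET", "uri": f"https://graph.microsoft.com/v1.0/users/{i:04d}"})
    # provisioning app: lists /users every 4 minutes for an hour (one collection, low rate)
    for i in range(15):
        recs.append({"time": (base + timedelta(minutes=4 * i)).isoformat() + "Z", "principal": "hr-sync-app",
                     "method": "GET", "uri": "https://graph.microsoft.com/v1.0/users?$top=100"})
    return recs


SAMPLE_RECORDS = _constructed_records()

if __name__ == "__main__":
    for alert in find_graph_enumeration(SAMPLE_RECORDS):
        print(alert)
```

Requiring two distinct collections in the window is what separates an attacker mapping users and applications for privilege targets from a provisioning connector that pages through /users on a schedule; in production the thresholds should be baselined per principal, and service principals with legitimate Directory.Read.All usage allow-listed by app ID rather than by name.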
