{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/microsoft-azure/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":["Storm-2949"],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Entra ID","Microsoft 365","Microsoft Authenticator","Microsoft Azure"],"_cs_severities":["high"],"_cs_tags":["cloud-security","credential-access","data-exfiltration","social-engineering"],"_cs_type":"threat","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eStorm-2949 conducted a multi-layered attack targeting cloud infrastructure by exploiting compromised identities rather than relying on traditional malware. Starting in May 2026, the actor targeted specific users through social engineering, abusing Microsoft\u0026rsquo;s Self-Service Password Reset (SSPR) to bypass MFA and gain persistent access to Microsoft Entra ID. Once inside, they moved laterally through the victim\u0026rsquo;s Microsoft 365 applications, file-hosting services, and Azure-hosted production environments, exfiltrating sensitive data. This campaign highlights the increasing focus of threat actors on cloud identities and control plane access, using legitimate administrative features for malicious purposes. The attack leveraged the Microsoft Graph API for directory discovery, enumerating users and applications within the tenant to identify high-value targets.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access via Social Engineering:\u003c/strong\u003e Storm-2949 initiates the SSPR process for targeted users, then uses social engineering (e.g., impersonating IT support) to trick them into approving MFA prompts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMFA Bypass:\u003c/strong\u003e Once the user approves the prompts, the attacker resets the password and removes existing authentication methods (phone numbers, email addresses, Microsoft Authenticator registrations).\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePersistence via New MFA Enrollment:\u003c/strong\u003e The attacker re-enables MFA and registers a new authentication method on their own device, granting themselves persistent access.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDirectory Discovery:\u003c/strong\u003e Using compromised credentials, the attacker conducts directory discovery using Microsoft Graph API to enumerate users and applications within the tenant.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrivilege Escalation:\u003c/strong\u003e The attacker identifies privileged accounts to target for further compromise.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement:\u003c/strong\u003e Leveraging control-plane access, the actor moves laterally across cloud and endpoint environments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAccess Cloud Resources:\u003c/strong\u003e The attacker accesses sensitive cloud resources such as Key Vaults and storage accounts.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The actor exfiltrates sensitive data from Microsoft 365 applications, file-hosting services, and Azure-hosted production environments.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Storm-2949 campaign resulted in the exfiltration of sensitive data from multiple areas of the victim organization\u0026rsquo;s cloud infrastructure, including Microsoft 365 applications and Azure-hosted environments. The attackers specifically targeted high-value assets, including those within SaaS, PaaS, and IaaS layers. The compromise of IT personnel and senior leadership suggests significant potential for widespread damage. The number of affected users and the total volume of exfiltrated data are not specified in the report.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement robust MFA policies and educate users about social engineering tactics targeting SSPR. Deploy the rule \u003ccode\u003eDetect SSPR Abuse via Authentication Method Changes\u003c/code\u003e to identify potential MFA bypass attempts.\u003c/li\u003e\n\u003cli\u003eMonitor Microsoft Graph API usage for unusual enumeration activities. Deploy the rule \u003ccode\u003eDetect Microsoft Graph API Directory Enumeration\u003c/code\u003e to identify suspicious user and application enumeration patterns.\u003c/li\u003e\n\u003cli\u003eReview and harden Azure role-based access control (RBAC) policies to limit lateral movement.\u003c/li\u003e\n\u003cli\u003eImplement behavior-based detections across endpoints, cloud environments, and identities, like those provided by Microsoft Defender XDR.\u003c/li\u003e\n\u003cli\u003eRegularly review and audit user accounts, especially those with elevated privileges, for any unauthorized changes to authentication methods or permissions.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-18T23:34:36Z","date_published":"2026-05-18T23:34:36Z","id":"https://feed.craftedsignal.io/briefs/2026-05-storm-2949-cloud-breach/","summary":"Storm-2949 compromised cloud identities through social engineering and abused the Self-Service Password Reset (SSPR) process to bypass MFA and gain persistent access, enabling lateral movement and data exfiltration from Microsoft 365 and Azure environments.","title":"Storm-2949 Abuses SSPR for Cloud-Wide Data Exfiltration","url":"https://feed.craftedsignal.io/briefs/2026-05-storm-2949-cloud-breach/"}],"language":"en","title":"CraftedSignal Threat Feed — Microsoft Azure","version":"https://jsonfeed.org/version/1.1"}