Storm‑2949: How a Single Identity Compromise Led to a Cloud‑Wide Azure and Microsoft 365 Breach
Identity compromise—not malware—was the core of the Storm‑2949 cloud intrusion disclosed by Microsoft. The attacker gained control of a single account and then used built‑in Microsoft cloud services to expand access across Microsoft 365 and Azure, ultimately reaching sensitive infrastructure and data without deploying traditional malicious software.
The incident highlights a growing shift in modern cyberattacks: rather than exploiting software vulnerabilities or installing malware, attackers increasingly rely on legitimate cloud identity and management systems to move through environments undetected.
From a single compromised account to tenant‑wide discovery
According to Microsoft’s threat intelligence reporting, the attack began with an initial identity takeover. After gaining access to a user account, the threat actor immediately started exploring the Microsoft Entra ID tenant to identify additional targets.
The attacker performed large‑scale directory discovery using the Microsoft Graph API, which provides programmatic access to users, groups, applications, and roles inside Microsoft 365 and Azure environments.
Microsoft observed the actor using a custom Python script to automate Graph API queries. These automated requests enumerated users and applications and searched for accounts that appeared likely to hold privileged access based on naming patterns or role attributes.
This discovery stage allowed the attacker to map the organization’s cloud identity structure and identify paths for privilege escalation.
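The discovery stage described above is what the recommendation later in this piece to monitor Microsoft Graph API activity is meant to catch. The following script is an added example, not Microsoft's detection logic or code from the report: it reads JSON-lines request records, counts directory-collection reads per identity inside a sliding time window, and reports identities whose read volume and user agent look like scripted tenant mapping. The field names (requestTimestamp, userPrincipalName, userAgent, requestUri), the threshold and the sample log are assumptions; map them onto whatever your log pipeline actually emits.

```python
"""Flag scripted directory enumeration in Microsoft Graph request logs.

Added illustration, not Microsoft's detection logic or any product's code.
The record fields used here (requestTimestamp, userPrincipalName, userAgent,
requestUri) are assumptions modelled on the shape of Graph activity log
entries; map them onto whatever your log pipeline actually emits.
"""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Directory collections that a tenant-mapping pass reads in bulk
DIRECTORY_PATH = re.compile(
    r"^/(v1\.0|beta)/(users|groups|applications|servicePrincipals|"
    r"directoryRoles|roleManagement)(/|$)", re.I)
# User-agent strings typical of scripts rather than interactive clients
SCRIPTED_AGENT = re.compile(r"python|curl|powershell|go-http|okhttp", re.I)

THRESHOLD = 50                  # directory reads per identity inside WINDOW
WINDOW = timedelta(minutes=10)


def parse_records(lines):
    """Parse JSON-lines records and return them sorted by request time."""
    records = []
    for line in lines:
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(
            rec["requestTimestamp"].replace("Z", "+00:00"))
        records.append(rec)
    records.sort(key=lambda r: r["ts"])
    return records


def find_enumerators(records, threshold=THRESHOLD, window=WINDOW):
    """Identities whose directory reads reach `threshold` inside any sliding
    window of length `window`, with the collections they touched."""
    per_identity = defaultdict(list)
    for rec in records:
        m = DIRECTORY_PATH.match(urlparse(rec["requestUri"]).path)
        if m:
            per_identity[rec["userPrincipalName"]].append(
                (rec["ts"], m.group(2), rec.get("userAgent", "")))

    findings = {}
    for upn, reads in per_identity.items():
        start = 0
        for end, (ts, _, _) in enumerate(reads):
            while ts - reads[start][0] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits = reads[start:end + 1]
                findings[upn] = {
                    "reads_in_window": len(hits),
                    "collections": sorted({c for _, c, _ in hits}),
                    "scripted_agent": any(SCRIPTED_AGENT.search(ua)
                                          for _, _, ua in hits),
                }
                break                               # one finding per identity
    return findings


def build_sample_log():
    """Constructed sample: one identity paging through four directory
    collections with a script, one admin doing a few interactive lookups."""
    base = datetime(2025, 1, 15, 3, 0, tzinfo=timezone.utc)
    collections = ["users", "applications", "directoryRoles", "servicePrincipals"]
    lines = []
    for i in range(120):
        lines.append(json.dumps({
            "requestTimestamp": (base + timedelta(seconds=2 * i)).isoformat(),
            "userPrincipalName": "compromised.user@contoso.example",
            "userAgent": "python-requests/2.31.0",
            "requestUri": "https://graph.microsoft.com/v1.0/%s?$top=999&$skiptoken=p%d"
                          % (collections[i % 4], i),
        }))
    for i in range(5):
        lines.append(json.dumps({
            "requestTimestamp": (base + timedelta(minutes=30 * i)).isoformat(),
            "userPrincipalName": "it.admin@contoso.example",
            "userAgent": "Mozilla/5.0 (Windows NT 10.0) Graph Explorer",
            "requestUri": "https://graph.microsoft.com/v1.0/users/someone@contoso.example",
        }))
    return lines


if __name__ == "__main__":
    for upn, detail in find_enumerators(parse_records(build_sample_log())).items():
        print(upn, detail)
```

The threshold is deliberately a count of reads rather than a list of "bad" endpoints: legitimate automation such as provisioning jobs will also page through users, so in practice the finding should be joined with the sign-in context of the identity (new device, new location, recent password reset) before it is raised as an alert.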
Abusing Self‑Service Password Reset to extend access
One key technique in the intrusion involved abusing Self‑Service Password Reset (SSPR) capabilities tied to Microsoft Entra ID accounts. By exploiting identity recovery workflows after compromising the account, the attacker was able to turn the initial foothold into more persistent and reliable access inside the tenant.
Because SSPR is a legitimate feature designed to help users recover accounts, malicious use of it can blend into normal authentication activity—especially when attackers already possess valid credentials or access to recovery mechanisms.
Privilege escalation through Microsoft Graph and Azure RBAC
After discovering valuable identities and services, the attacker escalated privileges through cloud control‑plane mechanisms rather than traditional system exploits.
Two key components enabled this escalation:
Microsoft Graph API activity, which allowed the attacker to enumerate and interact with directory objects.
Azure role‑based access control (RBAC), which governs permissions for Azure resources.
By identifying accounts and roles with elevated privileges, the attacker could gain broader administrative capabilities within the cloud environment and extend their reach across multiple services.
Access to critical Azure resources
Once higher privileges were obtained, the actor accessed several types of Azure resources, including:
App Services
Key Vaults
SQL databases
Virtual machines
These resources often hold application secrets, credentials, operational data, or sensitive enterprise workloads, making them high‑value targets in cloud intrusions.
The attack demonstrated how identity‑level compromise can cascade into access to production infrastructure when permissions and resource access are not tightly constrained.
Blending in by abusing legitimate admin tools
A major reason the activity remained difficult to detect is that the attacker relied on built‑in administrative tooling rather than deploying malware or external utilities.
Microsoft observed the use of legitimate Azure management features including:
VMAccess
Run Command
PowerShell
Because these tools are commonly used by administrators, malicious activity carried out through them can appear similar to normal operational tasks in logs and monitoring systems.
This tactic allowed the attacker to move laterally and interact with resources while maintaining a low detection profile.
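Because Run Command and VMAccess are ordinary administrative operations, the practical detection signal is not the operation itself but who is invoking it: a caller who has never used these control-plane operations before suddenly doing so. The script below is an added example, not Microsoft's detection logic. It reads Azure Activity Log style records (eventTimestamp, caller, operationName, resourceId), builds a baseline of which callers have used Run Command and extension writes in the preceding 30 days, and alerts on new caller-operation pairings. The convention of recognising VMAccess by the extension name in the resourceId, the 30-day baseline and the sample records are assumptions.

```python
"""Baseline-driven alerts on Azure control-plane VM administration calls.

Added illustration, not Microsoft's detection logic. Records mimic Azure
Activity Log fields (eventTimestamp, caller, operationName, resourceId); the
extension-name-in-resourceId convention, the sample values and the 30-day
baseline are assumptions.
"""
import json
import re
from datetime import datetime, timedelta, timezone

# Control-plane operations that execute code or reset credentials on a VM
WATCHED = {
    "microsoft.compute/virtualmachines/runcommand/action": "Run Command",
    "microsoft.compute/virtualmachines/extensions/write": "VM extension write",
}
# Extension resource names used by the VMAccess reset extension (assumed naming)
VMACCESS = re.compile(r"/extensions/(VMAccess\w*)$", re.I)


def load(lines):
    """Parse JSON-lines activity records, attaching a timezone-aware datetime."""
    records = []
    for line in lines:
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["eventTimestamp"].replace("Z", "+00:00"))
            records.append(rec)
    return records


def classify(rec):
    """Label a watched operation ('Run Command', 'VMAccess (...)', ...) or return None."""
    label = WATCHED.get(rec["operationName"].lower())
    if label is None:
        return None
    m = VMACCESS.search(rec["resourceId"])
    return "VMAccess (%s)" % m.group(1) if m else label


def baseline_pairs(records, cutoff, days=30):
    """(caller, label) pairs observed in the `days` before `cutoff`."""
    since = cutoff - timedelta(days=days)
    pairs = set()
    for rec in records:
        if since <= rec["ts"] < cutoff:
            label = classify(rec)
            if label:
                pairs.add((rec["caller"].lower(), label))
    return pairs


def new_admin_activity(records, cutoff, days=30):
    """Watched operations at or after `cutoff` by callers with no history of
    that operation in the baseline period; the signal is the new pairing."""
    known = baseline_pairs(records, cutoff, days)
    alerts = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        if rec["ts"] < cutoff:
            continue
        label = classify(rec)
        if label and (rec["caller"].lower(), label) not in known:
            alerts.append({
                "time": rec["eventTimestamp"],
                "caller": rec["caller"],
                "operation": label,
                "vm": rec["resourceId"].split("/virtualMachines/")[1].split("/")[0],
            })
    return alerts


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/prod-rg"
VM = SUB + "/providers/Microsoft.Compute/virtualMachines/"


def build_sample_log():
    """Constructed sample: an ops admin who routinely uses Run Command, then a
    newly seen caller invoking Run Command and installing VMAccess."""
    def rec(day, hour, caller, op, res):
        return json.dumps({
            "eventTimestamp": datetime(2025, 1, day, hour, tzinfo=timezone.utc).isoformat(),
            "caller": caller, "operationName": op, "resourceId": res,
        })
    run = "Microsoft.Compute/virtualMachines/runCommand/action"
    ext = "Microsoft.Compute/virtualMachines/extensions/write"
    return [
        rec(2, 9, "ops.admin@contoso.example", run, VM + "vm-web-01"),
        rec(9, 10, "ops.admin@contoso.example", run, VM + "vm-web-02"),
        rec(15, 3, "compromised.user@contoso.example", ext, VM + "vm-sql-01/extensions/VMAccessAgent"),
        rec(15, 3, "compromised.user@contoso.example", run, VM + "vm-web-01"),
        rec(16, 9, "ops.admin@contoso.example", run, VM + "vm-web-01"),
    ]


CUTOFF = datetime(2025, 1, 14, tzinfo=timezone.utc)

if __name__ == "__main__":
    for a in new_admin_activity(load(build_sample_log()), CUTOFF):
        print(a)
```

The baseline is keyed on the caller identity, which is why identity hygiene and this kind of monitoring reinforce each other: the alert only has value if the admin accounts in the baseline are themselves protected by MFA and conditional access, otherwise a takeover of an existing operator account inherits its baseline.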
Data exfiltration over multiple days
The intrusion culminated in sustained data exfiltration over several days, during which sensitive information was extracted from the compromised cloud environment.
The multi‑day timeframe suggests the actor was able to maintain ongoing access and operate within the tenant without immediately triggering defensive controls.
Why identity‑driven cloud attacks are hard to detect
Storm‑2949 illustrates a broader trend in cloud security incidents: attackers increasingly exploit identity systems and legitimate APIs instead of malware.
Key reasons these attacks are difficult to detect include:
Use of valid credentials and legitimate authentication flows
API‑driven enumeration that resembles automation or administrative tasks
Privilege escalation through built‑in permission systems rather than exploits
Reliance on official cloud administration tools
When attackers operate entirely within trusted services, traditional endpoint security tools may see little or no suspicious activity.
Microsoft’s security recommendations
Microsoft recommends strengthening identity security and monitoring cloud control‑plane activity to reduce the risk of similar attacks.
Key defensive measures include:
Harden identity protection
Organizations should ensure strong authentication protections so a single compromised account cannot lead to full tenant compromise.
Secure Self‑Service Password Reset (SSPR)
Review SSPR configurations carefully—especially for privileged users—and ensure recovery mechanisms cannot be easily abused.
Enforce strong MFA and conditional access
Multifactor authentication and contextual access controls help reduce the value of stolen credentials.
Monitor Microsoft Graph API activity
Security teams should watch for unusual enumeration patterns or automated directory queries, which may indicate reconnaissance activity inside a tenant.
Audit Azure RBAC permissions
Organizations should review role assignments and enforce least‑privilege access to prevent privilege escalation paths.
Monitor administrative tool usage
Alerts should be configured for suspicious use of administrative tools such as VMAccess, Run Command, or PowerShell in environments where they are rarely used.
Review access to sensitive Azure resources
High‑value services—including Key Vaults, databases, and production virtual machines—should have tightly controlled access and strong monitoring.
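The RBAC audit and sensitive-resource recommendations above can be turned into a repeatable check over exported role assignments. The script below is an added example, not Microsoft's tooling: it takes records shaped like the output of `az role assignment list` (principalName, principalType, roleDefinitionName, scope) and flags the patterns that let one compromised principal reach production infrastructure, namely broad roles at subscription or management-group scope, privileged roles assigned directly to a user on Key Vaults, SQL servers, virtual machines or App Services, and a single principal holding privileged roles across several of those resource types. The role lists, the threshold of three resource types and the sample assignments are assumptions.

```python
"""Least-privilege audit of Azure RBAC role assignments.

Added illustration, not Microsoft's tooling. Input follows the fields that
`az role assignment list` emits (principalName, principalType,
roleDefinitionName, scope); the thresholds, role lists and sample data are
assumptions for this example.
"""
import re
from collections import defaultdict

# Roles whose holder can take over or reconfigure everything in scope
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}
# Roles that grant privileged access to the resource types named in the incident
PRIVILEGED_ROLES = BROAD_ROLES | {
    "Key Vault Administrator", "Key Vault Secrets Officer",
    "SQL DB Contributor", "SQL Server Contributor",
    "Virtual Machine Contributor", "Website Contributor",
}
SENSITIVE_TYPES = {
    "Microsoft.KeyVault/vaults", "Microsoft.Sql/servers",
    "Microsoft.Compute/virtualMachines", "Microsoft.Web/sites",
}
PROVIDER = re.compile(r"/providers/([^/]+/[^/]+)")


def scope_kind(scope):
    """Classify a scope string: 'managementGroup', 'subscription',
    'resourceGroup' or the provider/type of the resource."""
    if scope.startswith("/providers/Microsoft.Management/managementGroups/"):
        return "managementGroup"
    m = PROVIDER.search(scope)
    if m:
        return m.group(1)
    return "resourceGroup" if "/resourceGroups/" in scope else "subscription"


def audit(assignments):
    """Return (principal, severity, reason) findings for assignments that
    widen the blast radius of a single compromised principal."""
    findings = []
    sensitive_by_principal = defaultdict(set)
    for a in assignments:
        role, kind = a["roleDefinitionName"], scope_kind(a["scope"])
        if role in BROAD_ROLES and kind in ("managementGroup", "subscription"):
            findings.append((a["principalName"], "high",
                             "%s at %s scope; narrow the scope or use PIM" % (role, kind)))
        if kind in SENSITIVE_TYPES and role in PRIVILEGED_ROLES:
            sensitive_by_principal[a["principalName"]].add(kind)
            if a["principalType"] == "User":
                findings.append((a["principalName"], "medium",
                                 "direct user assignment of %s on %s; assign via a PIM-eligible group"
                                 % (role, kind)))
    for principal, kinds in sensitive_by_principal.items():
        if len(kinds) >= 3:   # one identity spanning secrets, data and compute
            findings.append((principal, "high",
                             "privileged on %d sensitive resource types: %s"
                             % (len(kinds), ", ".join(sorted(kinds)))))
    return findings


SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/prod-rg/providers/"

SAMPLE_ASSIGNMENTS = [  # constructed sample data
    {"principalName": "svc-deploy", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor", "scope": SUB},
    {"principalName": "sg-platform-ops", "principalType": "Group",
     "roleDefinitionName": "Reader", "scope": SUB},
    {"principalName": "compromised.user@contoso.example", "principalType": "User",
     "roleDefinitionName": "Key Vault Administrator",
     "scope": RG + "Microsoft.KeyVault/vaults/kv-prod"},
    {"principalName": "compromised.user@contoso.example", "principalType": "User",
     "roleDefinitionName": "SQL DB Contributor",
     "scope": RG + "Microsoft.Sql/servers/sql-prod"},
    {"principalName": "compromised.user@contoso.example", "principalType": "User",
     "roleDefinitionName": "Virtual Machine Contributor",
     "scope": RG + "Microsoft.Compute/virtualMachines/vm-web-01"},
    {"principalName": "sg-dba", "principalType": "Group",
     "roleDefinitionName": "SQL DB Contributor",
     "scope": RG + "Microsoft.Sql/servers/sql-prod"},
]

if __name__ == "__main__":
    for principal, severity, reason in audit(SAMPLE_ASSIGNMENTS):
        print(severity.upper(), principal, reason)
```

Run against a real export, the third rule is the one that most directly mirrors the incident: a single identity that is privileged on secrets, databases and compute at once is exactly the path from one account to App Services, Key Vaults, SQL and virtual machines that the report describes, and it is the assignment pattern least likely to be noticed when each grant is reviewed on its own.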
The bigger lesson from the Storm‑2949 attack
Storm‑2949 demonstrates that identity is now the primary attack surface in many cloud environments. When attackers control an account, they can often leverage APIs, permission systems, and administrative tools to move through the cloud without ever deploying malware.
For defenders, this means traditional security monitoring focused on endpoints or malicious binaries is no longer enough. Detecting modern cloud intrusions requires visibility into identity behavior, API usage, privilege assignments, and control‑plane activity across the entire tenant.