Microsoft Warns Storm-2949 Is Stealing Data From Microsoft 365 And Azure

Attackers abused MFA prompts and Azure permissions to steal cloud data



Microsoft is tracking a threat actor known as Storm-2949 that is targeting Microsoft 365 and Azure production environments to steal sensitive data from high-value organizations, as reported by BleepingComputer.

The group focuses on privileged users, including IT staff and senior leadership, and uses social engineering to take over Microsoft Entra ID accounts. Once inside, the attackers move quickly across Microsoft 365 and Azure services to collect credentials, files, secrets, and infrastructure data.

Storm-2949 abuses password reset flows

Microsoft believes Storm-2949 abuses the Self-Service Password Reset (SSPR) flow to gain access to victim accounts. The attacker starts a password reset request and then tricks the user into approving the resulting MFA prompts.

The group reportedly poses as IT support and tells the victim that urgent account verification is required. After the victim approves the prompt, the attacker resets the password, removes existing MFA controls, and enrolls Microsoft Authenticator on a device controlled by the attacker.
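The takeover sequence described above (self-service reset, removal of existing MFA methods, enrollment of a new authenticator) leaves a recognisable trail in Entra ID audit logs. The following is an added detection example, not code from Microsoft or the original article; the audit records are constructed, and the activity names and simplified record shape are this example's assumption of how an exported audit log row looks.

```python
"""Correlate Entra ID audit-log events into an SSPR-driven takeover sequence:
a self-service password reset, followed shortly by removal of the user's
existing security info (MFA methods) and registration of a new authenticator."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed activityDisplayName values; adjust to match your tenant's export.
RESET = "Reset password (self-service)"
DELETE_MFA = "User deleted security info"
REGISTER_MFA = "User registered security info"

# Constructed sample records (not real tenant data).
AUDIT_LOG = [
    {"time": "2025-01-10T09:00:00Z", "user": "it-admin@contoso.example", "activity": RESET},
    {"time": "2025-01-10T09:03:00Z", "user": "it-admin@contoso.example", "activity": DELETE_MFA},
    {"time": "2025-01-10T09:04:00Z", "user": "it-admin@contoso.example", "activity": REGISTER_MFA},
    # benign: a reset with no authentication-method changes afterwards
    {"time": "2025-01-10T11:00:00Z", "user": "alice@contoso.example", "activity": RESET},
    # benign: a reset and a registration a full day apart
    {"time": "2025-01-09T08:00:00Z", "user": "bob@contoso.example", "activity": RESET},
    {"time": "2025-01-10T08:00:00Z", "user": "bob@contoso.example", "activity": REGISTER_MFA},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def find_takeover_sequences(records, window=timedelta(minutes=30)):
    """Return one alert per (user, reset) where a new authenticator is
    registered within `window` of a self-service reset. Severity is "high"
    when existing security info was also deleted in that window."""
    by_user = defaultdict(list)
    for rec in records:
        by_user[rec["user"]].append((parse_time(rec["time"]), rec["activity"]))

    alerts = []
    for user, events in by_user.items():
        events.sort()  # chronological order per user
        for i, (reset_at, activity) in enumerate(events):
            if activity != RESET:
                continue
            # everything this user did within the window after the reset
            followers = [act for ts, act in events[i + 1:] if ts - reset_at <= window]
            if REGISTER_MFA not in followers:
                continue
            severity = "high" if DELETE_MFA in followers else "medium"
            alerts.append({"user": user, "reset_at": reset_at.isoformat(),
                           "severity": severity, "events": followers})
    return alerts


if __name__ == "__main__":
    for alert in find_takeover_sequences(AUDIT_LOG):
        print(alert)
```

The window is deliberately short: a legitimate user who resets a password rarely re-enrols an authenticator minutes later, so a reset followed by method deletion and re-registration within half an hour is worth an analyst's look, especially for the privileged accounts the article says this actor prefers.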

Microsoft 365 data theft follows account takeover

After gaining access, Storm-2949 uses Microsoft Graph API and custom Python scripts to enumerate users, roles, applications, and service principals. The group also searches for ways to maintain access inside compromised environments.

The attackers then access OneDrive and SharePoint to look for VPN configurations, IT documentation, remote access details, and other sensitive files. Microsoft says this pattern was repeated across multiple compromised accounts, with different stolen identities exposing different shared folders and directories.

Storm-2949 also targets Azure resources

The campaign extends beyond Microsoft 365. Storm-2949 also moves into Azure infrastructure, targeting virtual machines, storage accounts, key vaults, app services, and SQL databases.

The attackers abuse privileged custom Azure RBAC roles across multiple subscriptions. In some cases, they use stolen permissions to access Azure App Services through FTP, Web Deploy, and the Kudu console, allowing them to browse files, inspect environment variables, and run commands remotely.

Key Vaults, storage accounts, and VMs are abused

Storm-2949 also modifies Azure Key Vault access settings and steals dozens of secrets, including database credentials and connection strings. The group targets Azure SQL servers and storage accounts to expand the amount of data it can steal.

The attackers change firewall and network access rules, retrieve storage keys and SAS tokens, and use custom Python scripts to exfiltrate data. They also abuse Azure VM features such as VMAccess and Run Command to create rogue administrator accounts and execute scripts.

Microsoft shares defense guidance

Microsoft says organizations should apply least privilege across accounts and cloud resources, enable Conditional Access policies, require MFA for all users, and use phishing-resistant MFA for privileged accounts.

Admins should also limit Azure RBAC permissions, restrict Key Vault access, disable public exposure where possible, keep Key Vault logs for up to one year, and monitor high-risk Azure management operations.
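The guidance above to monitor high-risk Azure management operations maps directly onto the control-plane actions the earlier sections describe: Key Vault access and configuration changes, storage key and SAS retrieval, firewall rule edits, VM Run Command and extension installs, App Service credential reads, and RBAC assignments. The following is an added example of scoring Azure Activity Log records for those operations; it is not Microsoft's code or part of the original article. The operation names are the resource-provider operations as they appear in Activity Log, the weights and thresholds are this example's own assumption, and the log lines and subscription id are constructed. Key Vault data-plane secret reads are not in Activity Log and need Key Vault diagnostic logs instead.

```python
"""Score Azure Activity Log entries (JSON lines) for management operations
associated with Key Vault, storage, SQL firewall, VM, App Service and RBAC
abuse, and flag callers who accumulate enough of them."""
import json
from collections import defaultdict

# operationName.value -> (category, weight). Weights are an assumption.
HIGH_RISK_OPS = {
    "Microsoft.KeyVault/vaults/accessPolicies/write": ("keyvault-access-change", 5),
    "Microsoft.KeyVault/vaults/write": ("keyvault-config-change", 3),
    "Microsoft.Storage/storageAccounts/listKeys/action": ("storage-key-read", 4),
    "Microsoft.Storage/storageAccounts/listAccountSas/action": ("sas-issued", 4),
    "Microsoft.Storage/storageAccounts/write": ("storage-config-change", 2),
    "Microsoft.Sql/servers/firewallRules/write": ("sql-firewall-change", 4),
    "Microsoft.Compute/virtualMachines/runCommand/action": ("vm-run-command", 5),
    "Microsoft.Compute/virtualMachines/extensions/write": ("vm-extension-write", 4),
    "Microsoft.Web/sites/publishxml/action": ("appservice-publish-creds", 4),
    "Microsoft.Web/sites/config/list/action": ("appservice-settings-read", 3),
    "Microsoft.Authorization/roleAssignments/write": ("rbac-assignment", 4),
}

# Constructed sample export (not real tenant data); <sub-id> is a placeholder.
SAMPLE_LOG = """
{"eventTimestamp": "2025-01-10T10:01:00Z", "caller": "it-admin@contoso.example", "operationName": {"value": "Microsoft.KeyVault/vaults/accessPolicies/write"}, "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/<sub-id>/resourceGroups/prod/providers/Microsoft.KeyVault/vaults/kv-prod"}
{"eventTimestamp": "2025-01-10T10:04:00Z", "caller": "it-admin@contoso.example", "operationName": {"value": "Microsoft.Storage/storageAccounts/listKeys/action"}, "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/<sub-id>/resourceGroups/prod/providers/Microsoft.Storage/storageAccounts/stprod"}
{"eventTimestamp": "2025-01-10T10:06:00Z", "caller": "it-admin@contoso.example", "operationName": {"value": "Microsoft.Sql/servers/firewallRules/write"}, "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/<sub-id>/resourceGroups/prod/providers/Microsoft.Sql/servers/sql-prod/firewallRules/AllowAll"}
{"eventTimestamp": "2025-01-10T10:09:00Z", "caller": "it-admin@contoso.example", "operationName": {"value": "Microsoft.Compute/virtualMachines/extensions/write"}, "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/<sub-id>/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/vm-app01/extensions/VMAccessAgent"}
{"eventTimestamp": "2025-01-10T10:12:00Z", "caller": "it-admin@contoso.example", "operationName": {"value": "Microsoft.Compute/virtualMachines/runCommand/action"}, "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/<sub-id>/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/vm-app01"}
{"eventTimestamp": "2025-01-10T10:15:00Z", "caller": "it-admin@contoso.example", "operationName": {"value": "Microsoft.Compute/virtualMachines/read"}, "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/<sub-id>/resourceGroups/prod/providers/Microsoft.Compute/virtualMachines/vm-app01"}
{"eventTimestamp": "2025-01-10T10:20:00Z", "caller": "deploy-sp@contoso.example", "operationName": {"value": "Microsoft.Web/sites/config/list/action"}, "status": {"value": "Succeeded"}, "resourceId": "/subscriptions/<sub-id>/resourceGroups/prod/providers/Microsoft.Web/sites/web-prod"}
{"eventTimestamp": "2025-01-10T10:25:00Z", "caller": "bob@contoso.example", "operationName": {"value": "Microsoft.Storage/storageAccounts/listKeys/action"}, "status": {"value": "Failed"}, "resourceId": "/subscriptions/<sub-id>/resourceGroups/prod/providers/Microsoft.Storage/storageAccounts/stprod"}
"""


def parse_activity_log(lines):
    """Yield (caller, operation, status, resourceId) from JSON-lines records."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        yield (rec.get("caller", "unknown"),
               rec["operationName"]["value"],
               rec.get("status", {}).get("value", ""),
               rec.get("resourceId", ""))


def score_callers(lines, threshold=8, min_categories=3):
    """Aggregate risk per caller over successful operations; flag a caller whose
    total weight reaches `threshold` or who touches `min_categories` distinct
    categories (breadth across Key Vault, storage, VMs, etc. is the tell)."""
    totals = defaultdict(lambda: {"score": 0, "categories": set(), "ops": []})
    for caller, op, status, resource_id in parse_activity_log(lines):
        if status != "Succeeded":
            continue  # failed attempts are still interesting, but scored separately
        hit = HIGH_RISK_OPS.get(op)
        if hit is None:
            continue
        category, weight = hit
        entry = totals[caller]
        entry["score"] += weight
        entry["categories"].add(category)
        entry["ops"].append((op, resource_id))

    flagged = {}
    for caller, entry in totals.items():
        if entry["score"] >= threshold or len(entry["categories"]) >= min_categories:
            flagged[caller] = {"score": entry["score"],
                               "categories": sorted(entry["categories"]),
                               "ops": entry["ops"]}
    return flagged


if __name__ == "__main__":
    for caller, detail in score_callers(SAMPLE_LOG.splitlines()).items():
        print(caller, detail["score"], detail["categories"])
```

A single listKeys call from a deployment pipeline is routine; the same identity changing Key Vault access, pulling storage keys, opening a SQL firewall and running commands on a VM inside a few minutes is the spread this actor is reported to produce, which is why the scorer weights breadth of categories as much as total weight. In production, the same scoring is easier to express as a Log Analytics query over the AzureActivity table, with the export here standing in for that table.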

The warning comes as Microsoft continues to push users away from SMS authentication and toward safer options such as passkeys. The company also recently disrupted a malware-signing service that threat actors used to make malicious software appear trusted.
